Absolute time in tshark

Hi,

Could you please advise how to display absolute time in tshark output? Currently I'm trying to add "-e _ws.col.AbsTime" but nothing is displayed in this field.

Full command looks like:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -T fields -E header=y -e frame.time -e frame.time_epoch -e fix.MsgType -e fix.ClOrdID -e fix.SenderCompID -e fix.ExecType -e fix.TargetCompID -e _ws.col.AbsTime

Tshark version: TShark (Wireshark) 2.6.3 (v2.6.3)

Thanks in advance!

Alexander
asked 2018-10-05 08:32:03 +0000

2 Answers


The _ws.col.xxx fields only output a value if you have a column named xxx in your profile, i.e. they allow you to output any configured column.

grahamb
answered 2018-10-05 08:55:12 +0000

In case you don't want to modify Wireshark columns or even necessarily have to rely on them, one alternative is to make use of the -o <preference>:<value> option to explicitly set the gui.column.format. For example:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -o 'gui.column.format:"Time","%t","TimeEpoch","%Cus:frame.time_epoch","MsgType","%Cus:fix.MsgType","ClOrdID","%Cus:fix.ClOrdID","SenderCompID","%Cus:fix.SenderCompID","ExecType","%Cus:fix.ExecType","TargetCompID","%Cus:fix.TargetCompID","AbsTime","%Yt"'

Run tshark -G column-formats for the list of "built-in" column formats.

You could also create a separate Fix profile in Wireshark with whatever columns you want and then just have tshark use that profile. For example:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -C Fix

Refer to the tshark man page for more information.

cmaynard
answered 2018-10-05 15:44:56 +0000
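Tying the two answers together, here is an added helper (not from this thread or from the Wireshark project) that builds the gui.column.format value from "Title=spec" pairs and then requests those same columns with -e _ws.col.<Title>, so no profile has to be edited. The capture path and FIX filter in the usage comment are assumed from the question; a spec beginning with % is passed through as a built-in format, anything else is wrapped as a %Cus: custom column.

```shell
#!/bin/sh
# Added example, not the thread's own code: generate the gui.column.format
# preference so that -e _ws.col.<Title> has a column to read from.
# A spec starting with % is a built-in format (see: tshark -G column-formats);
# anything else is treated as a field name and wrapped as a custom column.
column_format() {
  fmt=""
  for pair in "$@"; do
    title=${pair%%=*}
    spec=${pair#*=}
    case $spec in
      %*) ;;                      # built-in format such as %t or %Yt, used as-is
      *)  spec="%Cus:$spec" ;;    # field name -> custom column
    esac
    fmt="${fmt:+$fmt,}\"$title\",\"$spec\""
  done
  printf '%s' "$fmt"
}

# Build the matching "-e _ws.col.<Title>" list for -T fields output
# (titles must not contain spaces, because the list is word-split later).
col_fields() {
  out=""
  for pair in "$@"; do out="$out -e _ws.col.${pair%%=*}"; done
  printf '%s' "${out# }"
}

# Run tshark over a capture with those columns; FILTER is an optional display
# filter. Returns 127 when tshark is not installed, so the helpers above can
# still be used (and tested) on a machine without Wireshark.
run_with_columns() {
  pcap=$1; shift
  command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }
  # shellcheck disable=SC2086
  tshark -r "$pcap" -Y "${FILTER:-frame}" \
    -o "gui.column.format:$(column_format "$@")" \
    -T fields -E header=y $(col_fields "$@")
}

# Usage with the question's FIX columns (assumed capture path and filter):
# FILTER='(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission' \
#   run_with_columns /var/lib/tshark/dump/trafficdump.pcap \
#     Time=%t AbsTime=%Yt TimeEpoch=frame.time_epoch MsgType=fix.MsgType \
#     ClOrdID=fix.ClOrdID SenderCompID=fix.SenderCompID ExecType=fix.ExecType
```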