
Display filter - "show last 5 minutes of the capture file"


Hi all,

I've got an interesting question from one of the subscribers:

How to create a display filter which will show only the last 5 minutes in a capture file?

The best I could guess is to go to the last packet, remember its "seconds from beginning" value, subtract 300, and make a filter frame.time_relative <= computed_before_value

Is there an easier way?

If display filters supported arithmetical operations, I could have done the following: go to the last packet and apply a filter like frame.time_relative <= ${frame.time_relative} - 300. But this is not possible, as I understand.

Thanks

Packet_vlad
asked 2019-01-24 08:00:42 +0000, updated 2019-01-24 10:21:53 +0000


1 Answer


As display filters work on a packet-by-packet basis, the time to test against must be known for each test, and there are (currently) no filters that refer to absolute values from the capture, e.g. your $frame.time which I guess you would like to be the time of the last packet.

grahamb
answered 2019-01-24 10:07:39 +0000

Comments

Hi Graham, sorry, I've misspelled my filters a bit. I have just corrected them.

I can refer to last packet's relative time by selecting it first and playing with ${frame.time_relative} expression, but I can't apply any arithmetical shift (say, "subtract some value" operation).

Packet_vlad (2019-01-24 10:21:43 +0000)

Ok, I think the concept of a filter value that is derived from the first/last packet time is viable. For the last packet there would have to be a first pass through the capture, which is OK.

To implement this would require an enhancement request at the Wireshark Bugzilla.

grahamb (2019-01-24 10:25:29 +0000)
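
An added example (not part of the original thread and not Wireshark's own code): the manual procedure from the question, automated outside Wireshark. It reads the packet timestamps from a classic pcap file, takes the last packet's relative time, subtracts the window and returns a display filter string. The function names and the sample capture are constructed for illustration, and the filter uses `>=` because the final window consists of the packets at or after the computed threshold.

```python
import io
import struct

# pcap magic bytes as stored on disk -> (struct byte order, timestamp fraction units per second)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def first_last_timestamps(stream):
    """Return (first, last) packet timestamps in seconds from a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order, units = PCAP_MAGICS[header[:4]]
    first = last = None
    while True:
        rec = stream.read(16)
        if len(rec) < 16:                     # clean EOF or truncated record header
            break
        sec, frac, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        last = sec + frac / units             # "last" means last record in the file
        if first is None:
            first = last
        stream.seek(incl_len, io.SEEK_CUR)    # skip the packet bytes
    if first is None:
        raise ValueError("capture contains no packets")
    return first, last

def last_window_filter(stream, window=300):
    """Build a display filter matching the final `window` seconds of the capture."""
    first, last = first_last_timestamps(stream)
    # frame.time_relative counts from the first packet, so work in relative time.
    threshold = max(0.0, (last - first) - window)
    return f"frame.time_relative >= {threshold:.6f}"

def build_sample_pcap(offsets, base=1548316800):
    """Constructed sample: a little-endian pcap with one 14-byte dummy frame per offset."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for off in offsets:
        payload = b"\x00" * 14
        out += struct.pack("<IIII", base + off, 0, len(payload), len(payload)) + payload
    return io.BytesIO(out)

if __name__ == "__main__":
    # Packets at 0, 100, 450, 700 and 1000 seconds into the capture.
    print(last_window_filter(build_sample_pcap([0, 100, 450, 700, 1000])))
```

The returned string can be pasted into the display filter bar or passed to `tshark -r <file> -Y "<filter>"`.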
