reg expressions in display filters

edit

I made a small python gist to create a pcap from packets where the output of a display filter matches a given regex. In your case, you would use:

python reshark.py <your.pcap> frame.time "Jan 27, 2019 \d{2}:\5[4-5]"

Obligatory reference to Regular vs Context-Free Grammars

Unfortunately you can't use a regex on a date/time field and neither can you convert the date/time field to a string with "string(frame.time)" (which does work on other types of fields). I see no way to solve this with display filters. However, using tshark you may be able to solve this.

To get a list of all frame numbers that match the timeframe *:54:00 to *:55:59 you can use:

tshark -r <file> -T fields -e frame.number -e frame.time | grep "2019 .*:5[45]:" | cut -f 1 | xargs

Then you can feed this into a second tshark command to extract the packets:

tshark -r <file> -w <newfile -Y "$( tshark -r pbx.pcapng -T fields -e frame.number -e frame.time | grep "2019 .*:5[45]:" | cut -f 1 | xargs )"