 | 1 | initial version |
Easiest way I think is to extract the epoch timestamps from the first capture and then use them with editcap to extract the timerange from the second (java) pcap.
tshark -r file1.pcapng -T fields -e frame.time_epoch will get you the list of epoch timestamps of all packets. Get the first and the last one and use that for:
editcap -A <first epoch timestamp> -B <last epoch timestamp> file2.pcapng file2-extract.pcapng will create a new file out of the second pcap with the packets in the selected timerange
Or you can use the first and last epoch timestamp in a display filter like frame.time_epoch in {<first epoch timestamp> .. <last epoch timestamp>}
