Ask Your Question

Revision history [back]

I think this is likely the output format of the -z diameter,avp option. From the tshark manual:

-z diameter,avp[,cmd.code,field,field,...]
This option enables extraction of most important diameter fields from large capture files. Exactly one text line for each diameter message with matched diameter.cmd.code will be printed.


tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code

Following fields will be printed out for each diameter message:

  "frame"        Frame number.
  "time"         Unix time of the frame arrival.

So it would seem that the option prints out the Unix time as you have found. You can either post process the output, or attempt to emulate what -z diameter,avp does using -T fields -e ... and appropriate display filters.