 | 1 | initial version |
If you're using tshark's -T fields along with -e x509af.utcTime, then you may be able to achieve what you want by making use of the -E occurrence=f option, which will only give you the first occurrence of the field and not all occurrences. Here I'm assuming the first occurrence is the one you're after. Example:
tshark -r file.pcap -Y x509af.utcTime -T fields -e frame.number -e x509af.utcTime -E occurrence=f
From the tshark man page:
occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).
Alternatively, you can specify the occurrence of individual fields by using the gui.column.format option. For example:
Windows:
tshark -r file.pcap -Y x509af.utcTime -o "gui.column.format:\"No.\",\"%m\",\"x509af.utcTime\",\"%Cus:x509af.utcTime:f\""
*nix:
tshark -r file.pcap -Y x509af.utcTime -o 'gui.column.format:"No.","%m","x509af.utcTime","%Cus:x509af.utcTime:1"'
Run tshark -G column-formats for help with built-in column formats, such as %m.
| | 2 | No.2 Revision |
If you're using tshark's -T fields along with -e x509af.utcTime, then you may be able to achieve what you want by making use of the -E occurrence=f option, which will only give you the first occurrence of the field and not all occurrences. Here I'm assuming the first occurrence is the one you're after. Example:
tshark -r file.pcap -Y x509af.utcTime -T fields -e frame.number -e x509af.utcTime -E occurrence=f
From the tshark man page:
occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).
Alternatively, you can specify the occurrence of individual fields by using the gui.column.format option. For example:
Windows:
tshark -r file.pcap -Y x509af.utcTime -o "gui.column.format:\"No.\",\"%m\",\"x509af.utcTime\",\"%Cus:x509af.utcTime:f\""
"gui.column.format:\"No.\",\"%m\",\"x509af.utcTime\",\"%Cus:x509af.utcTime:1\""
*nix:
tshark -r file.pcap -Y x509af.utcTime -o 'gui.column.format:"No.","%m","x509af.utcTime","%Cus:x509af.utcTime:1"'
Run tshark -G column-formats for help with built-in column formats, such as %m.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.