0

Tshark frame.time format

asked 2020-05-22 08:23:39 +0000

rnb

Hi.

I am trying to get the output of the frame.time in a format like 2020-01-01 12:01:01, but I cannot seem to find out how to do that.

I am using a command like

tshark -r 0001.pcap -T fields -e frame.time -e ip.src -e ip.dst

Current result is

May 20, 2020 12:01:01.000000001 [ip] [ip]

but what I want is

2020-05-20 12:01:01.000000001 [ip] [ip]

How do I do that???


Comments

Is it similar to this question? Will _ws.col.Time work for you?

Chuckc (2020-05-22 20:46:13 +0000)

3 Answers

1

answered 2020-05-23 05:25:02 +0000

Jim Young

updated 2020-05-23 15:15:31 +0000 by cmaynard

As suggested by bubbasnmp you can use -e _ws.col.Time. You can then use tshark's -t option to change the way that column is presented. To see the list of -t formats enter:

tshark -t.

Here's an example using the -t ad format:

$ tshark -r my.pcapng -t ad -T fields -e _ws.col.Time -e ip.src -e ip.dst
2020-05-22 16:15:02.210876  10.1.1.1    10.2.2.2
2020-05-22 16:15:02.212657  10.2.2.2    10.1.1.1

And the same capture using the -t ud format:

$ tshark -r my.pcapng -t ud -T fields -e _ws.col.Time -e ip.src -e ip.dst
2020-05-22 20:15:02.210876  10.1.1.1    10.2.2.2
2020-05-22 20:15:02.212657  10.2.2.2    10.1.1.1

Comments

Cool! That works perfectly! Thank you very much.

rnb (2020-05-23 12:30:25 +0000)
0

answered 2020-05-22 15:33:54 +0000

cmaynard

updated 2020-05-22 15:43:29 +0000

To avoid the need for recompiling Wireshark, you could consider implementing a Lua post-dissector that reformats the frame.time field however you like. Below is one such Lua post-dissector that you may find useful. To use it, you will need to save it in your Wireshark plugins directory or explicitly specify to use it on the tshark command line.

local framepost = Proto("framepost", "frame post-dissector")

-- The single field this post-dissector adds: the reformatted arrival time
local pf = {
    ft = ProtoField.string("framepost.time", "Arrival Time")
}

-- Register protocol fields
framepost.fields = pf

-- Field extractor for the built-in frame.time of the packet being dissected
local ft = Field.new("frame.time")

-- Map the three-letter month abbreviation printed by frame.time to its number
local function mon2num(mon)
    local mons = {
        ["Jan"] = 1, ["Feb"] = 2, ["Mar"] = 3, ["Apr"] = 4, ["May"] = 5, ["Jun"] = 6,
        ["Jul"] = 7, ["Aug"] = 8, ["Sep"] = 9, ["Oct"] = 10, ["Nov"] = 11, ["Dec"] = 12
    }

    return mons[mon]
end

function framepost.dissector(tvbuf, pinfo, tree)
    local ft_ex = ft()
    if ft_ex ~= nil then

        local framepost_tree = tree:add(framepost, "Frame Postdissector")

        -- Rewrite the leading "Mon DD, YYYY" of the display string as
        -- "YYYY-MM-DD". The captured fourth group is the single character
        -- following the year (the space), so the rest of the string
        -- (HH:MM:SS.nnnnnnnnn and anything after it) is kept unchanged.
        -- gsub returns two values; only the rewritten string is kept here.
        local iso_time = ft_ex.display:gsub('(%a+)%s+(%d+),%s+(%d+)(.)',
            function(m, d, y, t)
                return y .. "-" .. ("%02d"):format(mon2num(m)) .. "-" .. ("%02d"):format(d) .. t
            end)

        framepost_tree:add(pf.ft, iso_time)
    end
end

register_postdissector(framepost)

Example Usage:

tshark -r 0001.pcap -X lua_script:framepost.lua -T fields -e framepost.time -e ip.src -e ip.dst

Comments

Good option Chris, I keep forgetting about post-dissectors. I presume performance would be affected if using larger captures, but I have no idea how much. A lua dissector against a C dissector is approx 2.5 times slower in my basic tests.

grahamb (2020-05-22 15:39:28 +0000)

Oh yeah, it's definitely going to be slower than if it was built-in. It's still a work-around, but it may suffice for many use cases. (Most, if not all, of the Lua dissectors, post-dissectors, taps, etc. that I post here and elsewhere probably fit this category - better than nothing but not ideal.)

I agree that an enhancement bug report could be filed as you suggested. For one thing, I think it'd be nice to be able to display ISO 8601 date/timestamps.

cmaynard (2020-05-22 15:50:22 +0000)
0

answered 2020-05-22 09:41:40 +0000

grahamb

You would have to recompile Wireshark to do so; currently the format is hard-coded, see abs_time_to_str() in epan\to_str.c.

You could post-process the output using the tool of your choice to reformat the date.

You could submit an enhancement request to the Wireshark Bugzilla to add a field that allows the time format to be specified.

If this is still for Splunk, I believe by using Google and looking at their docs (I have never used Splunk) you can specify a time format for import, see Configure Timestamp Recognition and the TIME_FORMAT option. I'll leave the working out of that format as an exercise for the reader, but as a hint look at the examples.


Comments

Okay. That is too bad. For now I will see if I can find a workaround.

Thanks!

(Btw. Not sure where the Splunk comes from, I don't think I ever asked a question about that... ;)

rnb (2020-05-22 11:12:56 +0000)

OK, I mistakenly thought it was a follow on from this question.

grahamb (2020-05-22 11:31:34 +0000)
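As an added illustration of grahamb's "post-process the output" option (this is example code written for this page, not something any of the answerers posted and not part of Wireshark): a small Python filter that rewrites the frame.time column of "tshark -T fields" output into the "YYYY-MM-DD HH:MM:SS.nnnnnnnnn" form the question asks for. It copies the fractional seconds verbatim instead of parsing them with datetime.strptime, which only handles microseconds and would reject the nine-digit nanosecond fraction tshark prints; the optional trailing zone abbreviation is assumed to be present in some builds and is passed through. The sample lines are constructed, not captured.

```python
import re

# Month abbreviations as tshark prints them in frame.time (constructed table)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# frame.time text: "May 20, 2020 12:01:01.000000001", day possibly space-padded
# ("Jan  1, 2020"), fraction optional, zone abbreviation optional (assumption).
FRAME_TIME_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}), +(?P<year>\d{4}) +"
    r"(?P<hms>\d{2}:\d{2}:\d{2})(?P<frac>\.\d+)?(?: +(?P<tz>[A-Za-z]+))?$")


def to_iso_like(frame_time: str) -> str:
    """Convert tshark's frame.time text to 'YYYY-MM-DD HH:MM:SS.fffffffff'.

    The fraction is copied as-is so nanosecond precision survives; a zone
    abbreviation, if present, is kept. Raises ValueError on other text.
    """
    m = FRAME_TIME_RE.match(frame_time.strip())
    if not m:
        raise ValueError(f"not a tshark frame.time value: {frame_time!r}")
    mon = MONTHS.get(m["mon"])
    if mon is None:
        raise ValueError(f"unknown month abbreviation: {m['mon']!r}")
    out = f"{m['year']}-{mon:02d}-{int(m['day']):02d} {m['hms']}{m['frac'] or ''}"
    return out + (f" {m['tz']}" if m["tz"] else "")


def reformat_fields_output(text: str) -> str:
    """Rewrite the first tab-separated column (frame.time) of every
    'tshark -T fields' line; the remaining columns pass through untouched."""
    lines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first, sep, rest = line.partition("\t")  # -T fields separates by tab
        lines.append(to_iso_like(first) + sep + rest)
    return "\n".join(lines)


# Constructed sample of: tshark -r x.pcap -T fields -e frame.time -e ip.src -e ip.dst
SAMPLE = (
    "May 20, 2020 12:01:01.000000001\t10.1.1.1\t10.2.2.2\n"
    "May 20, 2020 12:01:01.000123456 CEST\t10.2.2.2\t10.1.1.1\n"
)

if __name__ == "__main__":
    print(reformat_fields_output(SAMPLE))
```

In practice you would pipe tshark's stdout into this script (reading sys.stdin instead of SAMPLE); lines that are not frame.time values raise rather than being silently passed through.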

Stats

Asked: 2020-05-22 08:23:39 +0000

Seen: 76 times

Last updated: May 23