Hi.
I trying to get the output of the frame.time in a format like 2020-01-01 12:01:01, but I cannot seem to find out how to do that.
I am using a command like
tshark -r 0001.pcap -T fields -e frame.time -e ip.src -e ip.dst
Current result is
May 20, 2020 12:01:01.000000001 [ip] [ip]
but what I want is
2020-05-20 12:01:01.000000001 [ip] [ip]
How do I do that???
As suggested by bubbasnmp you can use -e _ws.col.Time. You can then use tshark's -t option to change the way that column is presented. To see the list of -t formats enter:
tshark -t.
Here's an example using the -t ad format:
$ tshark -r my.pcapng -t ad -T fields -e _ws.col.Time -e ip.src -e ip.dst
2020-05-22 16:15:02.210876 10.1.1.1 10.2.2.2
2020-05-22 16:15:02.212657 10.2.2.2 10.1.1.1
And the same capture using the -t ud format:
$ tshark -r my.pcapng -t ud -T fields -e _ws.col.Time -e ip.src -e ip.dst
2020-05-22 20:15:02.210876 10.1.1.1 10.2.2.2
2020-05-22 20:15:02.212657 10.2.2.2 10.1.1.1
To avoid the need for recompiling Wireshark, you could consider implementing a Lua post-dissector that reformats the frame.time field however you like. Below is one such Lua post-dissector that you may find useful. To use it, you will need to save it in your Wireshark plugins directory or explicitly specify to use it on the tshark command line.
local framepost = Proto("framepost", "frame post-dissector")
local pf = {
ft = ProtoField.string("framepost.time", "Arrival Time")
}
-- Register protocol fields
framepost.fields = pf
local ft = Field.new("frame.time")
local function mon2num(mon)
local mons = {
["Jan"] = 1, ["Feb"] = 2, ["Mar"] = 3, ["Apr"] = 4, ["May"] = 5, ["Jun"] = 6,
["Jul"] = 7, ["Aug"] = 8, ["Sep"] = 9, ["Oct"] = 10, ["Nov"] = 11, ["Dec"] = 12
}
return mons[mon]
end
function framepost.dissector(tvbuf, pinfo, tree)
local ft_ex = ft()
if ft_ex ~= nil then
local framepost_tree = tree:add(framepost, "Frame Postdissector")
local ft = ft_ex.display:gsub('(%a+)%s+(%d+),%s+(%d+)(.)',
function(m, d, y, t)
return y .. "-" .. ("%02d"):format(mon2num(m)) .. "-" .. ("%02d"):format(d) .. t
end)
framepost_tree:add(pf.ft, ft)
end
end
register_postdissector(framepost)
Example Usage:
tshark -r 0001.pcap -X lua_script:framepost.lua -T fields -e framepost.time -e ip.src -e ip.dst
Oh yeah, it's definitely going to be slower than if it was built-in. It's still a work-around, but it may suffice for many use cases. (Most, if not all, of the Lua dissectors, post-dissectors, taps, etc. that I post here and elsewhere probably fit this category - better than nothing but not ideal.)
I agree that an enhancement bug report could be filed as you suggested. For one thing, I think it'd be nice to be able to display ISO 8601 date/timestamps.
You would have to recompile Wireshark to do so, currently the format is hard-coded, see abs_time_to_str() in epan\to_str.c.
You could post-process the output using the tool of your choice to reformat the date.
You could submit an enhancement request to the Wireshark Bugzilla to add a field that allows the time format to be specified.
If this is still for Splunk, I believe by using Google and looking at their docs (I have never used Splunk) you can specify a time format for import, see Configure Timestamp Recognition and the TIME_FORMAT option. I'll leave the working out of that format as an exercise for the reader, but as a hint look at the examples.
Asked: 2020-05-22 08:23:39 +0000
Seen: 10,398 times
Last updated: Aug 03 '22
Is it similar to this question ?
Will
_ws.col.Timework for you?Hi Folks, sorry to ask such a stupid question regarding this topic. I basically have the same topic as the threadstarter, but with a small difference. If i use the command "_ws.col.Time" on my linux system, no output is written in my .txt file. If i use frame.time, the output in the format frome above will be saved...
I also retried the same command line on my windows systems; there it works fine with "_ws.col.Time"...
Im totally confused why this behavior stucks on my Linux system (which is preferred to be used for decoding).
Best regards Julius
Are you using the same version (
tshark -v) and same profile on both systems?(see 11.6. Configuration Profiles for Export/Import)
@Julius, please ask a separate question rather than piggy-backing on this one. Your question is not the same as the original question posed here and any answer will be different as well.