TShark timestamp precision

asked 2022-12-08 15:27:15 +0000

ray13
3 ●2

Hello,

When I use a command like the following:

tshark -r file.pcap -t a -Tfields -e _ws.col.Time -e field2 -e field3 -e field4

It will print each line beginning with the time of capture, without a date:

15:19:37.268975802

This shows me the time with nanosecond precision, however I was wondering if there's any way to remove that part and show seconds only.

I can easily do this in Wireshark (View > Time Display Format > Seconds) but I couldn't find any way to do it with TShark even after reading the manpage.

answered 2022-12-08 16:17:01 +0000

Chuckc
2858 ●5 ●568 ●19

updated 2022-12-08 16:20:44 +0000

You could make an Enhancement request for tshark to use recent.gui_time_precision:

# Timestamp display precision.
# One of: AUTO, SEC, DSEC, CSEC, MSEC, USEC, NSEC
gui.time_precision: SEC

Or another tshark command line option. Maybe --tp for timestamp precision.

Looks like there is precedent for tshark following gui preferences:
17132: Add optional timestamp to -x option in tshark

tshark -r [in.pcap] -o gui.column.format:"Time","%t" -t ad -P -x | text2pcap -t "%Y-%m-%d %H:%M:%S." - [out.pcap]

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

TShark timestamp precision

1 Answer

Your Answer

Question Tools

Stats

Related questions

TShark timestamp precision edit

1 Answer

Your Answer

Question Tools

Stats

Related questions

TShark timestamp precision