tshark export data with epoch time

edit

-t only affects the timestamp in the summary lines.

~$ tshark -r ./tcptst_out.pcap
    1   0.000000 104.18.91.105 192.168.200.135 TCP   443 → 18082 [FIN, ACK] Seq=1 Ack=1 Win=68 Len=0

~$ tshark -r ./tcptst_out.pcap -t e
    1 1592016429.488229 104.18.91.105 192.168.200.135 TCP   443 → 18082 [FIN, ACK] Seq=1 Ack=1 Win=68 Len=0

~$ tshark -r ./tcptst_out.pcap -t u
    1 02:47:09.488229 104.18.91.105 192.168.200.135 TCP   443 → 18082 [FIN, ACK] Seq=1 Ack=1 Win=68 Len=0

tshark man page:

-t a|ad|adoy|d|dd|e|r|u|ud|udoy

Set the format of the packet timestamp printed in summary lines. The format can be one of:

This is where the timestamp is set when writing -F k12text:

wiretap/k12text.l:

    ms = rec->ts.nsecs / 1000000;
    ns = (rec->ts.nsecs - (1000000*ms))/1000;

    tmp = gmtime(&rec->ts.secs);
    if (tmp == NULL)
        snprintf(p, 90, "+---------+---------------+----------+\r\nXX:XX:XX,");
    else
        strftime(p, 90, "+---------+---------------+----------+\r\n%H:%M:%S,", tmp);
    wl = strlen(p);
    p += wl;
    left -= wl;

    wl = snprintf(p, (gulong)left, "%.3d,%.3d   %s\r\n|0   |", ms, ns, str_enc);

~$ cat tmp.txt
+---------+---------------+----------+
02:47:09,488,229   ETHER
|0   |ec|f4|bb|4a|4e|de|f0|9f|c2|df|16|1f|08|00|45|00|00|28|ad|4a|40|00|3c|06|44|da|68|12|5b|69|c0|a8|c8|87|01|bb|46|a2|02|c6|0f|66|bc|e2|7e|d5|50|11|00|44|cc|a2|00|00|00|00|25|c4|b8|3b|