Ask Your Question
0

how to filter pcap file with time range as display filter using tshark

asked 2024-01-09 10:57:29 +0000

We playing DTMF digits on poly phone through our java based app and we capturing start time and end time of playing dtmf digits and also capturing trace for this dtmf . Once all this process completed, we have pcap file with dtmf events.This pcap file also have other packets of SIP signal. Now we want to filter pcap file for packets which are fall between captured start and end time in java app by passing these two time stamps to tshark command as display filter. So which timestamp i have to consider in packet rtp.timestamp or frame.time what is the time format? Please help me to achieve this problem.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-01-09 14:22:32 +0000

SYN-bit gravatar image

Easiest way I think is to extract the epoch timestamps from the first capture and then use them with editcap to extract the timerange from the second (java) pcap.

tshark -r file1.pcapng -T fields -e frame.time_epoch will get you the list of epoch timestamps of all packets. Get the first and the last one and use that for:

editcap -A <first epoch timestamp> -B <last epoch timestamp> file2.pcapng file2-extract.pcapng will create a new file out of the second pcap with the packets in the selected timerange

Or you can use the first and last epoch timestamp in a display filter like frame.time_epoch in {<first epoch timestamp> .. <last epoch timestamp>}

edit flag offensive delete link more

Comments

We will play DTMF digits 123 from java app, So we will record start time and end time of this playing dtmf digits action in our java code.

What our intentions is to filter packets in between these two time stamps by passing these two time stamps to tshark command through java application , like tshark -r TestRTPSIP.pcap -Y frame.time >= startTime && frame.time <= endTime -T fields -e rtpevent.event_id

shall I do as above Or I can see timestamp in rtp packets also, so can I use it? In our case i can see 0.000000 for frame.time For rtp, rtp. timestamp is Timestamp: 3384783737 So Shall I convert my java captured time into epoch?

Please suggest me way to use timestamp based filter.

Balaji Ratnala gravatar imageBalaji Ratnala ( 2024-01-11 03:36:47 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-01-09 10:57:29 +0000

Seen: 1,005 times

Last updated: Jan 09 '24