I loaded a large file into Wireshark. I can click "Go -> Go to packet..." and type in 1000 to go to the 1000th packet.
I click "View -> Time Display Format -> Date and Time of Day (1970-01-01 01:02:03.123456)" so that each packet shows a time.
I know a packet has time "2025-07-31 10:10:10.123456789". How do I find that packet without manually scroll around the window?
There's a few ways to filter on time (and then, if you like clear the filter while keeping the selected packet), but there's no support for exactly what you ask, partly because capture files are not always in chronological order (sometimes unavoidably when there are multiple interfaces due to the OS drivers). You can also enter such filters into Find Packet and search forward and backward by filter. That should work.
See the enhancement request here: https://gitlab.com/wireshark/wireshar...
For an absolute time:
frame.time == "2025-07-31 10:10:10.123456789"
That's pretty tight so maybe specify a range:
frame.time > "2025-07-31 10:10:10" and frame.time < "2025-07-31 10:10:11"
You should be able to use abs() to specify a time difference:
abs(frame.time - "2025-07-31 10:10:11") < 0.2
but there is a bug that prevents it from working with some timestamps (will open issue tomorrow).
This duct tape fix seems to work properly:
abs(double(frame.time - "2025-07-31 10:10:10")) < 0.2
Oops: double() and float() not in current (4.4) release branch.
abs()not working can be tested with https://weberblog.net/the-ultimate-pcap/.abs(double(frame.time - "2020-11-25 10:47:05.000000000")) < 0.2 filters correctly.abs(frame.time - "2020-11-25 10:47:05.000000000") < 0.2
matches packets outside the time delta.
Discussion started on 6722: dfilter: Allow arithmetic expressions as function arguments
Asked: 2025-07-31 00:56:53 +0000
Seen: 31 times
Last updated: 16 hours ago
