Absolute time in tshark

edit

In case you don't want to modify Wireshark columns or even necessarily have to rely on them, one alternative is to make use of the -o <preference>:<value> option to explicitly set the gui.column.format. For example:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -o 'gui.column.format:"Time","%t","TimeEpoch","%Cus:frame.time_epoch","MsgType","%Cus:fix.MsgType","ClOrdID","%Cus:fix.ClOrdID","SenderCompID","%Cus:fix.SenderCompID","ExecType","%Cus:fix.ExecType","TargetCompID","%Cus:fix.TargetCompID","AbsTime","%Yt"'

Run tshark -G column-formats for the list of "built-in" column formats.

You could also create a separate Fix profile in Wireshark with whatever columns you want and then just have tshark use that profile. For example:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -C Fix

Refer to the tshark man page for more information.

The _ws.col.xxx field specifies only output a value if you have a column named xxx in your profile, i.e. they allow you to output any configured column.