Ask Your Question
0

Absolute time in tshark

asked 2018-10-05 08:32:03 +0000

Alexander gravatar image

Hi,

Could you please advise how to display absolute time in tshark output. Now I'm trying to add "-e _ws.col.AbsTime" but nothing is displaying in this field.

Full command looks like:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -T fields -E header=y -e frame.time -e frame.timeepoch -e fix.MsgType -e fix.ClOrdID -e fix.SenderCompID -e fix.ExecType -e fix.TargetCompID -e _ws.col.AbsTime

Tshark version: TShark (Wireshark) 2.6.3 (v2.6.3)

Thanks in advance!

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2018-10-05 15:44:56 +0000

cmaynard gravatar image

In case you don't want to modify Wireshark columns or even necessarily have to rely on them, one alternative is to make use of the -o <preference>:<value> option to explicitly set the gui.column.format. For example:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -o 'gui.column.format:"Time","%t","TimeEpoch","%Cus:frame.time_epoch","MsgType","%Cus:fix.MsgType","ClOrdID","%Cus:fix.ClOrdID","SenderCompID","%Cus:fix.SenderCompID","ExecType","%Cus:fix.ExecType","TargetCompID","%Cus:fix.TargetCompID","AbsTime","%Yt"'

Run tshark -G column-formats for the list of "built-in" column formats.

You could also create a separate Fix profile in Wireshark with whatever columns you want and then just have tshark use that profile. For example:

tshark -r /var/lib/tshark/dump/trafficdump.pcap -Y "(fix.MsgType ~ D or fix.MsgType ~ F or fix.MsgType ~ G) and not tcp.analysis.retransmission" -C Fix

Refer to the tshark man page for more information.

edit flag offensive delete link more
add a comment
0

answered 2018-10-05 08:55:12 +0000

grahamb gravatar image

The _ws.col.xxx field specifies only output a value if you have a column named xxx in your profile, i.e. they allow you to output any configured column.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-10-05 08:32:03 +0000

Seen: 1,005 times

Last updated: Oct 05 '18

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2