Ask Your Question
0

Display filter - "show last 5 minutes of the capture file"

asked 2019-01-24 08:00:42 +0000

Packet_vlad gravatar image

updated 2019-01-24 10:21:53 +0000

Hi all,

I've got an interesting question from one of subscribers:

How to create display filter which will show only last 5 minutes in a capture file?

The best I could guess is to go to the last packet, remember it's "seconds from beginning" value, subtract 300, make a filter frame.time_relative <= computed_before_value

Is there an easier way?

If display filters had supported arithmetical operations I could've done the next: go to the last packet and apply a filter like frame.time_relative <= ${frame.time_relative} - 300 But this is not possible as I understand.

Thanks

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-01-24 10:07:39 +0000

grahamb gravatar image

As display filters work on a packet by packet basis then the time to test against must be known for each test, and there are (currently) no filters that refer to absolute values from the capture, e.g. your $frame.time which I guess you would like to be the time of the last packet.

edit flag offensive delete link more

Comments

Hi Graham, sorry, I've misspelled my filters a bit. Just have corrected them.

I can refer to last packet's relative time by selecting it first and playing with ${frame.time_relative} expression, but I can't apply any arithmetical shift (say, "subtract some value" operation).

Packet_vlad gravatar imagePacket_vlad ( 2019-01-24 10:21:43 +0000 )edit

Ok, I think the concept of a filter value that is derived from first\last packet time is viable. For the last packet there would have to be a first pass through the capture, which is OK.

To implement this would require an enhancement request at the Wireshark Bugzilla.

grahamb gravatar imagegrahamb ( 2019-01-24 10:25:29 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-01-24 08:00:42 +0000

Seen: 832 times

Last updated: Jan 24 '19

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2