
stumbling over use of io,stat,0,SUM...

I would like to use tshark to SUM tcp.delta_time in a pcap. But clearly I'm fumbling something. Pointers?

tshark 2.6.10

guru> tshark -r sample.pcapng –Y tcp.dstport==443 -o tcp.calculate_timestamps:TRUE -z io,stat,0,"SUM(tcp.time_delta)tcp.time_delta"
guru> tshark: "" was unexpected in this context

Seems to me that the use of "" is required in this context ... what is this error telling me?

tshark 3.20.0

C:\Temp>tshark -r sample.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z io,stat,0."SUM(tcp.time_delta)tcp.time_delta"

tshark: invalid "-z io,stat,<interval>[,<filter>][,<filter>]..." argument

C:\Temp>

Seems like tshark is interpreting this line as belonging to the standard class of '-z io,stat' lines ... whereas I would prefer that it interpret my options as belonging to the "COUNT|SUM|MIN|MAX|AVG|LOAD" approach (https://www.wireshark.org/docs/man-pages/tshark.html) ... but again, I don't see why tshark is interpreting my options this way.

Googling, I can find syntax which looks similar to me:

https://seclists.org/wireshark/2011/Nov/111
https://www.wireshark.org/lists/wireshark-users/201305/msg00022.html

But apparently, I'm not copying as accurately as I would like from these past posts.

Suggestions?

--sk

Stuart Kendrick
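
A pre-flight check for copy-pasted tshark command lines, as an added example that is not part of the original post and is not tshark's own parser. It assumes the `io,stat,<interval>[,<filter>]...` form shown in the error message and the `COUNT|SUM|MIN|MAX|AVG|LOAD` list quoted above; `parse_io_stat` and `lint_argv` are hypothetical names, and the two argument vectors are constructed from the commands in the post.

```python
import re

# Aggregate names quoted in the post from the tshark man page.
FUNCS = ("COUNT", "SUM", "MIN", "MAX", "AVG", "LOAD")
# Typographic dashes that editors and web pages substitute for ASCII "-".
DASHES = "\u2012\u2013\u2014\u2015\u2212"
CALC = re.compile(r"^(%s)\(([^()]+)\)(.*)$" % "|".join(FUNCS))


def parse_io_stat(value):
    """Split a -z value into (interval, columns, problems)."""
    parts = value.split(",")  # assumption: filters contain no commas
    if len(parts) < 3 or parts[:2] != ["io", "stat"]:
        return None, [], ["expected io,stat,<interval>[,<filter>]..."]
    problems, columns = [], []
    try:
        interval = float(parts[2])
    except ValueError:
        interval = None
        problems.append("interval %r is not a number" % parts[2])
    for flt in parts[3:]:
        m = CALC.match(flt)
        # (function, field, filter); a plain filter has no function or field
        columns.append(m.groups() if m else (None, None, flt))
    return interval, columns, problems


def lint_argv(argv):
    """Return a list of problems for a tshark argument vector."""
    problems = []
    for i, arg in enumerate(argv):
        if arg and arg[0] in DASHES:
            problems.append("argv[%d] %r starts with a non-ASCII dash" % (i, arg))
        if arg == "-z" and i + 1 < len(argv) and argv[i + 1].startswith("io,stat"):
            problems += parse_io_stat(argv[i + 1])[2]
    return problems


# Constructed from the two command lines in the post, after shell quote removal.
POST_2_6 = ["tshark", "-r", "sample.pcapng", "\u2013Y", "tcp.dstport==443",
            "-o", "tcp.calculate_timestamps:TRUE",
            "-z", "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"]
POST_3_X = ["tshark", "-r", "sample.pcapng", "-o", "tcp.calculate_timestamps:TRUE",
            "-Y", "tcp.dstport==443",
            "-z", "io,stat,0.SUM(tcp.time_delta)tcp.time_delta"]

if __name__ == "__main__":
    for argv in (POST_2_6, POST_3_X):
        print(lint_argv(argv) or "no problems found")
```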
