This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I display absolute time and delta at the same time with tshark?

0

Hi,

When you use tshark without the -V option, it extracts the frames in a format like the one below.

    $ tshark -tad -r <packet capture file>
    <frame number> <absolute time> <source ip> <destination ip> <description of packet, such as NFS V3 GETATTR>

I would like to make it something like below.

    <frame number> <absolute time> <difference with previous packet> <source ip> <destination ip> <description of packet, such as NFS V3 GETATTR>

Is there an option to do this with tshark, or do I need to produce two different text outputs and join the fields together?

Thank you in advance,

-hisao

asked 14 Mar '14, 04:36


CarpeDiem
accept rate: 0%


One Answer:

4

This is very similar to what was asked in the "tshark - How to output date in ISO format?" question, so you can refer to my answer there, but in a nutshell for your particular case:

  • Start Wireshark and add 2 columns, using Edit -> Preferences -> Columns -> Add. These 2 columns are the "Absolute date and time" and "Delta time displayed" columns. Give them appropriate names, e.g., "AbsTime" and "DeltaTime", respectively. If you don't want these columns displayed in Wireshark itself, then they can be marked as hidden by clearing the checkmark in the "Displayed" box.
  • Save the column preferences and exit Wireshark.
  • From the command-line, you can now run tshark as follows:

    tshark.exe -r file.pcap -T fields -E header=y -e frame.number -e col.AbsTime -e col.DeltaTime -e col.Source -e col.Destination -e col.Protocol -e col.Length -e col.Info

You can use -e frame.time instead of -e col.AbsTime if you prefer that format, in which case you don't have to add the "AbsTime" column in Wireshark. You can also use -e frame.len instead of -e col.Length as they're essentially the same.

answered 14 Mar '14, 06:55


cmaynard ♦♦
accept rate: 20%
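If you only have the absolute timestamp in the field output (for example frame.time_epoch), the delta column can also be computed from it after the fact instead of asking tshark for a second column. The following is an added example, not code from the answer or from the Wireshark project; it assumes the output came from `tshark -T fields -E header=y` (tab-separated, field names on the first line) and that frame.time_epoch was one of the requested fields. The sample rows are constructed, not a real capture.

```python
"""Parse tab-separated `tshark -T fields -E header=y` output and add a delta column."""
from decimal import Decimal

# Constructed sample output (not from a real capture). The last frame is a
# broadcast without a TCP port, so its tcp.srcport field is empty.
SAMPLE = "\n".join([
    "frame.number\tframe.time_epoch\tip.src\tip.dst\ttcp.srcport",
    "1\t1394883463.470376000\t192.168.150.1\t192.168.150.18\t49906",
    "2\t1394883463.470787000\t192.168.150.1\t192.168.150.18\t49906",
    "3\t1394883463.470805000\t192.168.150.18\t192.168.150.1\t215",
    "4\t1394883463.811069000\t192.168.150.1\t192.168.150.255\t",
])


def parse_fields(text):
    """Turn header + rows into a list of dicts keyed by field name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        values = line.split("\t")  # empty fields stay as "" so columns keep aligning
        if len(values) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(values)}: {line!r}")
        rows.append(dict(zip(header, values)))
    return rows


def add_delta(rows, time_field="frame.time_epoch"):
    """Add a 'delta' field: seconds since the previous frame, nanosecond precision."""
    prev = None
    out = []
    for row in rows:
        now = Decimal(row[time_field])  # Decimal keeps the 9 fractional digits exact
        delta = Decimal(0) if prev is None else now - prev
        prev = now
        new_row = dict(row)
        new_row["delta"] = f"{delta:.9f}"
        out.append(new_row)
    return out


def render(rows, columns):
    """Render selected columns back to the same tab-separated, header-first layout."""
    lines = ["\t".join(columns)]
    lines += ["\t".join(row[c] for c in columns) for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    frames = add_delta(parse_fields(SAMPLE))
    print(render(frames, ["frame.number", "frame.time_epoch", "delta", "ip.src", "ip.dst", "tcp.srcport"]))
```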

Thank you. This seems what I needed.

(15 Mar '14, 05:20) CarpeDiem

    $ tshark -r ./snoop-e1000g0-20140315-123743.out -T fields -E header=y -e frame.number -e frame.time -e frame.time_delta -e ip.src -e ip.dst -e tcp.srcport | head
    frame.number frame.time frame.time_delta ip.src ip.dst tcp.srcport
    1 Mar 15, 2014 21:37:43.470376000 0.000000000 192.168.150.1 192.168.150.18 49906
    2 Mar 15, 2014 21:37:43.470787000 0.000411000 192.168.150.1 192.168.150.18 49906
    3 Mar 15, 2014 21:37:43.470805000 0.000018000 192.168.150.18 192.168.150.1 215
    4 Mar 15, 2014 21:37:43.471398000 0.000593000 192.168.150.1 192.168.150.18 49906
    5 Mar 15, 2014 21:37:43.471800000 0.000402000 192.168.150.1 192.168.150.18 49906
    6 Mar 15, 2014 21:37:43.471813000 0.000013000 192.168.150.18 192.168.150.1 215
    7 Mar 15, 2014 21:37:43.472568000 0.000755000 192.168.150.18 192.168.150.1 215
    8 Mar 15, 2014 21:37:43.472859000 0.000291000 192.168.150.1 192.168.150.18 49906
    9 Mar 15, 2014 21:37:43.811069000 0.338210000 192.168.150.1 192.168.150.255

This however does not show me the payload. It seems that I need to look into the reference a bit more. "Display Filter Reference": http://www.wireshark.org/docs/dfref/#section_m

(15 Mar '14, 06:36) CarpeDiem

You seem to be asking a different question, "How to show the payload?" Please post a new question instead of continuing to comment on this one, which already has an answer.

(15 Mar '14, 07:40) cmaynard ♦♦