This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to convert pcap file to text file with correct timestamp using tshark?

0

What are the tshark options to be used to read/convert a pcap file to a text file, with its default one-line description, but with correct timestamps?

It increments from 0.0 by default, but I want the exact unix time for each of the packets in the text file along with the default values.

I'm using the below command currently:

tshark -i - < srcfile.cap > destfile.txt

asked 10 Feb '15, 14:01

mlnsharma


2 Answers:

1

What @Jasper said, or use the tshark CLI options, see tshark -h:

-t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)

So, tshark -r srcfile.pcap -t ad > destfile.txt will do the trick.

answered 10 Feb '15, 16:24

SYN-bit ♦♦

I wanted it in tshark only, not the GUI, and this works. Thanks!

(11 Feb '15, 06:15) mlnsharma
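Added example, not part of the original thread or of the Wireshark project's code: the per-packet record header of a classic pcap file stores the capture time as epoch seconds plus a fractional part, which is the value the -t option formats (e for epoch, r for relative to the first packet). The sketch below reads those headers directly and returns both forms; the function names and the two-packet sample capture are constructed for illustration, and pcapng files are not handled.

```python
import struct

# Classic pcap magic bytes -> (struct byte order, ticks per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def pcap_timestamps(data):
    """Return [(epoch, relative_to_first, captured_len), ...] as strings/ints."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, div = MAGICS[data[:4]]
    digits = 6 if div == 10**6 else 9
    rows, off, first = [], 24, None          # 24-byte global header
    while off + 16 <= len(data):             # 16-byte record header
        sec, frac, caplen, _ = struct.unpack_from(order + "IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record")
        off += caplen                        # skip the packet bytes
        ticks = sec * div + frac             # integer math, no float rounding
        if first is None:
            first = ticks
        rel = ticks - first
        sign = "-" if rel < 0 else ""        # out-of-order packets
        rel = abs(rel)
        rows.append((f"{sec}.{frac:0{digits}d}",
                     f"{sign}{rel // div}.{rel % div:0{digits}d}", caplen))
    return rows

def sample_pcap():
    """Constructed capture: two packets, little-endian, microsecond stamps."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    p1 = struct.pack("<IIII", 1423576860, 123, 4, 4) + b"\x00" * 4
    p2 = struct.pack("<IIII", 1423576861, 500000, 2, 2) + b"\x00" * 2
    return hdr + p1 + p2

if __name__ == "__main__":
    for epoch, rel, caplen in pcap_timestamps(sample_pcap()):
        print(f"epoch={epoch}  relative={rel}  caplen={caplen}")
```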

1

Change the time column display format in the default preferences, e.g. by running Wireshark and using Edit -> Preferences -> User Interface -> Columns. Set "Time" value to "Absolute Date and Time" (or any other time format you like).

tshark uses the default profile by default (no pun intended), so whatever you set in that profile is going to be used by tshark (unless you force a different profile setting via command line parameter).

answered 10 Feb '15, 15:32

Jasper ♦♦