This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Data about old packets

0

Hi everybody: I would want to know how to see data about old packets(For example:Select a packet of 6 days ago).Is it possible? Thanks in advance. Francisco.

asked 04 Apr '15, 14:22

3J%20Kernel's gravatar image

3J Kernel
11114
accept rate: 0%

2 Answers:

1

I believe, you are asking how to view data in Wireshark that has been sent over the network a couple of days ago. If so, that's not possible if you started Wireshark only today. Please see my answer to a similar question:

https://ask.wireshark.org/questions/30120/search-a-package-in-specific-time

If I misinterpreted your question, the answer of @mrEEde is the right answer.

Regards
Kurt

answered 06 Apr '15, 04:02

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Yes, I mean that question.Thanks for the answer(and thank you to @mrEEde for his answer too)

(06 Apr '15, 07:24) 3J Kernel

0

If I understand your question correctly you are looking for display filter. The time display format can be changed to seconds since epoch. If your current epoch time is frame.time_epoch == 1427705316.066260000 and you want to see packets 6 days ago you need to substract 3600x24x6 518400 seconds and you get the epoch time from 6 days earlier and construct a display filter using

frame.time_epoch gt aaaaaaaaaa and frame.time_epoch lt bbbbbbbbbb

- It's probably easier to use the editcap -A -B options and specify the desired timeframe

editcap -A 2015-03-3017:18:32 -B 2015-03-3017:24:00 originalfile.pcapng t171832h.pcapng

Regards Matthias

answered 04 Apr '15, 23:51

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 04 Apr '15, 23:57