This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter 1second fragment with the tshark

0

Hello.

When I try to extract like this:

tshark -r $suff.pcap.gz -R "frame.time_relative <= 1" -2 -q -w $host4dump.1sec.cap

I get what I want except for the fact that each packet has a time value of 0.000000000 (Jan 1, 1970 03:00:00.000000000).

What should I do to extract it properly? Is there another way to extract a 1-second piece of a dump using a non-interactive console (within a script)?

asked 10 Jul '15, 22:44


rusyarr
1224
accept rate: 0%

edited 10 Jul '15, 22:50


2 Answers:

0

tshark -r $suff.pcap.gz -Y "frame.time_relative <= 1" -q -w $host4dump.1sec.cap did the trick.

So the question changes: what's the difference between -R -2 and -Y? Because only the statistics gathered with the -R option correspond to the statistics in Wireshark. I mean e.g. statistics like this:

tshark -r $suff.pcap.gz -R "frame.time_relative <= 1" -2 -q -z smpp_commands,tree >> $suff.txt

answered 10 Jul '15, 23:55


rusyarr
1224
accept rate: 0%
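As an added example (not part of the original thread), a small Python script that performs the same first-second slice by hand on a constructed pcap file, filtering on the time relative to the first frame and writing the surviving frames out with their original ts_sec/ts_usec values intact. The function names and the sample capture are constructed for this illustration.

```python
import struct
from typing import Iterator, List, Tuple

# pcap file layout (little-endian, microsecond timestamps):
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4

def write_pcap(records: List[Tuple[int, int, bytes]], linktype: int = 1) -> bytes:
    """Serialise (ts_sec, ts_usec, payload) records into a pcap blob."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, data in records:
        out.append(REC_HDR.pack(sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def read_pcap(blob: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (ts_sec, ts_usec, payload) records, timestamps untouched."""
    if struct.unpack_from("<I", blob)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(blob):
        sec, usec, incl, _orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        yield sec, usec, blob[off:off + incl]
        off += incl

def first_seconds(blob: bytes, window: float) -> bytes:
    """Keep frames whose time relative to the first frame is <= window,
    i.e. the same selection as tshark -Y "frame.time_relative <= N"."""
    window_us = round(window * 1_000_000)
    kept, t0 = [], None
    for sec, usec, data in read_pcap(blob):
        t = sec * 1_000_000 + usec          # integer microseconds, no float drift
        t0 = t if t0 is None else t0
        if t - t0 <= window_us:
            kept.append((sec, usec, data))  # original ts_sec/ts_usec carried through
    return write_pcap(kept)

# Constructed sample capture: four 60-byte frames at +0.0 s, +0.5 s, +1.0 s and +1.7 s.
BASE = 1436572800  # constructed base timestamp (2015-07-11 00:00:00 UTC)
SAMPLE = write_pcap([(BASE, 0, b"\x00" * 60), (BASE, 500_000, b"\x01" * 60),
                     (BASE + 1, 0, b"\x02" * 60), (BASE + 1, 700_000, b"\x03" * 60)])

if __name__ == "__main__":
    for sec, usec, data in read_pcap(first_seconds(SAMPLE, 1.0)):
        print(f"{sec}.{usec:06d}  len={len(data)}")  # three frames, none at 0.000000
```

The frame at exactly +1.0 s is kept because the filter is `<=`, matching the `frame.time_relative <= 1` expression used in the thread.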

0

For your original question:

What tshark/wireshark version are you running? I tried that command and did not get a time value of 0. (if by "time value" you mean Arrival Time or Epoch Time)

Can you post your capture file somewhere?


For your second question of what the difference is between -R -2 and -Y:

For both Wireshark and tshark, when they read the contents of a capture file they build an internal list of the frames (i.e., packets) in it. When you apply a display filter, it filters out packets from that list, to only show you the things that matched the display filter. With a display filter applied, the frame numbers (packet numbers) you see in the left-most column will likely not be sequential, but will instead only be for the packets that matched the display filter. When you clear that display filter, all the frames show up again (in Wireshark obviously, since in tshark you can't clear it afterwards since there is no "afterwards").

But both Wireshark and tshark also support a read filter. A read filter is the same syntax/mechanics as a display filter, but is applied to the frames/packets in the capture file before they are put in that list, and only the packets which match the read filter are added to that list at all. Because it's applied before they're added to the list, the frame numbers you see will now be sequential, because the frame number is based on the position in the list, and only the packets that matched the read filter are in that list.

In tshark, the -R option is for a read filter, and the -Y option is for a display filter. In Wireshark, when you click on the "Open" button (or menu File->Open) to open a new file, in the Open-file dialog window you'll see a "Filter" text box where you can put a filter-type string - that's a read filter; whereas the one on the top of the GUI in the toolbar is a display filter.

The -2 option tells tshark to process the packets twice. This is necessary to handle some scenarios, like fragmented packets.

answered 11 Jul '15, 09:50


Hadriel
2.7k2939
accept rate: 18%

Tx, Hadriel! Everything has become clear now!

(14 Jul '15, 00:51) rusyarr