This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Any way to use frame.time_delta_displayed in a filter?

0

I'm working with a capture file in which a particular conversation suffers from a periodic interruption. I'd like to be able to use that delay in a display filter, but it just doesn't seem to work when I'm dealing with one conversation among many. I've tried:

tcp.stream eq 12 && frame.time_delta_displayed > 5.0

and

tcp.stream eq 12 && frame.time_delta_displayed == 6.671905000 (from Copy -> as Filter in Details)

but both yield empty results. Now, I can save that conversation to a separate file and then use:

frame.time_delta > 5.0

so my immediate need has been met. Is there any other filter that would select such packets WITHOUT the need to isolate the conversation in a separate file?

asked 07 May '12, 13:36

wesmorgan1's gravatar image

wesmorgan1
411101221
accept rate: 4%

One Answer:

2

Yes, you can enable TCP conversation timestamps (go to the TCP protocol preferences) and then use:

"tcp.time_delta > 5.0"

(no need to select one particular TCP stream, unless you are interested in one particular stream of course).

answered 07 May '12, 14:53

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 07 May '12, 14:54

Perfect - many thanks!

(08 May '12, 07:16) wesmorgan1