This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter expression

0

I am studying the frame timing for a real time control system. For example, frames should go out every 1msec. I could filter the frames that are off-sync by 100usec early to 100usec late using this type expression: ((frame.time + 0.0001) MOD 0.001) < 0.0002 Or with integer math (((frame.time * 1000000) + 100) MOD 1000) < 200 Is there a way to enter this type math expression in the filter editors?

asked 16 Mar '11, 20:45

Rich%20S's gravatar image

Rich S
1111
accept rate: 0%

One Answer:

0

Doing math in a display filter is not possible. The closest you can get to what you want is to look at the frame.time_delta. You can then look at the interpacket time with:

frame.time_delta<0.0002

However, with a little scripting you can achieve what you want with tshark:

tshark -r file.cap -T fields -e frame.number -e frame.time_relative -e ... |\
   awk '{if(((($2 * 1000000) + 100) % 1000) < 200) {print}}'

Which produces the following output (random capture file in my collection):

1   0.000000000
6   0.249992000
7   0.250094000
14  0.374920000
15  0.375024000
29  0.462919000
33  0.500003000
43  0.750010000
48  0.760090000
50  0.760957000

answered 17 Mar '11, 00:44

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%