This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to preserve timestamps in tshark output file?

I'm using tshark to extract specific TCP streams and write that to an output pcap file using the -w option.

But, the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).

Is there any way to ensure that the original timestamps (from the original pcap file) are preserved in the output pcap?

I'm using TShark 1.10.5 (SVN Rev 54262 from /trunk-1.10) on MacOS. Here's what I'm doing:

tshark -r test.pcap -2 -R "tcp.stream == 53" -w test_53.pcap

Thanks!

timestamp pcap tshark output

asked 10 Feb '14, 18:35

wwwalker
21●2●2●6
accept rate: 0%

One Answer:

the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).

That is what is technically known as a "bug". Please file it as a bug on the Wireshark Bugzilla; if you can attach your original pcap file for testing purposes, that would be good. (If not, please run the file command on it and show the results, just so we know what file type the input file is - it might, for example, be a pcap-ng file rather than a pcap file, the .pcap nonwithstanding).

answered 10 Feb '14, 21:02

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

Thanks, here's the bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9747

(11 Feb '14, 15:32) wwwalker