This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark - How to output date in ISO format?

2

Hi,

In Wireshark 1.10.5 on Windows I can select View | Time Display Format | Date and Time of Day and the date is displayed in ISO date format, e.g. "2014-02-25 13:20:11 740751000".

How to display the same format in tshark? I tried:

tshark -r c:\myfile.pcap -T fields -e frame.time

but the output is: "Feb 25, 2014 13:20:11.740751000"

How to display ISO date format in tshark?

Thanks

asked 04 Mar '14, 05:18


dolphin500

edited 04 Mar '14, 05:22


3 Answers:

4

In that case, I'd suggest the following:

  • First, start Wireshark and add a column using Edit -> Preferences -> Columns -> Add. The column you most likely want to add is the "Absolute date and time" column. Give it a title, e.g., "AbsTime".
  • Save the column preferences and exit Wireshark.
  • From the command-line, run tshark as follows:

tshark.exe -Y "tcp.srcport==443" -r C:\myfile.pcap -T fields -E header=y -E separator=; -e frame.number -e col.AbsTime -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e col.Protocol -e frame.len -e col.Info

answered 04 Mar '14, 11:10


cmaynard ♦♦

@cmaynard, excellent this works exactly as I want. Thanks a million.

By the way, in Edit | Preferences | Columns I have also unchecked "AbsTime" in the Displayed column, so as not to corrupt the Wireshark view I like to have in the GUI. So a disabled column in Wireshark can still be referenced in tshark. Excellent. Problem solved.

(05 Mar '14, 02:05) dolphin500

@dolphin500

I've moved the comment by @cmaynard to its own answer as it seems to do the job. Can you please "accept" the answer by clicking on the check-mark icon for the benefit of other users?

(05 Mar '14, 03:09) grahamb ♦

Hi Chris - is there any way to get tshark to output ISO 8601 formatted dates when using -T fields without adding a column to Wireshark? I'd like to do this with "out of the box" tshark, so to speak, so that I could format any FT_ABSOLUTE_TIME field that way in tshark. Should I put in a feature request for this? Also, if I might be so bold, ISO 8601 should really be the default date/time output format for tshark. That would make subsequent parsing of tshark output much, much easier, since most tools out there support parsing of ISO 8601 dates.

(20 Jun '14, 14:59) CraigGarrett
1

is there any way to get tshark to output ISO 8601 formatted dates when using -T fields without adding a column to Wireshark?

Not that I'm aware of; however, after you add the column in Wireshark, you could make it a hidden column if you don't want it to actually appear in Wireshark, and it will still work.

As for the suggestion of changing the tshark default date/time output to use ISO 8601 date/time format, I'm not sure. What might be nice is if the tshark output format used the exact same Wireshark columns for the given profile, then you wouldn't need to specify each field via -T fields at all unless you wanted something different from the current profile.

(22 Jun '14, 10:10) cmaynard ♦♦

Hi Chris - thanks for the info! I'm concerned about headless environments, where I wouldn't have access to Wireshark at all, just tshark. I submitted a feature request:

add ISO 8601 date format option to tshark -T fields: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10220

(23 Jun '14, 09:39) CraigGarrett

For headless environments, you could also directly edit the preferences file, adding whichever columns you want. It can be a little tricky in that you have to know the exact syntax, but it might be an option.

(23 Jun '14, 10:45) cmaynard ♦♦

Hi

This is exactly what I want, but it doesn't work for me; I get this error:

tshark.exe -Y "tcp.srcport==443" -r khadidja.pcap -T fields -E header=y -E separator=; -e frame.number -e col.AbsTime -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e col.Protocol -e frame.len -e col.Info

tshark: Some fields aren't valid: col.Info col.Protocol col.AbsTime

can you help me :)

(13 May '16, 06:00) Khadidja Kha...
2

As of Wireshark 1.12.0, released on July 31, 2014, all the column fields need to be prefixed with _ws., so you would need to use the following instead:

tshark.exe -Y "tcp.srcport==443" -r khadidja.pcap -T fields -E header=y -E separator=; -e frame.number -e _ws.col.AbsTime -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e _ws.col.Protocol -e frame.len -e _ws.col.Info

(13 May '16, 07:48) cmaynard ♦♦

Thanks, it works perfectly :)

(13 May '16, 08:00) Khadidja Kha...
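Where adding a column is not an option (the headless case raised in the comments above), an alternative is to post-process the default frame.time text that tshark prints. The Python below is an added example, not code from this thread or from the Wireshark project; it assumes the `-T fields -E separator=;` layout posted above, with frame.time in the second column, and the sample lines it embeds are constructed to mirror that output.

```python
import re
from datetime import datetime

# Default tshark frame.time text, e.g. "Feb 25, 2014 13:20:11.740751000",
# optionally followed by a zone abbreviation such as "MSK" (seen in the last answer).
_FRAME_TIME = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}), (?P<year>\d{4}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2})(?:\.(?P<frac>\d{1,9}))?(?: (?P<tz>\S+))?$"
)


def frame_time_to_iso8601(text: str) -> str:
    """Convert tshark's default frame.time text to 'YYYY-MM-DD HH:MM:SS.nnnnnnnnn'.

    datetime.strptime only understands microseconds, so the fractional part is
    carried through as a string and right-padded to nine digits (nanoseconds).
    """
    m = _FRAME_TIME.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised frame.time value: {text!r}")
    base = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S"
    )
    frac = (m["frac"] or "").ljust(9, "0")
    iso = f"{base:%Y-%m-%d %H:%M:%S}.{frac}"
    # A zone abbreviation cannot be turned into a numeric offset without a tz
    # database, so it is kept as a suffix rather than silently dropped.
    return f"{iso} {m['tz']}" if m["tz"] else iso


def convert_fields_line(line: str, time_col: int = 1, sep: str = ";") -> str:
    """Rewrite the time column of one '-T fields -E separator=;' line.

    Only the leading columns are split, so a separator inside a trailing
    free-text column such as col.Info is left untouched.
    """
    cols = line.rstrip("\n").split(sep, time_col + 1)
    cols[time_col] = frame_time_to_iso8601(cols[time_col])
    return sep.join(cols)


def convert_fields_output(lines, time_col: int = 1, sep: str = ";", header: bool = True):
    """Convert a whole dump; with -E header=y the first line is passed through unchanged."""
    return [ln if (header and i == 0) else convert_fields_line(ln, time_col, sep)
            for i, ln in enumerate(lines)]


SAMPLE = [  # constructed to mirror the -T fields output posted in this thread
    "frame.number;frame.time;ip.src;tcp.srcport;ip.dst;tcp.dstport;_ws.col.Info",
    "6;Mar  4, 2014 17:50:06.933239000;173.194.70.95;443;192.168.1.66;2727;443 > 2727 [ACK] Seq=1 Ack=42",
    "7;Mar  4, 2014 17:50:06.933303000;173.194.70.95;443;192.168.1.66;2727;Application Data",
]
```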

2

You can do this by specifying the time column format using something such as:

tshark.exe -r C:\myfile.pcap -o "gui.column.format:\"Time\",\"%Yt\""

If you're using a recent enough version of Wireshark (anything post-r52627) then you can find all the column format options by running "tshark.exe -G column-formats"; otherwise you can look in the source code in the epan/column.c file for them.

answered 04 Mar '14, 07:52


cmaynard ♦♦

@cmaynard, your command works fine for the sample you have provided:

tshark.exe -r C:\myfile.pcap -o "gui.column.format:\"Time\",\"%Yt\""

but in output I would like to only specify the columns that I really need like for example:

tshark -r c:\myfile.pcap -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e col.Protocol -e frame.len -e col.Info -E header=y -E separator=;

How to display the ISO date format if only the columns I need should be displayed and a header and column separator are required?

P.S. The command tshark.exe -G column-formats returns an error: "tshark: Invalid "column-formats" option for -G flag, enter -G ? for more help". The tshark version displayed by the tshark -v command: "TShark 1.10.5 (SVN Rev 54262 from /trunk-1.10)". It looks like this command is currently available only in development builds.

Thanks

(04 Mar '14, 09:04) dolphin500

Info from: http://ask.wireshark.org/questions/29000/windows-7-problem-tshark and so far I have come to this command:

tshark.exe -Y "tcp.srcport==443" -r c:\myfile.pcap -o "gui.column.format:\"No.\",\"%m\",\"Time\",\"%Yt\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\",\"%i\""

but I still don't get the same output I would like to have, like headers and a column separator.

So the above command outputs:

6 6.653501000 173.194.70.95 -> 192.168.1.66 TCP 60 443 > 2727 [ACK] Seq=1 Ack=42
7 6.653565000 173.194.70.95 -> 192.168.1.66 TLSv1.2 95 Application Data
10 7.654395000 173.194.70.95 -> 192.168.1.66 TCP 60 443 > 2747 [ACK] Seq=1 Ack=42
11 7.654462000 173.194.70.95 -> 192.168.1.66 TLSv1.2 95 Application Data
15 8.655955000 162.159.241.165 -> 192.168.1.66 TLSv1.2 95 Application Data

but I would like to have (my command from the previous post with the -T and -e options):

6;Mar 4, 2014 17:50:06.933239000;173.194.70.95;443;192.168.1.66;2727;TCP;60;443 > 2727 [ACK] Seq=1 Ack=42
7;Mar 4, 2014 17:50:06.933303000;173.194.70.95;443;192.168.1.66;2727;TLSv1.2;95;Application Data
10;Mar 4, 2014 17:50:07.934133000;173.194.70.95;443;192.168.1.66;2747;TCP;60;443 > 2747 [ACK] Seq=1 Ack=42
11;Mar 4, 2014 17:50:07.934200000;173.194.70.95;443;192.168.1.66;2747;TLSv1.2;95;Application Data
15;Mar 4, 2014 17:50:08.935693000;162.159.241.165;443;192.168.1.66;2748;TLSv1.2;95;Application Data

but with the second column (the date) in ISO format.

(04 Mar '14, 09:43) dolphin500

0

tshark -u s -t ad -o column.format:"Time, %t","Source, %s","Destination, %d","Protocol, %p","Info, %i"

2015-05-15 18:26:46.666890 10.12.1.2 -> 8.8.8.8 DNS Standard query 0xcf86 A www.rax.ru

tshark -u s -t ad -o column.format:"Time","%Cus:frame.time","Source, %s","Destination, %d","Protocol, %p","Info, %i"

May 15, 2015 18:27:32.546288000 MSK 8.8.8.8 -> 9.9.9.9 TCP 25361

Just enter -o column.format:"Time","%Cus:frame.time"

answered 14 May '15, 22:30


Stepan Yudin