This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UTC time with -T fields

1

Am I missing something or is there really no UTC option for the -T fields call?

I know you can get UTC time normally with "tshark -r C:\infile.pcap" but I need more specific headers than what the summary info can provide and -e frame.time is only passing local time. I am analyzing pcap files from all over the country, so I can't set a standard rule like frame.time +- TZ. The only thing I can think of doing is doing 2 separate calls:

tshark -r C:\infile.pcap -c 1

tshark -r C:\infile.pcap -T fields -e frame.time_relative -e blah blah

and then programmatically adding the relative time to the first packet time gained in the first tshark call.

But there has to be a better solution than this, right? tshark wouldn’t leave UTC time out when you can set a field for it in Wireshark and you can get it without calling -T fields?

Thanks guys,

Update -

Does anyone know if you need Wireshark or anything related to Wireshark (other than tshark) to use the call:

tshark.exe -r C:\Users\zmcpher\Desktop\1.pcap -o "gui.column.format:\"UTC Time\",\"%Aut\""

This seems to do what I need - so I'm hoping it will work with only tshark libraries.

asked 15 Mar ‘14, 10:18

Nefarii
accept rate: 100%

edited 15 Mar ‘14, 11:53

It doesn’t look like it depends on the GUI code at all - just the preferences code; but you should try it on a target system.

(15 Mar ‘14, 12:40) Hadriel


3 Answers:

2

You mean like one of these?:

tshark -t u
tshark -t ud

answered 15 Mar '14, 11:29

Hadriel
accept rate: 18%

Oops... answer collisions. :)

(15 Mar '14, 11:30) Hadriel

I've tried -t, but I can't seem to use it in conjunction with -T

(15 Mar '14, 11:41) Nefarii

In what way? What fields are you trying to extract?

(15 Mar '14, 11:46) Hadriel

Hmm, it seems that the online tshark man page is missing the -t u and -t ud options.

(15 Mar '14, 14:01) cmaynard ♦♦

Should have been... unless it was missed somehow by bug 8906?

(15 Mar '14, 14:33) Hadriel

Well it's definitely in the real man pages installed. I wonder where the online ones come from. (buildbots?)

(15 Mar '14, 14:42) Hadriel

2

This might help:

tshark -r C:\infile.pcap -T fields -e frame.time_epoch -e blah blah

answered 11 Jul '16, 02:58

arashdalir
accept rate: 0%
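
Building on the frame.time_epoch suggestion in the answer above, here is an added example (not part of the original answer or of tshark itself) that turns `-T fields` output into UTC timestamps without depending on the capturing machine's time zone. The function names, the extra fields (ip.src, tcp.dstport) and the sample rows are assumptions made up for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of what
#   tshark -r infile.pcap -T fields -e frame.time_epoch -e ip.src -e tcp.dstport
# prints: tab-separated columns, epoch seconds with fractional digits first.
SAMPLE = (
    "1394878680.123456789\t10.0.0.5\t443\n"
    "1394878680.900000000\t10.0.0.7\t\n"  # empty column: packet had no tcp.dstport
    "1394878681.000001000\t10.0.0.5\t80\n"
)

def epoch_to_utc(epoch: str) -> str:
    """Convert a frame.time_epoch string to ISO 8601 UTC, keeping every digit."""
    secs, _, frac = epoch.strip().partition(".")
    if not secs.isdigit() or (frac and not frac.isdigit()):
        raise ValueError(f"not an epoch timestamp: {epoch!r}")
    # Convert whole seconds only: float() would round away nanosecond digits.
    stamp = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    text = stamp.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{text}.{frac}Z" if frac else f"{text}Z"

def parse_fields(output: str, names):
    """Turn tshark -T fields output into dicts carrying a UTC timestamp."""
    rows = []
    for line in output.splitlines():
        if not line:
            continue
        cols = line.split("\t")
        # Pad rows whose trailing empty columns were stripped upstream.
        cols += [""] * (len(names) + 1 - len(cols))
        row = {"utc": epoch_to_utc(cols[0])}
        row.update(zip(names, cols[1:]))
        rows.append(row)
    return rows

if __name__ == "__main__":
    for r in parse_fields(SAMPLE, ["ip.src", "tcp.dstport"]):
        print(r)
```

Because the epoch value is time-zone independent, the same script gives identical timestamps for a capture no matter where it was taken or where it is analyzed.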

1

You could use something very similar to the answers I provided for these 2 questions:

In your case, add either "UTC date and time" or "UTC time" and name the column something like UTCDateTime or UTCTime, respectively, and then you can use:

tshark -r C:\infile.pcap -T fields -e col.UTCDateTime -e blah blah

answered 15 Mar '14, 11:25

cmaynard ♦♦
accept rate: 20%

Sorry, I should have mentioned this - I have tshark bundled with one of my scripts, so you have to assume that Wireshark is not installed on any of the PCs that will be running the script. So the -e col won't work

(15 Mar '14, 11:39) Nefarii