When I gave the following command on Ubuntu:
tshark -2 -F pcap -r tcpdump.pcap -R "tcp and ip" -w write.pcap
1) I used the -F pcap option; I want e.pcap in the old pcap format.
Problem/issue: When I open write.pcap it has lost its old time/date, i.e. tcpdump.pcap has 26 July 2014 with some time 10.12.34 in its Time column, but in write.pcap it comes to 1970-01-01 with time 00.00.00 in the Time column. If I use the -w option it will give the raw packet, but why is it losing the Time from it? I.e. I want my Time to be intact rather than going to the default time. Is there any way to correct this situation with an option or anything else?
asked 01 Sep '14, 18:30 Ravi1
One Answer:
Looks like the same (or similar) error that was reported in another question:
Regards
answered 23 Oct '14, 11:58 Kurt Knochner ♦
What version of Wireshark is this? (What does tshark -v print?)
[email protected]:~$ tshark -v print
TShark 1.10.6 (v1.10.6 from master-1.10)
Copyright 1998-2014 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.39.91, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP.
Running on Linux 3.13.0-32-generic, with locale en_US.UTF-8, with libpcap version 1.5.3, with libz 1.2.8. Intel(R) Core(TM) i5-3437U CPU @ 1.90GHz
Built using gcc 4.8.2.
[email protected]:~$
We'd probably need to see the original capture file to reproduce the problem. You might consider first upgrading to the latest version (currently 1.12.1) and if that doesn't help then open a bug report (it's easier to attach files there).
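An added example, not part of the original thread and not Wireshark code: a Python check that reads the per-record timestamps of two classic pcap files and reports records in the rewritten file whose timestamp is zero or does not occur in the original. The byte strings are constructed stand-ins for tcpdump.pcap and write.pcap (the 2014 time is taken as UTC), and `read_timestamps`, `check_rewrite` and `build_pcap` are names introduced here.

```python
import struct
from datetime import datetime, timezone

# Classic pcap magic -> timestamp fraction units per second (usec / nsec variants).
MAGICS = {0xA1B2C3D4: 10**6, 0xA1B23C4D: 10**9}

def read_timestamps(data):
    """Return [(ts_sec, ts_frac), ...] for each record of a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng or something else)")
    stamps, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        stamps.append((ts_sec, ts_frac))
        offset += 16 + incl_len  # skip the captured bytes of this record
    return stamps

def check_rewrite(original, rewritten):
    """Indices of records in `rewritten` whose timestamp is 0 or absent from `original`."""
    known = set(read_timestamps(original))
    out = read_timestamps(rewritten)
    return {
        "epoch_zero": [i for i, ts in enumerate(out) if ts == (0, 0)],
        "not_in_original": [i for i, ts in enumerate(out) if ts not in known],
    }

def build_pcap(records):
    """Constructed sample data only: little-endian pcap from (sec, usec, payload) tuples."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in records:
        blob += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return blob

# Constructed stand-ins for tcpdump.pcap and write.pcap (26 July 2014 10:12:34, taken as UTC).
T0 = int(datetime(2014, 7, 26, 10, 12, 34, tzinfo=timezone.utc).timestamp())
PAD = b"\x00" * 60
SAMPLE_ORIGINAL = build_pcap([(T0, 100, PAD), (T0 + 1, 0, PAD[:42]), (T0 + 2, 5, PAD)])
SAMPLE_INTACT = build_pcap([(T0, 100, PAD), (T0 + 2, 5, PAD)])
SAMPLE_BROKEN = build_pcap([(0, 0, PAD), (0, 0, PAD)])

if __name__ == "__main__":
    print(check_rewrite(SAMPLE_ORIGINAL, SAMPLE_INTACT))
    print(check_rewrite(SAMPLE_ORIGINAL, SAMPLE_BROKEN))
```

On real files, pass the bytes of each capture, for example `check_rewrite(open("tcpdump.pcap", "rb").read(), open("write.pcap", "rb").read())`.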