asked 30 May '11, 07:22
Timestamps are retrieved from the libpcap/winpcap library, which in turn gets the timestamp from the OS kernel.
This may be oversimplified for what you actually need but...
if you are using tshark you could use:
tshark -i (interface#) -T fields -e frame.time -e (whatever other fields you want to display)
For capturing, the time stamp is already included in every packet, but you can output different formats using parameters as follows:
tshark -i (interface#) -t (format), where (format) is one of:
    ad  (absolute date and time)
    a   (absolute time)
    r   (relative time between 1st and current packet)
    d   (delta from previous packet)
    dd  (displayed delta)
    e   (epoch time since 1/1/1970)
Hope this is helpful,
answered 02 Jun '11, 06:33
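An added example, not part of the original answers: the time stamp that libpcap records sits in the 16-byte header in front of each packet in a classic pcap file, and the `-t e`, `-t ad`, `-t r` and `-t d` displays are all derived from that one value. The function names and the three-packet sample capture are constructed for illustration.

```python
import struct
from datetime import datetime, timezone
from decimal import Decimal

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D  # classic pcap magic numbers

def read_timestamps(blob):
    """Return per-packet capture times (epoch seconds, Decimal) from a classic pcap blob."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    frac = Decimal(10) ** (-6 if magic == MAGIC_USEC else -9)
    times, off = [], 24
    while off + 16 <= len(blob):
        # record header: ts_sec, ts_usec (or ts_nsec), incl_len, orig_len
        sec, sub, incl_len, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        if off + 16 + incl_len > len(blob):
            raise ValueError("truncated packet record")
        times.append(sec + sub * frac)
        off += 16 + incl_len
    return times

def views(times):
    """Per packet: epoch (-t e), absolute UTC (-t ad), relative (-t r), delta (-t d)."""
    rows = []
    for i, t in enumerate(times):
        absolute = datetime.fromtimestamp(float(t), tz=timezone.utc).isoformat()
        rows.append((t, absolute, t - times[0], t - times[i - 1] if i else Decimal(0)))
    return rows

def sample_pcap():
    """Constructed capture: three 4-byte dummy packets, little-endian, microsecond."""
    blob = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec in ((1306740120, 0), (1306740120, 250000), (1306740122, 500000)):
        blob += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return blob

if __name__ == "__main__":
    for row in views(read_timestamps(sample_pcap())):
        print(*row)
```

The absolute column here is printed in UTC; tshark's `-t a` and `-t ad` show local time.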