This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

edit wireshark timestamp

0

I know Wireshark gets the timestamp for a captured packet from the system clock.

I want to edit this timestamp for specific packets.

When I use the Time Shift option in the Edit menu, it changes the timestamp for all packets.

I need to change the timestamp for only one packet.

Other packet editing tools (for Windows OS) allow editing packet contents, not the timestamp given by Wireshark.

Thank you.

asked 20 Jun '15, 04:56

shady

edited 20 Jun '15, 05:14


2 Answers:

2

Here is one possible solution, but there may be smarter ones.

Let's assume the trace file is called "timetest.pcapng". Open the trace file and note the timestamp of each packet you want to manipulate. Then export the trace as a "k12 text file". Open the new "k12 text file" and manipulate the timestamps you want. Then open the "k12 text file" in Wireshark and export it as a pcapng file, e.g. "timeTest2.pcapng". Now you have to reorder the trace. You can do this with the following command:

reordercap timeTest2.pcapng timetestFinal.pcapng

answered 20 Jun '15, 15:18

Christian_R

It worked, but when I open the text file with Wireshark it gives me an error message:

The capture file appears to be damaged or corrupt. (vwr: Invalid data length 2119269 (runs past the end of the record))

Why?

(21 Jun '15, 14:40) shady

Hm, it seems like you changed something more. You can have a look at my manipulated "k12 text file" with this link: Link to timeTest.txt

As you can see I have changed the time of the second frame. Are you able to open this file without errors?

(21 Jun '15, 15:22) Christian_R

OK, I think I got the fault: you didn't export the file as a "k12 text file". To export the file as a "k12 text file", open the menu File -> Save as... and select the entry "K12 text file" as the file type. Then choose a filename and click the Save button.

(21 Jun '15, 15:44) Christian_R

I did it, thank you 1000000000 times.

To be clear:

Choose Export Specified Packets and choose k12 txt before you save, then apply the mentioned steps. This will do the trick (for time only, not date).

Thank you again.

(21 Jun '15, 15:48) shady

1

One option would be to use a HEX editor that is able to "decode" pcap files to modify the timestamps directly in the pcap file. See the following blog entry of @Jasper and the HEX editor mentioned therein (010 Editor with its PCAP template 'PCAPTemplate.bt').

https://blog.packet-foo.com/2015/04/deep-dive-frame-timestamps/#more-483

Another option would be to use 'special' pcap tools. WireEdit seems to get a timestamp modification feature soon (see Twitter). Besides that tool, you can use scapy to modify the timestamp; however, it requires (decent) Python scripting knowledge (see Google for examples: scapy modify timestamp).

Regards
Kurt

answered 21 Jun '15, 14:30

Kurt Knochner ♦

Thank you for the information, I will try 010 Editor.

(21 Jun '15, 14:50) shady

010 Editor gives me wrong timestamps; it's not clear to me, but still

thank you very much for everything :))

(21 Jun '15, 15:50) shady
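
Kurt's answer above points to changing the timestamp field directly in the capture file. As an added example (not code from the thread or from Wireshark), the Python below does that for one frame of a classic pcap file using only the standard library, then re-sorts the records by timestamp as the reordercap step does. The function names and the three-frame sample capture are constructed for illustration, and a pcapng trace is assumed to have been saved as pcap first.

```python
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def read_records(data):
    """Return (byte_order, global_header, [(sec, frac, orig_len, payload), ...])."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng must be converted first)")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl, orig = struct.unpack_from(order + "IIII", data, off)
        if off + 16 + incl > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        records.append((sec, frac, orig, data[off + 16: off + 16 + incl]))
        off += 16 + incl
    return order, data[:24], records

def set_timestamp(data, frame_no, sec, frac, reorder=True):
    """Rewrite the timestamp of one frame (1-based, as Wireshark numbers them)."""
    order, header, records = read_records(data)
    if not 1 <= frame_no <= len(records):
        raise IndexError("frame %d not in capture" % frame_no)
    _, _, orig, payload = records[frame_no - 1]
    records[frame_no - 1] = (sec, frac, orig, payload)
    if reorder:  # same effect as running reordercap afterwards; sort is stable
        records.sort(key=lambda r: (r[0], r[1]))
    out = [header]
    for s, f, o, p in records:
        out.append(struct.pack(order + "IIII", s, f, len(p), o) + p)
    return b"".join(out)

def build_sample():
    """Constructed 3-frame little-endian microsecond pcap; payloads are placeholders."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(1434776160, 0, b"frame-1"), (1434776161, 500000, b"frame-2"),
              (1434776162, 0, b"frame-3")]
    return hdr + b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p
                          for s, u, p in frames)

if __name__ == "__main__":
    edited = set_timestamp(build_sample(), 2, 1434776165, 250000)
    for sec, frac, _, payload in read_records(edited)[2]:
        print(sec, frac, payload)
```

Only the 16-byte record header changes, so nothing in the file itself records that a timestamp was altered; a capture kept as evidence needs a hash taken at acquisition time to make such an edit detectable.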