This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello.

When I try to extract like this:

tshark -r $suff.pcap.gz -R "frame.time_relative <= 1" -2 -q -w $host4dump.1sec.cap

I get what I want except for the fact that each packet has a time value of 0.000000000 (Jan 1, 1970 03:00:00.000000000).

What should I do to extract it properly? Is there another way to extract a 1-second piece of a dump using a non-interactive console (within a script)?

asked 10 Jul '15, 22:44


rusyarr

edited 10 Jul '15, 22:50


tshark -r $suff.pcap.gz -Y "frame.time_relative <= 1" -q -w $host4dump.1sec.cap did the trick.

So the question changes: what's the difference between -R -2 and -Y? Because only the statistics gathered with the -R option correspond to the statistics in Wireshark. I mean e.g. statistics like this:

tshark -r $suff.pcap.gz -R "frame.time_relative <= 1" -2 -q -z smpp_commands,tree >> $suff.txt

answered 10 Jul '15, 23:55


rusyarr

For your original question:

What tshark/wireshark version are you running? I tried that command and did not get a time value of 0. (if by "time value" you mean Arrival Time or Epoch Time)

Can you post your capture file somewhere?


For your second question of what the difference is between -R -2 and -Y:

For both Wireshark and tshark, when they read the contents of a capture file they build an internal list of the frames (i.e., packets) in it. When you apply a display filter, it filters out packets from that list, to only show you the things that matched the display filter. With a display filter applied, the frame numbers (packet numbers) you see in the left-most column will likely not be sequential, but will instead only be for the packets that matched the display filter. When you clear that display filter, all the frames show up again (in Wireshark obviously, since in tshark you can't clear it afterwards since there is no "afterwards").

But both Wireshark and tshark also support a read filter. A read filter is the same syntax/mechanics as a display filter, but is applied to the frames/packets in the capture file before they are put in that list, and only the packets which match the read filter are added to that list at all. Because it's applied before they're added to the list, the frame numbers you see will now be sequential, because the frame number is based on the position in the list, and only the packets that matched the read filter are in that list.

In tshark, the -R option is for a read filter, and the -Y option is for a display filter. In Wireshark, when you click on the "Open" button (or menu File->Open) to open a new file, in the Open-file dialog window you'll see a "Filter" text box where you can put a filter-type string - that's a read filter; whereas the one on the top of the GUI in the toolbar is a display filter.

The -2 option tells tshark to process the packets twice. This is necessary to handle some scenarios, like fragmented packets.


answered 11 Jul '15, 09:50


Hadriel
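As an added illustration (not from the original thread and not Wireshark's own code), the following Python model shows the consequence described in the answer above: under a read filter the surviving frames are numbered without gaps, while under a display filter the numbering keeps the gaps. The sample capture is constructed; the -2 two-pass reassembly is not modelled.

```python
"""Model of how tshark numbers frames under a read filter (-R) versus a
display filter (-Y). Sample data is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Frame:
    number: int           # position in tshark's internal frame list
    time_epoch: float     # absolute timestamp (frame.time_epoch)
    time_relative: float  # seconds since the first frame in the file
    proto: str

# Constructed capture: six packets 0.4 s apart, alternating protocols.
SAMPLE_CAPTURE = [(1436590000.0 + 0.4 * i, p) for i, p in
                  enumerate(["tcp", "smpp", "tcp", "smpp", "udp", "smpp"])]

def _decode(capture):
    """Compute frame.time_relative against the first packet in the file."""
    first = capture[0][0]
    return [(ts, ts - first, proto) for ts, proto in capture]

def read_filter(capture, keep: Callable[[float, str], bool]) -> List[Frame]:
    """-R: non-matching packets never enter the frame list, so the frames
    that survive are numbered 1..n with no gaps."""
    frames: List[Frame] = []
    for ts, rel, proto in _decode(capture):
        if keep(rel, proto):
            frames.append(Frame(len(frames) + 1, ts, rel, proto))
    return frames

def display_filter(capture, keep: Callable[[float, str], bool]) -> List[Frame]:
    """-Y: every packet is numbered first; the filter only hides the
    non-matching ones, so the original numbers (and gaps) remain."""
    frames = [Frame(i + 1, ts, rel, proto)
              for i, (ts, rel, proto) in enumerate(_decode(capture))]
    return [f for f in frames if keep(f.time_relative, f.proto)]

def numbers(frames: List[Frame]) -> List[int]:
    """Frame numbers as tshark would print them in the first column."""
    return [f.number for f in frames]

def first_second(rel: float, proto: str) -> bool:   # frame.time_relative <= 1
    return rel <= 1

def smpp_only(rel: float, proto: str) -> bool:      # e.g. a protocol filter
    return proto == "smpp"
```

For the time-window filter both modes keep the same packets, so the numbering happens to agree; the protocol filter shows the difference (1, 2, 3 versus 2, 4, 6).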

Tx, Hadriel! Everything has become clear now!

(14 Jul '15, 00:51) rusyarr
question asked: 10 Jul '15, 22:44

question was seen: 1,869 times

last updated: 14 Jul '15, 00:51