Hi all, I have a PCAP containing a message with fields of type UTC timestamp (7 bytes in length, YYYYDDMMHHMMSS format). When Wireshark dissects this message it properly displays the timestamp, e.g. 19991212121212, whereas when dissected using tshark (used to export to CSV files) it displays like "Jun 20, 107456758 10:19:19.1386439036 IST". I am not sure what the reason behind this is. I also observed that if I use tshark to just dissect (without using options to export to CSV files) then the format looks fine. I went through the man page for tshark and found that there is an option "-t" to specify the timestamp format in the summary lines; I tried all the options but still observed the same. Can anyone please let me know if I am missing something? I basically want both the Wireshark GUI and tshark (used to export to CSV files) to display the same time format (UTC, 7 bytes in length, YYYYDDMMHHMMSS). The tshark command used to export fields to CSV files is as below.

/usr/bin/tshark -T fields -E separator=, -E header=y -E aggregator=~ -E quote=d -e <list of fields> -n -r <filename> > /tmp/details.csv

Thank you
Kiran Kumar G

asked 03 Feb '16, 11:03 Kiran Kumar G
One Answer:
You can't simply cast You'll have to create a variable of type Even having done that, I'm not sure that tshark will print the time formatted as you want, report back what happens. answered 30 Mar '16, 08:11 grahamb ♦ |
Can you share a Pcap (Google Drive, Dropbox etc.) containing the frame with the data in question?
Hi Graham
Sorry for the delay in reply.
The message to be dissected and having the issue is dissected using my custom plugin. If I share the pcap file, will you be able to dissect it? Can you please let me know if there is any other info I can share with you for analysis (picture, dissection snapshot etc.)?
Regards Kiran Kumar G
Without the plugin as well we won't be able to see the results of the dissection.
As it's a custom plugin, can you share the code, or if not, the fragment that reads the data from the field and adds it to the dissection results.
Hi Graham
I am providing the requirement with the code snippet used to get this done. Also, I am providing the output and the issue observed.

Requirement: Need to export the dissected output of a message into a CSV file (all fields of a message).

Problem Statement: Some of the fields of these messages are 7-byte UTC timestamps (7 bytes in length, YYYYDDMMHHMMSS format). When Wireshark dissects this message it properly displays the timestamp, e.g. 19991212121212, whereas when dissected using tshark (used to export to CSV files) it displays like "Jun 20, 107456758 10:19:19.1386439036 IST".
Code snippet: Following is the code which is used to extract the 7 bytes and display in UTC time format.
```c
#include <epan/packet.h>   /* tvbuff_t, tvb_get_ntohs(), tvb_get_guint8() */

/* Decoded form of the 7-byte field: 2-byte year followed by five 1-byte values. */
struct utc_time {
    guint16 year;
    guint8  month;
    guint8  day;
    guint8  hour;
    guint8  minute;
    guint8  seconds;
};

/* Read the 7 bytes at 'offset' from the tvb into *utc_time.
 * Both parameters are pointers (the '*' was lost in the post as pasted). */
void gd_dissect_UTC_time_data(tvbuff_t *tvb, int offset, struct utc_time *utc_time)
{
    utc_time->year    = tvb_get_ntohs(tvb, offset);        /* big-endian 16-bit year */
    utc_time->month   = tvb_get_guint8(tvb, offset + 2);
    utc_time->day     = tvb_get_guint8(tvb, offset + 3);
    utc_time->hour    = tvb_get_guint8(tvb, offset + 4);
    utc_time->minute  = tvb_get_guint8(tvb, offset + 5);
    utc_time->seconds = tvb_get_guint8(tvb, offset + 6);
}
```
```c
/* Call site in the message dissector (the call is to the gd_ function defined above;
 * the posted snippet dropped the prefix). The value argument is a struct utc_time
 * reinterpreted as nstime_t through a pointer cast: the GUI shows the format string,
 * but tshark -T fields prints the nstime_t value, which here is not a real time. */
gd_dissect_UTC_time_data(tvb, tvb_offset, &utc_time_data);
proto_tree_add_time_format_value(gd_msg_tree,
    temp_icd_proto_info_ptr->proto_hf_ptr[temp_msg_field_details_ptr->field_hf_ref_index].p_id,
    tvb, tvb_offset, temp_field_size,
    (nstime_t *) &utc_time_data,
    "%d%02d%02d%02d%02d%02d",
    utc_time_data.year, utc_time_data.month, utc_time_data.day,
    utc_time_data.hour, utc_time_data.minute, utc_time_data.seconds);
```
Output:

Displayed on the Wireshark GUI: 1999121212121212 (YYYYDDMMHHMMSS)

Displayed when exported to CSV using the tshark command: Feb 2, 590961086 22:29:56.1250822016 IST

It should have displayed like 1999121212121212, right?
Please let me know if any more information is required.
Thank you. Kiran Kumar G
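The comment above passes the decoded struct to proto_tree_add_time_format_value through a pointer cast, so the nstime_t that tshark -T fields prints is just the struct's bytes reinterpreted as seconds and nanoseconds. The following is an added, stand-alone example (not code from the question or from Wireshark) showing how the same 7 bytes can instead be converted into a genuine seconds-since-epoch value, which is what an nstime_t carries, alongside the YYYYMMDDHHMMSS string the GUI currently shows. It uses the byte order the posted decoder reads (year, month, day, hour, minute, second), a locally defined demo_nstime_t in place of Wireshark's nstime_t so it compiles without the Wireshark headers, and a constructed sample field for 1999-12-12 12:12:12 UTC; the range check on the decoded fields is an addition of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Local stand-in for Wireshark's nstime_t (epan/nstime.h declares it as
 * { time_t secs; int nsecs; }); defined here so the example builds
 * without the Wireshark headers. */
typedef struct {
    time_t secs;
    int nsecs;
} demo_nstime_t;

/* Same layout the posted decoder reads: 2-byte big-endian year followed by
 * month, day, hour, minute and second as single bytes (7 bytes on the wire). */
struct utc_time {
    uint16_t year;
    uint8_t month, day, hour, minute, seconds;
};

/* Decode the 7 raw bytes (mirrors the tvb_get_ntohs/tvb_get_guint8 calls) and
 * reject values that cannot be a calendar time, so a malformed field never
 * reaches the time conversion. Returns 0 on success, -1 otherwise. */
static int decode_utc_time(const uint8_t *buf, size_t len, struct utc_time *out)
{
    if (len < 7)
        return -1;
    out->year    = (uint16_t)((buf[0] << 8) | buf[1]);
    out->month   = buf[2];
    out->day     = buf[3];
    out->hour    = buf[4];
    out->minute  = buf[5];
    out->seconds = buf[6];
    if (out->month < 1 || out->month > 12 || out->day < 1 || out->day > 31 ||
        out->hour > 23 || out->minute > 59 || out->seconds > 60)
        return -1;
    return 0;
}

/* Days from 1970-01-01 to the given proleptic Gregorian date. Done with
 * arithmetic rather than timegm() so the result does not depend on the
 * host's C library or TZ setting (the field is UTC by definition). */
static int64_t days_from_civil(int y, unsigned m, unsigned d)
{
    y -= m <= 2;
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Fill an nstime value with the field's time as seconds since the Unix epoch.
 * This is the representation tshark -T fields prints for a time field, so the
 * plugin has to hand it a real nstime_t, not the utc_time struct behind a cast. */
static int utc_time_to_nstime(const struct utc_time *t, demo_nstime_t *ns)
{
    int64_t days = days_from_civil(t->year, t->month, t->day);
    int64_t secs = days * 86400 + t->hour * 3600 + t->minute * 60 + t->seconds;
    if (secs != (int64_t)(time_t)secs)   /* would not fit in this platform's time_t */
        return -1;
    ns->secs  = (time_t)secs;
    ns->nsecs = 0;
    return 0;
}

/* The string the GUI shows today, using the same format as the posted call. */
static int format_utc_time(const struct utc_time *t, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%u%02u%02u%02u%02u%02u",
                     (unsigned)t->year, (unsigned)t->month, (unsigned)t->day,
                     (unsigned)t->hour, (unsigned)t->minute, (unsigned)t->seconds);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Constructed sample field: 0x07CF = 1999, then 12 12 12 12 12,
 * i.e. 1999-12-12 12:12:12 UTC (the example value from the question). */
static const uint8_t sample_field[7] = { 0x07, 0xCF, 12, 12, 12, 12, 12 };

int main(void)
{
    struct utc_time t;
    demo_nstime_t ns;
    char text[32];

    if (decode_utc_time(sample_field, sizeof sample_field, &t) != 0 ||
        utc_time_to_nstime(&t, &ns) != 0 ||
        format_utc_time(&t, text, sizeof text) != 0) {
        fputs("malformed timestamp field\n", stderr);
        return 1;
    }
    printf("GUI style : %s\n", text);
    printf("nstime    : secs=%lld nsecs=%d\n", (long long)ns.secs, ns.nsecs);
    return 0;
}
```

In the plugin, the nstime_t built this way is what would go in the value argument of proto_tree_add_time_format_value (the slot that currently holds the cast), with the format string kept for the GUI text; the exported CSV then contains the real time, rendered in tshark's absolute-time display, rather than the struct's bytes.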