how to include frame time in tshark when -O is used

Question

What option can I use to add frame time into following output?

[email protected]:~# tshark -ni bond0 -O tcp
Capturing on 'bond0'
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: f0:1c:2d:43:ee:27 (f0:1c:2d:43:ee:27), Dst: 5c:b9:01:8b:6f:3c (5c:b9:01:8b:6f:3c)
Internet Protocol Version 4, Src: 172.222.19.201 (172.222.19.201), Dst: 172.222.76.4 (172.222.76.4)
Transmission Control Protocol, Src Port: 8086 (8086), Dst Port: 54040 (54040), Seq: 1, Ack: 1, Len: 0
    Source port: 8086 (8086)
    Destination port: 54040 (54040)
    [Stream index: 0]

Answer 1

Try using -P. If your Wireshark columns include timestamps, they'll be displayed along with all the other columns. If you only want the frame time in the summary, then you'll have to explicitly specify the columns using the -o gui.column.format option, such as:

tshark -ni bond0 -O tcp -P -o gui.column.format:'"Time", "%t"'

... or on Windows:

tshark.exe -ni bond0 -O tcp -P -o gui.column.format:"\"Time\", \"%t\""

You can see the column formats by running, tshark -G column-formats. You can also see your existing Wireshark columns by looking in your preferences file for gui.column.format.

Answer 2

You cannot show frame time alone (because -T fields -e frame.time overrides the -O values), but you can use -O "tcp,frame" and get the whole frame pseudo-header.