This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get tshark to print Time column

0

I'm trying to use the following command:

tshark -n -i eth0 -T fields -e _ws.col.Time -e ip.src -e ip.dst ...

But the output does not display the Time. The ip.src column is moved over by a tab, compared to when _ws.col.Time is not specified. But the space is blank.

What gives?

Version: TShark 1.10.6 (v1.10.6 from master-1.10)

THX

asked 07 Apr '16, 14:42

mfox's gravatar image

mfox
6112
accept rate: 0%

One Answer:

0

It turns out that frame.time works. But _ws.col.Time does not -- at least for me.

answered 07 Apr '16, 22:35

mfox's gravatar image

mfox
6112
accept rate: 0%

Column names for use with -e used to be prefixed with col. but got changed to use _ws.col.. I'm not sure which version this occurred in, but if you check the output of tshark -h for the description of -e it will show col.Info or _ws.col.Info indicating which to use in that version.

(08 Apr '16, 06:15) grahamb ♦

The _ws. prefix was introduced starting with the 1.11.0 development release, which was announced on October 13, 2013. See the news article here: https://www.wireshark.org/news/20131015.html. The first stable release that introduced the _ws. prefix was 1.12.0, announced on July 31, 2014. Here's that news article: https://www.wireshark.org/news/20140731.html.

(08 Apr '16, 07:29) cmaynard ♦♦