This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to control frame.time format in tshark?

0

Hi, I have a pcap file which I have converted to a csv file with the tshark command and loaded into a table in a MySQL database.

tshark -r normal1.pcap -T fields -e frame.number -e frame.time -e frame.len -e ip.version -e ip.hdr_len -e ip.len -e ip.flags -e ip.dst -e ip.src -e ip.proto -e _ws.col.Protocol -e ip.ttl -e tcp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f > D:\distancce\captures\normal\normal1.csv

Everything works okay, but I have a problem with the frame.time field. It does not appear in the database; zeros appear instead, although the csv file does not contain zeros but a time format like this:

"May 12, 2016 10:49:12.648156000 Paris, Madrid (heure d'été)"

How can I get a time format in the database like the time format in the csv file?

Thanks in advance.

asked 12 May '16, 11:10

Khadidja Kha...

edited 24 May '16, 13:23

JeffMorriss ♦


One Answer:

1

Edit:

Withdrawing what I've posted as an Answer, as the correct Answer can be found here.

Put this way it is almost a "not a Wireshark question", and worse than that, it is not even a question which could be answered completely, because it lacks information about the date&time format used by the database.

As things stand right now, you cannot influence what format tshark will use to print the frame.time value, as the -t option only changes the format used to display the value of this field in packet summary headers. This is maybe worth filing a bug with severity level "enhancement".

So for the time being, you'll need to post-process the output of tshark to convert the timestamp format output by tshark to a format the database understands.

NB: even if the enhancement mentioned above were implemented, the current implementation of the -t option is a choice from several pre-defined formats. So if none of them matches the expectations of the database, which is quite likely to be true, you'd still need a post-process.

answered 12 May '16, 13:48

sindy

edited 13 May '16, 10:58

thanks :).

(19 May '16, 14:44) Khadidja Kha...
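
The post-processing step the answer describes, as an added example that is not part of the original thread: it rewrites the frame.time column of the tshark CSV into `YYYY-MM-DD HH:MM:SS.ffffff`. Assumptions: the target MySQL column is DATETIME(6) (the thread does not say which type is used), tshark prints English three-letter month names as in the sample above, and the trailing time zone text is dropped, so values remain capture-local time. The names `to_mysql_datetime` and `convert_csv` are made up for this example.

```python
import csv
import io
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# "Mon D, YYYY HH:MM:SS.fraction <zone text>"; the zone text is ignored.
FRAME_TIME = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}),\s+(\d{4})\s+"
                        r"(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?")

def to_mysql_datetime(text):
    """Return 'YYYY-MM-DD HH:MM:SS.ffffff', or None if text does not parse."""
    m = FRAME_TIME.match(text.strip())
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, year, hh, mm, ss, frac = m.groups()
    micro = int((frac or "0").ljust(9, "0")[:6])  # nanoseconds truncated to microseconds
    try:
        ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss), micro)
    except ValueError:  # impossible date or time, e.g. day 31 in a 30-day month
        return None
    return ts.strftime("%Y-%m-%d %H:%M:%S.%f")

def convert_csv(src, dst, column="frame.time"):
    """Copy CSV src to dst, rewriting `column`; return the number of rows left unconverted."""
    reader = csv.DictReader(src)
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    unconverted = 0
    for row in reader:
        converted = to_mysql_datetime(row.get(column) or "")
        if converted is None:
            unconverted += 1  # original text is kept so the row can be inspected
        else:
            row[column] = converted
        writer.writerow(row)
    return unconverted

# Constructed sample: the first timestamp is the one quoted in the question.
SAMPLE = '''frame.number,frame.time,frame.len
"1","May 12, 2016 10:49:12.648156000 Paris, Madrid (heure d'été)","60"
"2","May  2, 2016 09:05:01.000000500 Paris, Madrid (heure d'été)","74"
"3","","42"
'''

if __name__ == "__main__":
    out = io.StringIO()
    print(convert_csv(io.StringIO(SAMPLE), out), "row(s) not converted")
    print(out.getvalue(), end="")
```

A non-zero return value means some rows still hold text the database will not accept as a date, so check those rows before loading.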