This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark time format

1
1

Hi

I add a column using Edit -> Preferences -> Columns. The column that I want to add is the "Absolute date and time" column. with a title "AbsTime", but it doesn't work for me, I get this error :

tshark -r khadidja.pcap -T fields -e frame.number -e col.AbsTime

tshark: Some fields aren't valid: col.AbsTime

can you help me please :)

asked 13 May '16, 06:56

Khadidja%20Khadidja's gravatar image

Khadidja Kha...
415611
accept rate: 0%

One Answer:

0

As of Wireshark 1.12.0, released on July 31, 2014, all the column fields need to be prefixed with _ws., so you would need to use the following instead:

tshark -r khadidja.pcap -T fields -e frame.number -e _ws.col.AbsTime

answered 13 May '16, 07:54

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Thanks, it's work perfectly :)

(13 May '16, 08:00) Khadidja Kha...
1

As also shown in the tshark help output, although you do have to infer it from the comment:

-e <field>               field to print if -Tfields selected (e.g. tcp.port,  
                         _ws.col.Info)                                        
                         this option can be repeated to print multiple fields
(13 May '16, 08:32) grahamb ♦