This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Tshark, can I extract the frame.time field from a .pcap file in a format different from the format shown in Wireshark?

I have a .pcap file which displays time (i.e. Arrival Time (for Wireshark and frame.time field for Tshark) in the top/physical/Frame layer) in the Apr 3, 2015 16:58:46.461897000 PDT.

I want to get this time in ISO format, like 2007-09-01 04:10:58.

Please note that I am not going to take a capture. I already have a capture file. I want to use Tshark to extract the field frame.time (which corresponds to Arrival Time in the top network layer in Wireshark) in a format like 2007-09-01 04:10:58, rather than a format like Apr 3, 2015 16:58:46.461897000 PDT.

Can I do that? How?

timestamp frame.time frame.time.delta tshark wireshark

asked 28 Sep '16, 23:59

Jesss
51●14●17●20
accept rate: 0%

Does this answer lack some information?

(29 Sep '16, 01:48) sindy

@sindy Yes, that solution involves adding an extra column and then taking the capture again. I can't take the capture again. I already have the captured data in the form of a .pcap file. Using Tshark, I have to read it and output the time in ISO format. (something like tshark -r myFile.pcap -T field -e frame.time > output.csv)

(29 Sep '16, 02:03) Jesss

The capture is not taken again. The Wireshark gui is used to add a column to the preferences which is then available for use by tshark.

If you're not specifying individual fields you can use -t ad or -t ud as shown in the tshark man page.

(29 Sep '16, 02:45) grahamb ♦

Running tshark with -r existing_capture_file_name instead of -i interface_name makes tshark read the existing file instead of taking a live capture and process it, according to the rest of the command line parameters, the same way as if it was a live capture.

(29 Sep '16, 07:49) sindy