Do you have an example of a text file for importing that has timestamps in the text file? I have tried the following with the %S format for Date/Time but the timestamp for all frames is displayed as 0.000000 in Wireshark.
asked 15 Sep '11, 08:40 kevinj edited 15 Sep '11, 14:56 SYN-bit ♦♦
3 Answers:
You can add date and time (but I don't know how to add microseconds). Run:

    $ text2pcap -t "%Y-%m-%d %H:%M:%S" dump dump.pcap
    Input from: dump
    Output to: dump.pcap
    Wrote packet of 64 bytes at 0
    Wrote packet of 64 bytes at 64
    Wrote packet of 63 bytes at 128
    Read 3 potential packets, wrote 3 packets

answered 15 Sep '11, 12:06 joke
Import time format is determined by strftime(3), see also man text2pcap and User's Guide. Trick is to add a dot after the %S (or %T for that matter) specifier.
answered 16 Sep '11, 00:56 Jaap ♦
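A sample import file of the kind the question asks for, as an added example that is not part of the original thread: the script writes each timestamp, with a six-digit fraction, as the text before a packet's `od -Ax -tx1` style dump, and passes text2pcap a `-t` format ending in the dot described above. The file names `dump.txt` and `dump.pcap`, the helper names, and the frames are constructed for illustration; placing the timestamp on its own line directly before offset 000000 is an assumption about layout.

```python
import shutil
import subprocess
from datetime import datetime

# Format for text2pcap -t. The "." after %S is the sub-second delimiter;
# the digits that follow it in the file are read as fractions of a second.
TIME_FMT = "%Y-%m-%d %H:%M:%S."

def hexdump(data):
    """Render bytes in the `od -Ax -tx1` layout that text2pcap reads."""
    lines = [
        f"{off:06x} " + " ".join(f"{b:02x}" for b in data[off:off + 16])
        for off in range(0, len(data), 16)
    ]
    lines.append(f"{len(data):06x}")  # closing offset line, as od prints it
    return "\n".join(lines)

def render(packets):
    """Build the import file from (datetime, bytes) pairs."""
    out = []
    for ts, data in packets:
        # Zero-pad to six digits: 500 microseconds must read .000500, not .500.
        out.append(ts.strftime(TIME_FMT) + f"{ts.microsecond:06d}")
        out.append(hexdump(data))
    return "\n".join(out) + "\n"

def convert(txt_path, pcap_path):
    """Run text2pcap if installed; return its exit code, or None if absent."""
    if shutil.which("text2pcap") is None:
        return None
    cmd = ["text2pcap", "-t", TIME_FMT, txt_path, pcap_path]
    return subprocess.run(cmd).returncode

# Constructed sample frames (not real traffic): Ethernet header plus padding.
FRAME = bytes.fromhex("ffffffffffff0200000000010800") + bytes(6)
SAMPLE = [
    (datetime(2011, 9, 15, 8, 40, 0, 250000), FRAME),
    (datetime(2011, 9, 15, 8, 40, 1, 500), FRAME),
]

if __name__ == "__main__":
    with open("dump.txt", "w") as fh:
        fh.write(render(SAMPLE))
    print(render(SAMPLE), end="")
    print("text2pcap exit code:", convert("dump.txt", "dump.pcap"))
```
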
If you mean using text2pcap to import text files with timestamp information, then this is not yet supported, although this was filed as bug 1636 several years ago.
answered 15 Sep '11, 10:47 cmaynard ♦♦

Based on the other answers, the bug you mentioned is no longer an issue (and should be closed).
(16 Sep '11, 05:50) bstn

The bug was filed because text2pcap does not properly handle/parse capture files exported to text with packet summary and/or details information included. As far as I'm aware, this is still the case.
(16 Sep '11, 07:06) cmaynard ♦♦

Ok. However, it's evident (from @joke's answer) that text2pcap does support importing text files with timestamp information.
(16 Sep '11, 07:17) bstn

@bstn: the bug concerned is about writing out packet info from Wireshark into a text file, and later trying to import that. The Wireshark output does not adhere to od -Ax -tx1 layout, for which text2pcap was made. The bug report should be an enhancement request.
(16 Sep '11, 07:36) Jaap ♦

In my view, it's not an enhancement request because I feel that Wireshark's own tools should be able to inter-operate with each other. If Wireshark is able to export a pcap file to text, then Wireshark's text2pcap tool ought to be able to convert it back to exactly the same pcap file as the original. But if you feel strongly that it should be an enhancement, then feel free to change it.
(16 Sep '11, 07:45) cmaynard ♦♦

Enhancement or bug depends on the design goals. The manual page clearly states that text2pcap is intended to eat up octal dumps and spit out packet captures. It has some fancy stuff, like email comment marker digestion, #text2pcap inline directives and such. If it wouldn't do all this that would be a bug. If we think the tool should be able to do more/something else then there's an addition/change in design goals. That's an enhancement. Personally I don't care what this is called either way. As long as the tool does what people need it to do.
(17 Sep '11, 02:58) Jaap ♦

For what it's worth, I have reclassified bug 1636 as an enhancement.
(23 Sep '11, 13:34) cmaynard ♦♦
Or go to Wireshark directly.
Menu File|Import, select file name, check Date/Time and enter format string "%F %T" (which is equivalent to %Y-%m-%d %H:%M:%S). Click OK and you're done.