Wireshark-bugs: [Wireshark-bugs] [Bug 9747] New: Timestamps not preserved in tshark output file
Date: Tue, 11 Feb 2014 17:27:35 +0000
Bug ID 9747
Summary Timestamps not preserved in tshark output file
Classification Unclassified
Product Wireshark
Version 1.10.5
Hardware x86
OS Mac OS X 10.8
Status UNCONFIRMED
Severity Normal
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter walkerjunk56@yahoo.com

Created attachment 12551 [details]
zip file containing 3 pcaps as described in the bug description

Build Information:
TShark 1.10.5 (SVNRev 54262 from /trunk-1.10)

Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.36.0, with libpcap, with libz 1.2.3, without
POSIX
capabilities, without libnl, with SMI 0.4.8, without c-ares, without ADNS, with
Lua 5.1, without Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT
Kerberos, with GeoIP.

Running on Mac OS X 10.8.5, build 12F45 (Darwin 12.5.0), with locale
en_US.UTF-8, with libpcap version 1.1.1, with libz 1.2.5.
      Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).
--
Timestamps are missing from a pcap created with tshark with the -w option.

I'm using tshark to extract specific TCP streams and write that to an output
pcap file using the -w option.

But, the frames in the output pcap do not have any timestamps or delta times
(they're all zero while in the original pcap there are timestamps and delta
times for the frames).

I'm attaching a zip file with 3 pcaps:
* flows-with-timestamps.pcap  (original pcap with timestamps)
* tcp-0-wireshark.pcap        (flow 0 exported via wireshark, has timestamps)
* tcp-0-tshark.pcap           (flow 0 exported via tshark, timestamps missing)

Here's the tshark command that I used:
tshark -r flows-with-timestamps.pcap -2 -R "tcp.stream==0" -w tcp-0-tshark.pcap


You are receiving this mail because:
  • You are watching all bug changes.