On 12 nov 2010, at 18:08, Stephen Fisher wrote:
> On Fri, Nov 12, 2010 at 03:03:17PM +0100, Sake Blok wrote:
>
>> I would expect '-A "2010-11-08 20:00:00" -B "2010-11-09 00:00:00"' to
>> mean: All packets with a timestamp starting at "2010-11-08 20:00:00"
>> and *before* "2010-11-09 00:00:00".
>>
>> Does anyone object to me changing (correcting) the current behavior of
>> "-B" to what I would have expected?
>
> This matches what the help output (editcap -h) explains on the right
> side, although the term "stop time" is ambigious:
>
> -A <start time> don't output packets whose timestamp is before the
> given time (format as YYYY-MM-DD hh:mm:ss).
> -B <stop time> don't output packets whose timestamp is after the
> given time (format as YYYY-MM-DD hh:mm:ss).
>
> Thinking of it as letting Wireshark run while you're watching the time,
> when you see it reach the stop time, then you would stop the capture
> part way through that section, depending on your reaction time. So
> correcting it as you describe sounds fine to me, just make sure to
> update the help text.
"fixed" in SVN 34913
New editcap -h:
-A <start time> only output packets whose timestamp is after (or equal
to) the given time (format as YYYY-MM-DD hh:mm:ss).
-B <stop time> only output packets whose timestamp is before the
given time (format as YYYY-MM-DD hh:mm:ss).
Cheers,
Sake
