Wireshark-users: Re: [Wireshark-users] Getting duration when using tshark -z conv
Hi Jim,
Is this what you are looking for?
You can use -o column.format for various time formats:
tshark -o 'column.format:"No.", "%m", "Time", "%Yt", "Time", "%Tt", "Time", "%Rt", "Protocol", "%p", "Length", "%L"' \
    -z conv,tcp -r test.cap > test2.txt
Output:
1 2008-09-12 20:48:14.296642 0.000000 0.000000 ARP 42
2 2008-09-12 20:48:14.296912 0.000270 0.000270 ARP 60
<snip>
13 2008-09-12 20:48:14.349701 0.000035 0.053059 TCP 54
14 2008-09-12 20:48:17.116150 2.766449 2.819508 TCP 54
================================================================================
TCP Conversations
Filter:<No Filter>
                                          |       <-      | |       ->      | |     Total     |
                                          | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.44:1286 <-> 209.85.129.99:80          5    3151         5     705        10    3856
================================================================================
For time formats take a look at:
http://anonsvn.wireshark.org/wireshark/trunk/epan/column.c
"%Yt", /* 1) COL_ABS_DATE_TIME */
"%At", /* 2) COL_ABS_TIME */
"%Tt", /* 11) COL_DELTA_TIME */
"%dct", /* 12) COL_DELTA_CONV_TIME */
"%Gt", /* 13) COL_DELTA_TIME_DIS */
"%Rt", /* 49) COL_REL_TIME */
"%rct", /* 50) COL_REL_CONV_TIME */
"%t", /* 58) COL_CLS_TIME */
To print other columns:
tshark -o 'column.format:"No.", "%m", "Time", "%Yt", "Time", "%Tt", "Time", "%Rt", "Source", "%s", "Destination", "%d", "Protocol", "%p", "Info", "%i", "Length", "%L"' \
    -z conv,tcp -r test.cap > test.txt
You can use capinfos for a summary:
$ capinfos -aeu test.cap
File name: test.cap
Capture duration: 2.819508 seconds
Start time: Fri Sep 12 20:48:14 2008
End time: Fri Sep 12 20:48:17 2008
HTH
Joan
On 12 Sep 2008 James Talbut wrote:
> I'm processing gigabyte packet captures and it takes about 6 hours to
> generate the conversation table in wireshark or about one hour using tshark.
> But the tshark table doesn't include the time columns.
> Is there any configuration for changing this?
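The column.format trick above prints per-frame times next to the conversation table, but it still does not give a start, end and duration per TCP conversation, which is what the original question asked for. The script below is an added example (not code from the mailing-list post or from the Wireshark project) that computes exactly that from per-frame output. It assumes the frames were exported with tshark's fields output, e.g. `tshark -r test.cap -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport tcp > tcp_frames.txt` (this invocation is an assumption, not one given in the post); the tab-separated sample embedded in the script is constructed to resemble the capture shown above and is not real capture data.

```python
"""Per-TCP-conversation start, end and duration from tshark -T fields output.

Added example, not from the mailing-list post.  Assumed input format: one
tab-separated line per frame with the fields
    frame.time_relative  ip.src  tcp.srcport  ip.dst  tcp.dstport
as produced by an (assumed) invocation such as
    tshark -r test.cap -T fields -e frame.time_relative -e ip.src \
           -e tcp.srcport -e ip.dst -e tcp.dstport tcp > tcp_frames.txt
"""
from dataclasses import dataclass

# Constructed sample, modelled on the capture in the post (not real data):
# one ARP-style line with empty IP/TCP fields, one HTTP conversation of ten
# frames spanning ~2.77 s, and a second short conversation to show grouping.
SAMPLE = """\
0.000000\t\t\t\t
0.053024\t192.168.1.44\t1286\t209.85.129.99\t80
0.053059\t209.85.129.99\t80\t192.168.1.44\t1286
0.053094\t192.168.1.44\t1286\t209.85.129.99\t80
0.054210\t192.168.1.44\t1286\t209.85.129.99\t80
0.120331\t209.85.129.99\t80\t192.168.1.44\t1286
0.120402\t209.85.129.99\t80\t192.168.1.44\t1286
0.120455\t192.168.1.44\t1286\t209.85.129.99\t80
1.500000\t192.168.1.44\t1287\t209.85.129.104\t80
1.531000\t209.85.129.104\t80\t192.168.1.44\t1287
2.819400\t209.85.129.99\t80\t192.168.1.44\t1286
2.819450\t192.168.1.44\t1286\t209.85.129.99\t80
2.819508\t209.85.129.99\t80\t192.168.1.44\t1286
"""


@dataclass
class Conversation:
    a: tuple          # (ip, port) of the endpoint that sent the first frame
    b: tuple          # the other endpoint
    start: float      # relative time of the first frame seen
    end: float        # relative time of the last frame seen
    frames_ab: int = 0
    frames_ba: int = 0

    @property
    def duration(self) -> float:
        return round(self.end - self.start, 6)

    @property
    def frames(self) -> int:
        return self.frames_ab + self.frames_ba


def parse_line(line: str):
    """Return (time, src, dst) for a TCP frame, or None for a non-TCP frame."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5 or not all(fields[1:]):
        return None                      # ARP etc.: IP/TCP fields are empty
    if any("," in f for f in fields):
        return None                      # ICMP error carrying an embedded TCP
                                         # header yields "80,1286"-style values
    t, sip, sport, dip, dport = fields
    return float(t), (sip, int(sport)), (dip, int(dport))


def conversations(text: str):
    """Group frames by unordered endpoint pair; return conversations by start time."""
    convs = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, dst = parsed
        key = frozenset((src, dst))      # same key for both directions
        c = convs.get(key)
        if c is None:
            c = convs[key] = Conversation(a=src, b=dst, start=t, end=t)
        c.start = min(c.start, t)
        c.end = max(c.end, t)
        if src == c.a:
            c.frames_ab += 1
        else:
            c.frames_ba += 1
    return sorted(convs.values(), key=lambda c: c.start)


def format_table(convs) -> str:
    """Render a table in the spirit of tshark -z conv,tcp, plus time columns."""
    rows = ["%-40s %6s %6s %6s %10s %10s %10s"
            % ("Conversation", "A->B", "B->A", "Total", "Start", "End", "Duration")]
    for c in convs:
        name = "%s:%d <-> %s:%d" % (c.a + c.b)
        rows.append("%-40s %6d %6d %6d %10.6f %10.6f %10.6f"
                    % (name, c.frames_ab, c.frames_ba, c.frames,
                       c.start, c.end, c.duration))
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(format_table(conversations(data)))
```

Run it with no argument to see the constructed sample, or pass the path of a file written by the assumed tshark command. Keying each conversation on a frozenset of the two endpoints is what makes both directions land in the same row, the same way the conv,tcp table counts `<-` and `->` separately but reports one Total.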