Wireshark-users: Re: [Wireshark-users] Question about frame.time_delta_displayed filter
Frank Pall wrote on Thu, 5 Feb 2009 03:27:35 -0800 (PST):
> I am analyzing a huge amount of packets, and I am interested in the usage of the frame.time_delta_displayed filter,
> but I am honestly not understanding what's happening...
There's a clue in the name. The field frame.time_delta_displayed depends on the previous frame that's displayed, which depends on the display filter. So it's not useful in a display filter because it changes its own data. It is useful in coloring rules and in menu Edit > Find Packet > by Display Filter.
Use frame.time_delta instead. That's the difference from the previous frame in the capture file.
> 2) I set the first sample as time reference
That's not relevant with frame.time_delta.
> PS: Just an additional off-topic question: is there some tool capable of building charts on captured packets?
Try Wireshark. Spend some time exploring the Statistics menu, see if anything there does what you want. If not, you could export to a spreadsheet. Wireshark and Tshark have several export options. I find Tshark -Tfields -ewhatever_field_you_want very useful:
"C:\Program Files\Wireshark\tshark" -rfilename.pcap -Tfields -eframe.number -eframe.time_delta -eip.src -ewhatever...>filename.txt
(That's on Windows, with typical installation.)
There are many other tools that might be useful. The libpcap file format is very popular. Try a search like "libpcap tools".
Julian.
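
The difference between the two fields discussed in the reply above, as an added example that is not part of the original message and is not Wireshark's code. It is a simplified model: the frame list, the millisecond timestamps, the function names and the assumption that the first frame in a set has a delta of 0 are all constructed for illustration.

```python
# Constructed capture: (frame number, timestamp in ms, source address).
FRAMES = [
    (1, 0, "10.0.0.1"),
    (2, 10, "10.0.0.2"),
    (3, 500, "10.0.0.1"),
    (4, 505, "10.0.0.2"),
    (5, 2000, "10.0.0.1"),
]


def time_delta(frames):
    """Model of frame.time_delta: gap to the previous frame in the file."""
    deltas, prev = {}, None
    for num, ts, _src in frames:
        # Assumption: the first frame has no predecessor, so its delta is 0.
        deltas[num] = 0 if prev is None else ts - prev
        prev = ts
    return deltas


def time_delta_displayed(frames, displayed):
    """Model of frame.time_delta_displayed: gap to the previous frame that
    passed the display filter (`displayed` is a set of frame numbers)."""
    return time_delta([f for f in frames if f[0] in displayed])


def filter_on_displayed_delta(frames, threshold_ms):
    """Filter on 'delta_displayed > threshold' starting from all frames
    shown, then recompute the field for the frames that remain."""
    everything = {f[0] for f in frames}
    before = time_delta_displayed(frames, everything)
    kept = {n for n, d in before.items() if d > threshold_ms}
    after = time_delta_displayed(frames, kept)
    return before, kept, after


if __name__ == "__main__":
    print("time_delta:", time_delta(FRAMES))
    from_a = {n for n, _ts, src in FRAMES if src == "10.0.0.1"}
    print("delta_displayed for 10.0.0.1 only:",
          time_delta_displayed(FRAMES, from_a))
    before, kept, after = filter_on_displayed_delta(FRAMES, 100)
    for n in sorted(kept):
        print(f"frame {n}: matched with {before[n]} ms, now shows {after[n]} ms")
```

In this model frame 3 is selected because its gap was 490 ms, but once the filter hides frames 1 and 2 it becomes the first displayed frame and its displayed delta is 0, so the value it was selected on no longer holds.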