Wireshark-users: Re: [Wireshark-users] filtering in non-GUI mode
From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Tue, 21 Jul 2009 20:04:07 +0900
Hi,

Sorry, I found the following options in editcap:

-A  <start time>
           Saves only the packets whose timestamp is on or after start time.  The time is given in the following format YYYY-MM-DD HH:MM:SS

-B  <stop time>
           Saves only the packets whose timestamp is on or before stop time.  The time is given in the following format YYYY-MM-DD HH:MM:SS

But is the format YYYY-MM-DD HH:MM:SS compared to the corrected datetime on the machine I am running editcap? I mean, tcpdump corrects readable (non-epoch) timestamps according to timezone. Should I compare to these corrected values? Or to the UTC values?

Thank you,
Andrej