Hi Andrej,

The timestamps in the capture file.

You can run capinfos to display the statistics:
http://www.wireshark.org/docs/man-pages/capinfos.html

$ capinfos -ae test.pcap
File name: test.pcap
Start time: Fri Apr 03 06:16:26 2009
End time: Fri Apr 03 06:17:50 2009

$ editcap test.pcap test_editcap.pcap -A "2009-04-03 06:16:50" -B "2009-04-03 06:17:10"
(you have to use quotes)

$ capinfos -ae test_editcap.pcap
File name: test_editcap.pcap
Start time: Fri Apr 03 06:16:50 2009
End time: Fri Apr 03 06:17:10 2009

HTH
Joan

On Tue, 21 Jul 2009 20:04:07 +0900 Andrej van der Zee wrote:
>
>Hi,
>
>Sorry, I found the following options in editcap:
>
>-A <start time>
> Saves only the packets whose timestamp is on or after start time.
> The time is given in the following format YYYY-MM-DD HH:MM:SS
>
>-B <stop time>
> Saves only the packets whose timestamp is on or before stop time.
> The time is given in the following format YYYY-MM-DD HH:MM:SS
>
>But is the format YYYY-MM-DD HH:MM:SS compared to the corrected datetime
>on the machine I am running editcap? I mean, tcpdump corrects readable
>(non-epoch) timestamps according to timezone. Should I compare to these
>corrected values? Or to the UTC values?
>
>Thank you,
>Andrej
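
An added example, not part of the original thread and not Wireshark code: a pcap record stores its timestamp as epoch seconds, so a "YYYY-MM-DD HH:MM:SS" bound only selects the intended packets when it is read in the same zone as the displayed times. The sketch assumes the bounds are wall-clock time on the machine doing the trimming; the +09:00 zone, the helper names and the sample capture are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"            # the format given for -A / -B
JST = timezone(timedelta(hours=9))   # assumed capture-host zone (constructed)

def to_epoch(text, tz):
    """Read a wall-clock string as time in zone tz; return epoch seconds."""
    return datetime.strptime(text, FMT).replace(tzinfo=tz).timestamp()

def records(pcap):
    """Yield (epoch, raw_record) from a little-endian microsecond pcap."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap variant")
    off = 24                          # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        end = off + 16 + caplen
        if end > len(pcap):
            return                    # truncated last record: ignore it
        yield sec + usec / 1e6, pcap[off:end]
        off = end

def trim(pcap, start, stop, tz):
    """Keep packets with start <= timestamp <= stop (both inclusive)."""
    lo, hi = to_epoch(start, tz), to_epoch(stop, tz)
    kept = [raw for ts, raw in records(pcap) if lo <= ts <= hi]
    return pcap[:24] + b"".join(kept)

def sample_pcap():
    """Constructed capture: 8 dummy packets, 12 s apart, from 06:16:26 JST."""
    first = int(to_epoch("2009-04-03 06:16:26", JST))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(8):
        out += struct.pack("<IIII", first + 12 * i, 0, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    cap = sample_pcap()
    # Same bound strings, read as local (JST) time and then as UTC.
    for tz in (JST, timezone.utc):
        out = trim(cap, "2009-04-03 06:16:50", "2009-04-03 06:17:10", tz)
        shown = [datetime.fromtimestamp(ts, JST).strftime(FMT) for ts, _ in records(out)]
        print(tz, shown)
```

Reading the same two strings as UTC moves the window nine hours away from the capture and leaves only the file header.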