[Guy Harris <gharris@xxxxxxxxx>]

On Wed, May 01, 2002 at 05:03:44PM +0930, Max Kristiansson wrote:
> Is it possible to export the time vector to be able to calculate the jitter
> of the packets captured with Ethereal?

Well, if *all* you want to look at is the time stamp of each packet -
i.e., not look at the packet data *at all* - it'd probably be easy to
write a program using libpcap to read an Ethereal capture file (as its
native capture format is libpcap format).

Note that the program could probably be written in Perl, using
Net::Pcap:

	http://search.cpan.org/search?module=Net::Pcap

or perhaps using similar packages for other scripting languages (Perl,
Ruby, etc.).

However, if you want to do more than that, e.g. only look at the time
stamps of some packets, it's a bit more work.

If the packets can be selected by a libpcap filter (the sort of filter
used for capturing in Ethereal), and you don't need to look at the
packet data except to check whether it's the right type of packet, you
could have the program in question specify a filter to libpcap.

If, however, they could only be selected by an Ethereal display filter,
you'd want to use tethereal to read the capture file and then write out
selected packets to a file, e.g. with

	tethereal -r {input file} -w {output file} -R {display filter}

and then run the program on the output file.

If, however, you'd need to look at the *contents* of the packets, you
could do that in the program - but you don't get the results of the work
Ethereal or Tethereal did analyzing the contents of the packets.

You could perhaps run

	tethereal -V -r {input file}

and parse the text output of that file, which would let you get the time
stamps and the results of Tethereal's analysis of the packets.