Ed Flecko wrote:
> I see from the newsgroup that it's possible for me to filter the
> displayed packets within a time range by doing something like:
>
> frame.time >= "Aug 1, 2001 00:52:34" && frame.time <= "Aug 1, 2001
> 00:55:34"
>
> My question is: can I filter and then display the captured packets by
> using only a time range and not a date range? For example, I have a
> capture that spans several days but I want to only see the packets
> captured between 4:00-8:00 am. on all days of the capture. Is this
> possible? Is there a wildcard character that I can use in ethereal in
> place of the actual date.
No. The date and time are internally represented as seconds and
nanoseconds since January 1, 1970, 00:00:00 GMT, and we only support
comparisons on the entire value.
> Or, in a worse case scenario, can I do something like:
>
> frame.time >= "Aug 1, 2001 00:52:34" && frame.time <= "Aug 1, 2001
> 00:55:34" && frame.time >= "Aug 1, 2001 00:57:34" && frame.time <=
> "Aug 1, 2001 00:59:34" ???
>
> I tried something very similar to this, and it didn't seem to work. It
> didn't produce an error message, it just didn't work.
It probably *did* work. The filter you give would show you every packet
that arrived at or after August 1, 2001, 00:52:34 but also arrived before
or at August 1, 2001, 00:55:34 and also arrived at or after August 1,
2001, 00:57:34.
How many packets can arrive before or at 00:55:34 on a given day and also
arrive at or after 00:57:34 on the same day (in the same reference
frame...)? :-)
Try, instead:
(frame.time >= "Aug 1, 2001 00:52:34" && frame.time <= "Aug 1, 2001
00:55:34") ||
(frame.time >= "Aug 1, 2001 00:57:34" && frame.time <= "Aug 1, 2001
00:59:34")
I.e., packets that arrive in the first range *OR* that arrive in the
second range, not that arrive in the first range *AND* arrive in the
second range (which, if the two ranges don't overlap, means "no packets").