Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 10220] New: add ISO 8601 date format option to tshark -T fields (FT_ABSOLUTE_T

Wireshark-bugs: [Wireshark-bugs] [Bug 10220] New: add ISO 8601 date format option to tshark -T f

Date: Mon, 23 Jun 2014 16:33:57 +0000

Bug ID	10220
Summary	add ISO 8601 date format option to tshark -T fields (FT_ABSOLUTE_TIME type fields)
Classification	Unclassified
Product	Wireshark
Version	1.12.0
Hardware	All
OS	All
Status	UNCONFIRMED
Severity	Enhancement
Priority	Low
Component	TShark
Assignee	[email protected]
Reporter	[email protected]

Build Information:
TShark 1.12.0-rc2 (v1.12.0-rc2-0-gfd017ee from master-1.12)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with
SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python, with GnuTLS 3.1.22,
with Gcrypt 1.6.0, without Kerberos, with GeoIP.

Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
      Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz, with 8133MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219
--
At present, tshark doesn't have the ability to format -T fields data items of
type FT_ABSOLUTE_TIME, such as "-T fields -e frame.time" in ISO 8601 format
(http://en.wikipedia.org/wiki/ISO_8601), without first manually creating a
custom column in the Wireshark user interface. Creating a custom column in
Wireshark is not practical when using a headless environment or when the user
needs to get many different FT_ABSOLUTE_TIME fields from tshark.

I recommend either making ISO 8601 the default format for tshark
FT_ABSOLUTE_TIME fields, or adding a -E option such as "-E dateformat=iso8601"

Current behavior as of tshark 1.12.0-rc2:
tshark -T fields -e frame.time
"Jun 23, 2014 09:53:03.656998000 Mountain Daylight Time"
"Jun 23, 2014 09:53:04.546606000 Mountain Daylight Time"

Desired behavior:
tshark -T fields -e frame.time -E dateformat=iso8601
"2014-06-23 09:53:03.656998000-0600"
"2014-06-23 09:53:04.546606000-0600"

Benefits to producing ISO 8601 formatted values:
1. Many 3rd party tools support parsing ISO 8601 formatted datetime values.
2. Because ISO 8601 does not contain a comma, there is less of a need to
automatically enclose FT_ABSOLUTE_TIME fields in quotes.
3. Values can be sorted correctly in time with a simple alphabetical sorting
because the sub-fields are ordered from the most to the least significant.
4. Fixed width formats are easier to parse (the latest tshark datetime format
for FT_ABSOLUTE_TIME fields contains a non-fixed-width timezone portion)
5. ISO 8601 is more compact than the current tshark output format.

I would also ask for an option to output datetime fields in the UTC timezone
regardless of the local system timezone setting (e.g. "-E timezone=UTC"), but
that could be a separate feature request.

You are receiving this mail because:

You are watching all bug changes.

Prev by Date: [Wireshark-bugs] [Bug 7393] ISO8073 COTP protocol - ED-TPDU data part not decoded
Next by Date: [Wireshark-bugs] [Bug 10221] New: Scrollbar-mode 'normal' results in infinite GTK error messages.
Previous by thread: [Wireshark-bugs] [Bug 7870] Packaging: Let MAKEDIR in quotation marks to fix packageing error at WINDOWS
Next by thread: [Wireshark-bugs] [Bug 10221] New: Scrollbar-mode 'normal' results in infinite GTK error messages.
Index(es):
- Date
- Thread