Two quick questions regarding the output from tshark in statistics mode.
Firstly is it possible to display the date/time of the start of a socket
pair when using -z conv,[tcp|udp]? The first occurrence in the file
would do, obviously it cannot be guaranteed that this is the "start" of
the socket pair for UDP at all or TCP unless the first SYN is present.
Secondly can the output of -z io,stat be told to display an absolute
date (from epoch in seconds if necessary) instead of relative ms? I
have many pcap files (and do not wish to join them) but I would like to
graph packet/byte throughput in a custom way (i.e. I want the data so I
can analyse or plot it myself). I'd like to do this across all files,
so relative to the first packet doesn't help.
Thanks!
David