Wireshark-users: Re: [Wireshark-users] Changing timestamps

From: Trebor Sreyb <tsreyb@xxxxxxxxx>
Date: Thu, 3 Jan 2008 07:51:50 -0800 (PST)
FWIW - I solved my own problem. editcap is the wrong tool. I found that by using: 1. wireshark file > export and 2. text2pcap with the -t option, I was able to change individual timestamps to suit my needs.


----- Original Message ----
From: Trebor Sreyb <tsreyb@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Sent: Thursday, January 3, 2008 1:38:39 AM
Subject: [Wireshark-users] Changing timestamps

I'm in need of changing the timestamps of the packets in a pcap file.
 editcap has a global approach to this, where a range of packets can be
 applied the same time adjustment. However, I need to have much finer
 grained control.

So, I noticed wireshark will let me save my file as a text format
 called "k12text", which I then was able to modify using a tcl script that
 read the k12text file and rewrote it with new timestamps according to my

For example, my script increments the timestamp from one packet to the
 next by a default of 0.0000001s, with specific overrides for any packet
 of my choosing.

Then - I had hoped - I could read the k12text file into wireshark and
 do a file > save as, to ultimately save it as a pcap file again.

Problem is, it appears that a k12text file cannot be saved as a pcap
 (or most anything else). This was a huge disappointment, as I spent the
 time to write the tcl script and thought all was set. But alas I seem to
 be back at the drawing board.

Is there another approach I might take to accomplish this task?

Ultimately, the file will be imported into a 3rd party capture/replay
 tool, which understands libpcap files only. 

 Andover, MA usa
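Another way to get per-packet control, shown as an added example that is not part of the original thread, is to rewrite the libpcap record headers directly. The function names and the `overrides` interface (packet index mapped to the gap in nanoseconds from the previous packet) are assumptions of this sketch; because a 0.0000001 s step is finer than the microsecond resolution of the classic format, the output uses the nanosecond pcap magic.

```python
import struct

MAGIC_US, MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D  # microsecond / nanosecond pcap magic
NS = 1_000_000_000

def _byte_order(data):
    """Return (struct endianness prefix, magic) for a classic pcap file."""
    for endian in "<>":
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_US, MAGIC_NS):
            return endian, magic
    raise ValueError("not a classic libpcap file (pcapng is not handled)")

def records(data):
    """Yield (timestamp_ns, incl_len, orig_len, payload) for each packet."""
    endian, magic = _byte_order(data)
    scale = 1000 if magic == MAGIC_US else 1
    offset = 24  # skip the 24-byte global header
    while offset < len(data):
        hdr = data[offset:offset + 16]
        if len(hdr) < 16:
            raise ValueError("truncated record header")
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
        payload = data[offset + 16:offset + 16 + incl_len]
        if len(payload) < incl_len:
            raise ValueError("truncated packet data")
        yield sec * NS + frac * scale, incl_len, orig_len, payload
        offset += 16 + incl_len

def retime_pcap(data, step_ns=100, overrides=None):
    """Space packets step_ns apart; overrides maps packet index -> gap in ns."""
    overrides = overrides or {}
    endian, _ = _byte_order(data)
    out = bytearray(struct.pack(endian + "I", MAGIC_NS) + data[4:24])
    now_ns = None
    for index, (ts, incl_len, orig_len, payload) in enumerate(records(data)):
        # The first packet keeps its original time; later ones are re-spaced.
        now_ns = ts if now_ns is None else now_ns + overrides.get(index, step_ns)
        out += struct.pack(endian + "IIII", *divmod(now_ns, NS), incl_len, orig_len)
        out += payload
    return bytes(out)

# Constructed sample: little-endian microsecond pcap with three 4-byte packets.
SAMPLE = struct.pack("<IHHiIII", MAGIC_US, 2, 4, 0, 0, 65535, 1)
for sec, usec in ((1199350000, 5), (1199350003, 0), (1199350009, 250000)):
    SAMPLE += struct.pack("<IIII", sec, usec, 4, 4) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    new = retime_pcap(SAMPLE, overrides={2: 1_500_000_000})
    print([ts for ts, *_ in records(new)])
```

A consumer that accepts only the microsecond magic cannot represent a 100 ns gap, so for such a tool the step would have to be at least 1000 ns and the records written with microsecond fractions instead.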
