Wireshark-users: Re: [Wireshark-users] how to print time with epoch formation by tshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 9 Jul 2008 17:17:02 -0700

On Jul 1, 2008, at 8:20 AM, Stephen Fisher wrote:

This is because the -t e option only applies to the normal timestamps that tshark shows, not to the frame.time field.  The time format is stored in the "recent" settings file.  The easiest way to change this would be to open Wireshark and change the time format from the View -> Time Display Format menu if you have access to the GUI.  You could also see if you have a ~/.wireshark/recent file and edit the gui.time_format setting there.

Unfortunately, the gui.time_format setting *also* only applies to the normal timestamps that tshark shows, not to the frame.time field; recent.gui_time_format is only used in the GUI for the View menu item, the code to read and write the recent file, and a call to timestamp_set_type(); the argument to the "-t" flag is also used only in a call to timestamp_set_type(), so the View -> Time Display Format menu item in Wireshark is the equivalent of the "-t" flag in TShark.

In addition, TShark doesn't read the recent file, so changing it - whether from the Wireshark GUI or by manually editing it - won't make any difference.

So there's no way to cause the frame.time field to be printed as seconds since the epoch. The best that could be done with Wireshark 1.0 or earlier would be to do

	tshark -t e -z proto,colinfo,XXXXXX,XXXXXX

which would append "XXXXXX == {value}" to the Info column for those packets that have an XXXXXX field.

With the 1.0.1 or current SVN version of Wireshark, you can, on UN*X, do something such as

	tshark -t e -o 'column.format:"Time", "%t", "XXXXXX", "%Cus:XXXXXX"'

to get TShark to print out two columns, one with the time stamp and one with the XXXXXX field.

On Windows, I leave it as an exercise to the reader to figure out whether it's possible, with the cmd.exe command interpreter, to pass to a command a single argument that

	1) includes spaces

and

	2) includes a bunch of double-quoted strings.

If it's not possible, you might have to install Cygwin and do it from a UN*X shell, or possibly do it from the Windows PowerShell:

	http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

if it's present in your version of Windows, or can be installed on your version of Windows from the download, and can be convinced to do that.
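The UN*X procedure from the reply, as an added example that is not part of the original thread or of Wireshark itself: a POSIX shell script that builds the column.format preference as a single argument (the quoting cmd.exe makes awkward), writes a constructed one-packet capture so there is something to run against offline, and invokes tshark with -t e and the two-column format if tshark is installed. "udp.srcport" stands in for the XXXXXX field in the post; the capture contents, the epoch timestamp 1215648000, and the helper names (hex2bin, write_pcap, pcap_magic, tshark_argc, run_tshark) are all assumptions of this example. Note that later Wireshark releases renamed the preference to gui.column.format and added -T fields -e frame.time_epoch, which answers the original question directly; the script targets the 1.0.1-era interface the reply describes and falls back to the -z proto,colinfo form if column.format is rejected.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes tshark 1.0.1+ on PATH
# (optional: the capture and the argument list are built without it) and
# "udp.srcport" standing in for the XXXXXX field in the post.

FIELD="udp.srcport"

# The preference string from the reply, built as ONE shell word. On an
# interactive command line you would single-quote the whole value exactly as
# Guy shows; inside a script, double quotes with \" let $FIELD expand while
# still keeping the spaces and embedded double quotes in a single argument.
COLFMT="column.format:\"Time\", \"%t\", \"$FIELD\", \"%Cus:$FIELD\""

# Emit space-separated hex byte pairs as raw bytes (printf octal escapes).
hex2bin() {
    for h in "$@"; do
        printf "\\$(printf '%03o' "0x$h")"
    done
}

# Write a constructed one-packet pcap (assumption, not a real capture):
# UDP 10.0.0.1:40000 -> 10.0.0.2:40001, payload "ping", captured at epoch
# second 1215648000 (0x48755100). The IPv4 header checksum 0x66ca is
# precomputed so the header dissects as valid.
write_pcap() {
    {
        # pcap global header: magic (little-endian), v2.4, tz 0, sigfigs 0,
        # snaplen 65535, link type 1 (Ethernet)
        hex2bin d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00
        # record header: ts_sec 0x48755100, ts_usec 0, incl_len 46, orig_len 46
        hex2bin 00 51 75 48 00 00 00 00 2e 00 00 00 2e 00 00 00
        # Ethernet: dst 00:aa:bb:cc:dd:ee, src 00:11:22:33:44:55, type IPv4
        hex2bin 00 aa bb cc dd ee 00 11 22 33 44 55 08 00
        # IPv4: ihl 5, total len 32, id 1, ttl 64, proto 17 (UDP), csum 0x66ca,
        # 10.0.0.1 -> 10.0.0.2
        hex2bin 45 00 00 20 00 01 00 00 40 11 66 ca 0a 00 00 01 0a 00 00 02
        # UDP: 40000 -> 40001, length 12, checksum 0 (none), payload "ping"
        hex2bin 9c 40 9c 41 00 0c 00 00 70 69 6e 67
    } > "$1"
}

# First four bytes of a file as lowercase hex, to sanity-check the pcap magic.
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Count positional parameters: proves the preference reaches tshark as one
# argument rather than being split on its spaces.
count_args() { echo "$#"; }
tshark_argc() { count_args -t e -o "$COLFMT" -r "$1"; }

# Print two columns (epoch timestamp, field value) as the reply describes.
# Falls back to appending "FIELD == value" to the Info column via the
# proto,colinfo tap if column.format is rejected; skips if tshark is absent.
run_tshark() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed; skipping"; return 0; }
    tshark -r "$1" -t e -o "$COLFMT" 2>/dev/null ||
        tshark -r "$1" -t e -z "proto,colinfo,$FIELD,$FIELD"
}

PCAP="${TMPDIR:-/tmp}/epoch_demo.pcap"
write_pcap "$PCAP"
run_tshark "$PCAP"
```

With tshark present the column form prints the frame time as seconds since the epoch beside 40000; the argument count of six confirms that the quoted preference value, spaces and all, arrived as one word, which is the property cmd.exe users have to check for themselves.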