From: Sake Blok <sake@xxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Sat, January 29, 2011 8:24:21 AM
Subject: Re: [Wireshark-users] tcp.time_delta column with tshark
On 29 jan 2011, at 16:52, j.snelders wrote:
> On Sat, 29 Jan 2011 00:26:40 -0800 (PST) vincent paul wrote:
>>
>> 1) I try to use tshark to export a capture into csv file. I use -T fields
>> -E
>> separator=, -e tcp.time_delta....... I could see other column data but
> not
>>
>> tcp.time_delta . Any idea.
>
> No, but it does print the frame.time_delta
> $ tshark -r test.pcap -T fields -E separator=, -e frame.number -e
frame.time_delta
In order to be able to use tcp.time_relative and tcp.time_delta, you will need to enable TCP timestamps. This is disabled by default (for performance optimization).
You can check whether tshark is using TCP timestamps:
$ tshark -G currentprefs | grep tcp.calculate_timestamps
tcp.calculate_timestamps: TRUE
$
If you want to enable them, use:
tshark -o cp.calculate_timestamps:TRUE -r <file> -T fields -e ... -e tcp.time_delta -e ...
Cheers,
Sake
___________________________________________________________________________
Sent via: Wireshark-users mailing list <
wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe:
https://wireshark.org/mailman/options/wireshark-users mailto:
wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe