Wireshark-users: Re: [Wireshark-users] tshark display filter / time

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 30 Oct 2011 16:48:24 +0100
Hi Stuart,

Use frame.time_delta and frame.time_relative:
$ tshark -r Copylmt_04.pcap -T fields -e frame.number -e frame.time_delta
-e frame.time_relative -E header=y | head
frame.number    frame.time_delta        frame.time_relative
1       0.000000000     0.000000000
2       0.160305000     0.160305000
3       0.000057000     0.160362000
4       0.000197000     0.160559000
5       0.261759000     0.422318000
6       0.272807000     0.695125000
7       0.000706000     0.695831000
8       0.000069000     0.695900000
9       0.000630000     0.696530000

My best
Joke

On Sun, 30 Oct 2011 07:03:50 -0700 Stuart Kendrick wrote:
>How do I persuade tshark to display both Relative Time and Delta Time?
>
>Obviously, 'time.delta' and 'time.relative' don't mean much ...
>
>guru> tshark -r sample.pcap -T fields -e frame.number -e time.delta -e time.relative
>-e ip.src -e ip.dst
>
>frame.number  time.delta  time.relative  ip.src         ip.dst
>1                                        10.12.5.123    10.12.18.116
>2                                        10.12.18.116   10.12.5.123
>3                                        10.12.5.123    10.12.18.116
>4                                        10.12.18.116   10.12.5.123
>
>--sk
>
>Stuart Kendrick
>FHCRC