11

I'm trying to print out various fields from a PCAP containing HTTP traffic. One of the columns should be the timestamp in the ISO 8601 format (YYYY-MM-DD hhmmss).

Also, if anyone has a full list of fields that work under -e, that would be awesome (eg, ip.src, frame.time, etc).

Just as an example, I'm starting from a couple of angles:

tshark -r out.pcap -R "tcp.port==80" -o column.format:"Packet,%m,Time,%t,Info,%i"

tshark -r out.pcap -R "tcp.port==80" -T fields -e frame.time
No Idea For Name

malogos

1 Answer

9

Did you try the following:

tshark -r out.pcap -R "tcp.port==80" -o column.format:"Packet,%m,Time,%Yt,Info,%i"

... or the more modern versions as either:

tshark -r out.pcap -2R "tcp.port==80" -o gui.column.format:"Packet,%m,Time,%Yt,Info,%i"

or:

tshark -r out.pcap -Y "tcp.port==80" -o gui.column.format:"Packet,%m,Time,%Yt,Info,%i"

The key there is to use %Yt instead of %t, which uses the YYYY-MM-DD hhmmss format. If you want UTC, then use %Yut. Other formats are available as well.

Note that:

Prior to Wireshark commit r52627, which resolved Wireshark Issue 9272 ("column format strings are only documented in source code"), the column formats were only documented in the source code itself (i.e., in epan/column.c); however, after that revision, you can run tshark -G column-formats to view them.

(That revision is only currently available in the development version of Wireshark though. Regardless, you can still use the source code itself as a reference. If you'd like to download the development release, visit the Wireshark download page.)

To answer your second inquiry, namely "if anyone has a full list of fields that work under -e, that would be awesome", you can refer to the Wireshark display filter reference page. Basically, any named field can be used.

Christopher Maynard