1

i have one big pcap files and my objective is to extract only certain timestamp period of the traces (for example, the dataset time start from 0 to 200, but i only want between 50 - 100 seconds).

i tried to use editcap tools and use this command

 editcap -A "50.000000000" -B "100.000000000"  input_file output_file

since my dataset time field shows this format. The problem is, it give error

"editcap: "50.000000000" isn't a valid time format"

i tried in other way, for example, according to wireshark website, the format should be like this and also end with the same error. 

The time is given in the following format YYYY-MM-DD HH:MM:SS

Some of the discussed solution in net is to use quote but also give me the error

"YYYY-MM-DD HH:MM:SS"

The question is, what is the real format to use the editcap tool to fulfil my objective above.

user3085445
  • 95
  • 2
  • 10

3 Answers3

1

As the dates of your capture are in UTC time and then may differ from what you see, use the two following commands:

>> capinfos -a -e 201609011400.pcap 
File name:           201609011400.pcap
Packet size limit:   inferred: 34 bytes - 96 bytes (range)
Start time:          Thu Sep  1 07:00:00 2016
End time:            Thu Sep  1 07:15:00 2016
>> editcap -A "2016-09-01 07:00:00" -B "2016-09-01 07:05:00" 201609011400.pcap 201609011400_1st_third.pcap
Utopia
  • 278
  • 1
  • 3
  • 19
0
editcap  -A "2006-12-15 13:17:10" ...

worked fine for me (on Windows).

Note: You must use the times as displayed by tshark using the -tad option (without the fractional second).

That is: specifying sub-seconds ( 2006-12-15 13:17:10.1234 ) will ignore the sub-seconds part.

willyo
  • 961
  • 7
  • 9
0

You may try tshark this way, instead of using editcap:

$ tshark -r input.pcap -R "frame.time_relative >= 50 && frame.time_relative <= 100" -w output.cap
user1556814
  • 573
  • 6
  • 19