
I need to extract packets within certain time ranges from a large pcap. And I found editcap's -A and -B option a perfect fit for this task except my target time ranges are in epoch time and -A/B requires time in format YYYY-MM-DD HH:MM:SS.

My question is: when I convert epoch time to YYYY-MM-DD HH:MM:SS, what time zone should I use? (I am not sure if this is relevant, but the large pcap I use is a merge of smaller pcaps captured from different time zones.)

I tried tshark, which allows filtering based on epoch time (frame.time_epoch>=X), but tshark seems to be resource expensive and gets constantly killed by the Ubuntu server I used.

Will appreciate any help!

hguo
    Use your system's time. You can check this on unixy systems with `date +"%Z %z"` – Ross Jacobs Oct 05 '19 at 02:15
  • Thanks for the reply! Just to get a better sense of how this works: am I right that the capture timestamps are stored as epoch time in pcap internally, and thus once the system time I feed into editcap gets converted into epoch time, editcap can extract the right packets no matter which time zone the packets are captured from? – hguo Oct 05 '19 at 04:43

1 Answer


Use your system's time.

100% correct. The time is parsed and then fed to a routine (mktime()) that converts a year/month/day/hour/minute/second value, in local time in the machine's timezone, to POSIX time ("Epoch time", where the "Epoch" is the UN*X/POSIX Epoch of 1970-01-01 00:00:00 UTC).

am I right that the capture timestamps are stored as epoch time in pcap internally

Yes.

and thus once the system time I feed into editcap get converted into epoch time, editcap can extract the right packets no matter which time zone the packets are captured from?

Yes.
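The conversion the question and the answer describe, as an added example (not code from the original question or answer, and not part of editcap itself): render an epoch timestamp as the local-time `YYYY-MM-DD HH:MM:SS` string that `editcap -A/-B` expects, reverse it the way editcap does (parse the fields, hand them to `mktime()` in the machine's local zone), and confirm the two agree before building the command line. The file names `big.pcap` and `out.pcap`, the epoch values, and the helper names are constructed for the example; the round-trip check is there because local-time strings inside the repeated hour of a DST fall-back are ambiguous and can map back to a different epoch than the one you started from.

```python
import math
import time
from datetime import datetime


def epoch_to_editcap_time(epoch: float) -> str:
    """Format a POSIX timestamp as 'YYYY-MM-DD HH:MM:SS' in this machine's
    local timezone, which is the zone editcap's mktime() call will assume."""
    return datetime.fromtimestamp(epoch).strftime("%Y-%m-%d %H:%M:%S")


def editcap_time_to_epoch(text: str) -> int:
    """Reverse the formatting the way editcap does: split the string into
    year/month/day/hour/minute/second and let mktime() interpret those
    fields in the local timezone. tm_isdst=-1 tells mktime() to work out
    DST itself (assumption: editcap's C code relies on the same behaviour)."""
    fields = time.strptime(text, "%Y-%m-%d %H:%M:%S")
    return int(time.mktime(tuple(fields)[:8] + (-1,)))


def round_trips(epoch: int) -> bool:
    """True when local-time formatting followed by mktime() gives the original
    epoch back. False only inside a DST fall-back hour, where the local string
    is ambiguous; in that case shift the boundary by an hour or filter with
    tshark's frame.time_epoch instead."""
    return editcap_time_to_epoch(epoch_to_editcap_time(epoch)) == epoch


def build_editcap_cmd(in_pcap: str, out_pcap: str,
                      start_epoch: float, end_epoch: float) -> list:
    """Build the editcap argument list for a [start, end] epoch range.

    -A/-B take whole seconds, so the start is floored and the end is ceiled
    to keep every packet inside the fractional range. Raises ValueError if
    either boundary falls in a DST-ambiguous local hour."""
    start = math.floor(start_epoch)
    end = math.ceil(end_epoch)
    for boundary in (start, end):
        if not round_trips(boundary):
            raise ValueError(
                f"epoch {boundary} is ambiguous in local time "
                f"({epoch_to_editcap_time(boundary)}); pick another boundary")
    return [
        "editcap",
        "-A", epoch_to_editcap_time(start),
        "-B", epoch_to_editcap_time(end),
        in_pcap, out_pcap,
    ]


if __name__ == "__main__":
    # Constructed sample range: 2019-10-02 06:26:40 UTC plus one hour.
    cmd = build_editcap_cmd("big.pcap", "out.pcap", 1570000000, 1570003600)
    print(" ".join(cmd))
```

The printed command is what you would run on the Ubuntu box; because pcap timestamps are stored as UTC-based epoch values, the local-time strings only need to be correct for the machine running editcap, not for the zones the merged captures came from.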