3
votes

I have a huge collection of PCAP files, some of which have been "touched" since they were captured. This means the system timestamp on the file may not equate to the time of the data capture. Additionally, most of the files are autosaves from Wireshark, and sometimes the host computer doesn't get the data from the tap until after the capture time, so if this occurs just after a file autosaved, the next sequential file actually has captures prior to the end time of the previous file.

I have an automatic parser which uses tshark to go through these files. However, it takes about 2 minutes per file to run and I have tens of thousands of files, and I won't know that there's a timestamp issue until after it's run through the problem files.

Is there an easy way to grab the first "epoch time" and the last "epoch time" from a PCAP file using tshark (or another command line tool) without having to scan the entire file?


2 Answers

8
votes

No (not with tshark).

However, Wireshark provides a program, capinfos, which reads a capture file to obtain information about it such as start time, end time, number of packets, etc. (See the help for details.)

capinfos does no dissection and so will be much faster than tshark.

$capinfos  -a -e wireless_080224_first.pcap.gz
File name:           wireless_080224_first.pcap.gz
First packet time:   2008-02-24 13:10:09.637336
Last packet time:    2008-02-24 13:40:23.026171

$capinfos  -T -r -a -e wireless_080224_first.pcap.gz
wireless_080224_first.pcap.gz   2008-02-24 13:10:09.637336      2008-02-24 13:40:23.026171

; Default output

$capinfos  wireless_080224_first.pcap.gz
File name:           wireless_080224_first.pcap.gz
File type:           Wireshark/tcpdump/... - pcap (gzip compressed)
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 65535 bytes
Number of packets:   15 k
File size:           12 MB
Data size:           13 MB
Capture duration:    1813.388835 seconds
First packet time:   2008-02-24 13:10:09.637336
Last packet time:    2008-02-24 13:40:23.026171
Data byte rate:      7705 bytes/s
Data bit rate:       61 kbps
Average packet size: 894.31 bytes
Average packet rate: 8 packets/s
SHA1:                222837342c170e8fb0c2673aef9c056a2ddc08ae
RIPEMD160:           ecf83704b912da3d2f69f4257fa9ee1658aac6cb
MD5:                 b82eda24d784e69ac0828a4ebffed885
Strict time order:   True
Number of interfaces in file: 1
Interface #0 info:
    <snip>
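As an added example (not from the answer's author or the Wireshark project), the Python below shows why capinfos needs no dissection to answer the question: it reads only the 24-byte pcap global header and each 16-byte record header, seeks past every payload, and reports the earliest and latest epoch timestamps plus whether the file is in strict time order, which is exactly the late-tap ordering problem the question describes. It assumes classic pcap only (both endiannesses, microsecond and nanosecond magic, plain or gzip-compressed; pcapng is rejected), and the sample capture it builds is constructed, not a real file.

```python
import gzip
import io
import struct

# Classic pcap magic -> (struct endianness, timestamp fraction units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def scan_pcap(fh):
    """Walk only the 16-byte record headers; return (first, last, strict_order, packets)."""
    magic = fh.read(4)
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, per_sec = MAGICS[magic]
    fh.read(20)  # rest of the 24-byte global header (version, tz, sigfigs, snaplen, linktype)
    rec = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    lo = hi = prev = None
    strict, packets = True, 0
    while True:
        hdr = fh.read(rec.size)
        if len(hdr) < rec.size:
            break  # clean EOF, or a truncated final record
        sec, frac, incl_len, _ = rec.unpack(hdr)
        ts = sec + frac / per_sec
        if prev is not None and ts < prev:
            strict = False  # a later record stamped earlier: the late-tap case in the question
        prev, packets = ts, packets + 1
        lo = ts if lo is None or ts < lo else lo
        hi = ts if hi is None or ts > hi else hi
        fh.seek(incl_len, io.SEEK_CUR)  # skip the payload bytes entirely, no dissection
    return lo, hi, strict, packets

def scan_pcap_bytes(data):
    return scan_pcap(io.BytesIO(data))

def pcap_time_bounds(path):
    """Open a plain or gzip-compressed pcap (detected by the 1f 8b gzip magic) and scan it."""
    with open(path, "rb") as raw:
        is_gz = raw.read(2) == b"\x1f\x8b"
        raw.seek(0)
        return scan_pcap(gzip.GzipFile(fileobj=raw) if is_gz else raw)

def build_sample_pcap():
    """Constructed sample (not a real capture): 3 records, the 3rd stamped earlier than the 2nd."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE, usec, Ethernet
    for sec, usec, n in ((1203858609, 637336, 60), (1203860423, 26171, 80), (1203860000, 0, 60)):
        out += struct.pack("<IIII", sec, usec, n, n) + b"\x00" * n
    return out
```

Call `pcap_time_bounds("file.pcap.gz")` on a real file; on the constructed sample it reports the first and last timestamps correctly and flags the file as not in strict time order, which is the check the question's parser would want before trusting file order.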
0
votes

capinfos is the superior solution, but if you don't have access to it or want to use tshark, this is how you might want to go about it:

# frame.time_epoch is the absolute timestamp; sort so the first and last lines are the
# earliest and latest packets even when the file is not in time order
tshark -r "$file" -T fields -e frame.time_epoch | sort -n | sed -n '1p;$p'