I have a pcap file and I want to filter out some packets based on their epoch timestamp with tshark.
I have a timestamp t1. I need the packets whose epoch timestamp is "later" than t1. The timestamp t1 is extracted from another pcap file. So far so good.
In the following lines I convert the timestamp t1 (1499351908.01) to the datetime format p (2017-07-06 10:38:28). I am doing this because tshark needs a notation like this for filtering. Otherwise an error occurs.
import datetime as DT

t1_c = DT.datetime.fromtimestamp(t1)            # epoch float -> local datetime
p = t1_c.strftime('%Y-%m-%d %H:%M:%S')          # "2017-07-06 10:38:28"
In the following line I specify the input and output file and the tshark filter:
import os

os.system('tshark -r test_in.pcap -w test_out.pcap -Y "frame.time >= p"')
So if I run my code, this tshark error occurs:
tshark: "p" is not a valid absolute time. Example: "Nov 12, 1999 08:55:44.123" or "2011-07-04 12:34:56"
What is wrong? Is the filtering notation wrong?
Thanks in advance!
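As an added example that is not part of the question above: the filter string the poster builds contains the literal name p rather than its value, so tshark tries to parse "p" as an absolute time. The block below (names build_tshark_cmd, epoch_to_tshark_abs_time and run_filter are my own) builds the display filter with the value interpolated, and by default compares against frame.time_epoch, a numeric field that takes the epoch float directly and sidesteps the local-time conversion. It also hands tshark an argv list through subprocess instead of a shell string, so a file name or timestamp taken from elsewhere cannot smuggle shell metacharacters into the command.

```python
import datetime as DT
import subprocess
from typing import List, Optional

UTC = DT.timezone.utc


def epoch_to_tshark_abs_time(t1: float, tz: Optional[DT.tzinfo] = None) -> str:
    """Render an epoch timestamp in the 'YYYY-MM-DD HH:MM:SS' form that
    tshark accepts for frame.time comparisons.

    frame.time is shown in local time, so tz=None (local) matches the way the
    question converts t1; pass tz=UTC for a reproducible string.  Note that
    strftime('%S') drops the fractional second (the .01 in 1499351908.01).
    """
    return DT.datetime.fromtimestamp(t1, tz=tz).strftime('%Y-%m-%d %H:%M:%S')


def build_tshark_cmd(infile: str, outfile: str, t1: float,
                     use_epoch: bool = True,
                     tz: Optional[DT.tzinfo] = None) -> List[str]:
    """Return the tshark argv that writes every packet captured at or after t1."""
    if use_epoch:
        # frame.time_epoch is numeric: the raw epoch value is compared directly,
        # fractional seconds are kept and no time-zone conversion is involved.
        dfilter = f'frame.time_epoch >= {t1:.6f}'
    else:
        # The absolute-time form: the value (not the variable name) must end up
        # inside the quoted filter string.
        dfilter = f'frame.time >= "{epoch_to_tshark_abs_time(t1, tz)}"'
    # -Y applies a display filter while reading; with -w only matching packets
    # are written to the output file.
    return ['tshark', '-r', infile, '-w', outfile, '-Y', dfilter]


def run_filter(infile: str, outfile: str, t1: float,
               use_epoch: bool = True) -> int:
    """Run tshark and return its exit status (requires tshark on PATH)."""
    cmd = build_tshark_cmd(infile, outfile, t1, use_epoch=use_epoch)
    # argv list, no shell: nothing in infile/outfile/t1 is interpreted by sh.
    return subprocess.run(cmd, check=True).returncode


if __name__ == '__main__':
    # Values from the question; t1 would normally come from the other pcap.
    t1 = 1499351908.01
    print(' '.join(build_tshark_cmd('test_in.pcap', 'test_out.pcap', t1)))
    print(' '.join(build_tshark_cmd('test_in.pcap', 'test_out.pcap', t1,
                                    use_epoch=False)))
```

With the question's value the default command becomes tshark -r test_in.pcap -w test_out.pcap -Y "frame.time_epoch >= 1499351908.010000"; if you need the absolute-time form, keep the tz consistent with what tshark uses to render frame.time on that machine.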