3
votes

I am working on a parsing script for a bunch of regular small pcap files created with tshark.

What I need is to extract the precise (down to milliseconds) timestamp of the first packet in the capture and the last one. I tried "capinfos myfile" but that has a precision down to seconds and for captures lasting less than one second that's not very helpful.

Does anyone know how I can grab that info?

1 Answer

5
votes

Run capinfos -c to display the number of packets:
$ capinfos -c lmt_04.pcap
File name: lmt_04.pcap
Number of packets: 1645

Run TShark -T fields to print the frame.time of the first and the last packet:
$ tshark -r lmt_04.pcap -R "frame.number==1 || frame.number==1645" -T fields -e frame.time
Aug 28, 2009 21:29:24.491572000
Aug 28, 2009 21:30:36.747868000
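
The same first/last lookup done by reading the capture file directly, as an added example that is not part of the answer above. It assumes classic pcap files (pcapng is rejected), and the function names and the sample capture are constructed for illustration.

```python
import io
import struct
from datetime import datetime, timezone

# Magic as read little-endian -> (byte order of the file, ticks per second)
MAGICS = {
    0xA1B2C3D4: ("<", 10**6),  # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 10**6),  # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 10**9),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 10**9),  # big-endian, nanosecond timestamps
}

def first_last_timestamps(stream):
    """Return (first, last, count); times are (seconds, nanoseconds) tuples,
    or None when the capture holds no complete packet."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order, ticks = MAGICS[magic]
    first = last = None
    count = 0
    while True:
        rec = stream.read(16)  # ts_sec, ts_frac, incl_len, orig_len
        if len(rec) < 16:      # clean EOF or a cut-off record header
            break
        sec, frac, incl_len, _ = struct.unpack(order + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:  # packet data cut short
            break
        last = (sec, frac * (10**9 // ticks))
        if first is None:
            first = last
        count += 1
    return first, last, count

def fmt(ts):
    """Render a (seconds, nanoseconds) tuple as a UTC time string."""
    return datetime.fromtimestamp(ts[0], timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + ".%09d" % ts[1]

def build_sample():
    """Constructed capture: three 14-byte dummy frames, microsecond format."""
    buf = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(1251494964, 491572), (1251495000, 5), (1251495036, 747868)]:
        buf += struct.pack("<IIII", sec, usec, 14, 14) + b"\x00" * 14
    return buf

if __name__ == "__main__":
    first, last, n = first_last_timestamps(io.BytesIO(build_sample()))
    print(n, fmt(first), fmt(last))
```

For a real file, pass `open(path, "rb")` instead of the in-memory sample; a trailing packet that was cut off mid-write is not counted.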