Wireshark-users: [Wireshark-users] Changing timestamps

From: Trebor Sreyb <tsreyb@xxxxxxxxx>
Date: Wed, 2 Jan 2008 22:38:39 -0800 (PST)

I'm in need of changing the timestamps of the packets in a pcap file. editcap has a global approach to this, where a range of packets can be applied the same time adjustment. However, I need to have much finer grained control.

So, I noticed wireshark will let me save my file as a text format called "k12text", which I then was able to modify using a tcl script that read the k12text file and rewrote it with new timestamps according to my requirements.

For example, my script increments the timestamp from one packet to the next by a default of 0.0000001s, with specific overrides for any packet of my choosing.

Then - I had hoped - I could read the k12text file into wireshark and do a file > save as, to ultimately save it as a pcap file again.

Problem is, it appears that a k12text file cannot be saved as a pcap (or most anything else). This was a huge disappointment, as I spent the time to write the tcl script and thought all was set. But alas I seem to be back at the drawing board.

Is there another approach I might take to accomplish this task?

Ultimately, the file will be imported into a 3rd party capture/replay tool, which understands libpcap files only. 

Thanks,
-Bob
 Andover, MA usa






      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ