Wireshark-users: [Wireshark-users] TSHARK.EXE command line requirements with Filter are impossibl

From: "David DuPre" <david@xxxxxxxxxxxxxxxx>
Date: Wed, 26 Dec 2007 13:47:59 -0500
For my Windows XP installation:

It appears that the valid time format needs to be specified as I have above with the "MMM D, YYYY HH:MM:SS.000000"
format.  At least it works for me.

Given the following filter requirements:

frame.time ge "Dec 3, 2007 11:55:21.151151" && frame.time le "Dec 3, 2007 11:58:48.690761"

The filter above works fine if you paste it into the Wireshark GUI.

It does not appear possible to make this work from the command line because of the requirements of the FILTER to have
the date range QUOTED && the Command line requires that you Quote the entire filter string.

Here are the requirements for calling TSHARK.EXE with a FILTER parameter:

tshark [other options] [ -R "filter expression" ]

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter
expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be
specified with command-line arguments after the option arguments, in which case all the arguments after the filter
arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters
are supported when doing a live capture and when reading a capture file, but require TShark to do more work when
filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is
specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done
(i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was
specified).

It would be nice if the "Single Quote" was accepted by the filter command sent inside a set of Double Quotes.

David


David DuPre'
HyPerformix Inc.
Executive Performance Engineering Consultant
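The quoting problem described in the post, worked through as an added example (not code from the original thread or from the Wireshark project): a POSIX shell script that builds the frame.time range filter for tshark's -R option, shows that it arrives as a single argument only when the shell quoting is right, and notes the cmd.exe form. The capture path is a placeholder, and the Windows line at the end is an assumption about how the C runtime parses a backslash-escaped quote, not something verified here.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.  Shows why a
# tshark -R filter that itself contains quoted time strings must reach
# tshark as ONE argv element, and how to build that argument in a POSIX
# shell.  tshark is only run if it and the (placeholder) capture file exist.

# Build the display filter for a frame.time range.  The inner double quotes
# are part of the filter language, so they are emitted literally.
build_time_range_filter() {
    printf 'frame.time ge "%s" && frame.time le "%s"' "$1" "$2"
}

# Report how many separate arguments a command would receive.
count_args() {
    echo "$#"
}

FILTER=$(build_time_range_filter 'Dec 3, 2007 11:55:21.151151' \
                                 'Dec 3, 2007 11:58:48.690761')

# Quoted: the whole filter is a single argument (prints 1).
count_args "$FILTER"
# Unquoted: the shell splits it on whitespace (prints 13), so tshark would
# see "frame.time", "ge", '"Dec', "3,", ... as separate filter words.
count_args $FILTER

# Run only if tshark and the placeholder capture are actually available.
PCAP="${PCAP:-capture.pcap}"   # placeholder path
if command -v tshark >/dev/null 2>&1 && [ -r "$PCAP" ]; then
    # Double quotes around "$FILTER" keep the embedded quotes intact.
    tshark -r "$PCAP" -R "$FILTER"
fi

# On Windows cmd.exe there is no single-quote grouping; the usual way to get
# a literal double quote inside a double-quoted argument is \", which the
# MSVC C runtime treats as an escaped quote (assumption, not tested here):
#   tshark -r capture.pcap -R "frame.time ge \"Dec 3, 2007 11:55:21.151151\" && frame.time le \"Dec 3, 2007 11:58:48.690761\""
```

The two count_args calls are the whole point: the filter text is identical in both, and only the shell-level quoting decides whether tshark receives one expression or thirteen fragments.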

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of Andrew Chalk
> Sent: Monday, December 24, 2007 6:37 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] Specifying a date range in editcap
>
> No luck. Same result.
>
> "Jeroen Eeuwes" <jeroeneeuwes@xxxxxxxxx> wrote
> in message
> news:65a16ec20712070818w73fee583gcea5f943a0150928@xxxxxxxxxxxxxx...
> > Hi Andrew,
> >
> >> editcap: "2007-12-06" isn't a valid time format
> >
> > The parameter for the -A file is split up due to the space between the
> > date and time. You should try putting quotes around the date-time.
> > Eg.:
> >
> > editcap -r -A "2007-12-06 15:00:00" -B "2007-12-06 16:00:00"
> > Infile.cap Outfile.cap
> >
> > or remove the space:
> >
> > editcap -r -A 2007-12-0615:00:00 -B 2007-12-0616:00:00 Infile.cap
> > Outfile.cap
> >
> > Best regards,
> > Jeroen
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> >