Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Editcap and timestamps

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 05 Aug 2011 08:49:55 -0400
Wu Weidong wrote:
Hi,

Does editcap depend on packet timestamp in anyway? I was able to extract specific packets using editcap on pcap files that were recorded from live traffic, but was unable to extract any packets on processed pcap files that have packet timestamps as 0.

It did, I think, until recently. I can't remember if r34913 fixed it (in which case 1.6 has the fix) or r37633 fixed it (in which case you'd need to try an automated build[1]).

[1] http://www.wireshark.org/download/automated/