
Wireshark-users: [Wireshark-users] how do I extract these packets with editcap?

Date: Thu, 5 Apr 2012 23:21:26 +0100 (BST)
Here is a sample from my file

I want to extract a specific packet or range of packets, based on time.
C:\sdf>tshark -t ad -r ga.pcap | head -n 6
2161 2012-04-02 08:49:22.022227 192.168.1.66 -> 192.168.1.65 TCP
1085 2012-04-02 08:49:22.022329 192.168.1.65 -> 192.168.1.66 TCP
2161 2012-04-02 08:49:22.022481 192.168.1.66 -> 192.168.1.65 TCP
2162 2012-04-02 08:49:22.023061 192.168.1.66 -> 192.168.1.65 TCP
1085 2012-04-02 08:49:22.023103 192.168.1.65 -> 192.168.1.66 TCP
2162 2012-04-02 08:49:22.023236 192.168.1.66 -> 192.168.1.65 TCP

C:\sdf>tshark -r ga.pcap | head -n 6
2161   0.000000 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2161
1085   0.000102 192.168.1.65 -> 192.168.1.66 TCP 66 2161 1085
2161   0.000254 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2161
2162   0.000834 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2162
1085   0.000876 192.168.1.65 -> 192.168.1.66 TCP 66 2162 1085
2162   0.001009 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2162

I'd like to use the -r format since it's more abbreviated, but anyhow, trying with the longer format, I tried this line:
C:\sdf>editcap -r -A "2012-04-02 08:49:22.022227"  ga.pcap gaa.pcap

and I found that it created a new file gaa.pcap, but exactly the same size as ga.pcap, as if I hadn't done the -A switch.

If I can get -A and -B to work then I suppose I could extract ranges of packets, or specific ones, but I can't get -A to work there when I tried it.

I'd also like to know if there is any other unique identifier with the packet (maybe an absolute sequence number), and how to extract it based on that.

Though I can't even get the time one to work at the moment.
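The time-window selection the post is trying to get out of editcap -A/-B, done by hand on the pcap file format, as an added example (not editcap's code and not from this thread). It assumes the classic pcap format, treats the given times as UTC (editcap's own time interpretation and inclusivity may differ), and keeps packets whose timestamp is on or after the start and on or before the stop; the sample capture is constructed inline with the timestamps from the post.

```python
import calendar
import struct
from datetime import datetime

PCAP_MAGIC_US = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # pcap variant with nanosecond timestamps

def parse_time(text):
    """'YYYY-MM-DD HH:MM:SS[.fraction]' -> integer nanoseconds since the epoch (treated as UTC; assumption)."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    dt = datetime.strptime(text, fmt)
    return calendar.timegm(dt.timetuple()) * 10**9 + dt.microsecond * 1000

def iter_records(pcap):
    """Yield (timestamp_ns, raw_record_bytes) per packet record, honouring byte order and resolution."""
    raw, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if raw in (PCAP_MAGIC_US, PCAP_MAGIC_NS) else ">"
    magic, = struct.unpack_from(endian + "I", pcap, 0)
    frac_unit = 1 if magic == PCAP_MAGIC_NS else 1000  # nanoseconds per fraction tick
    off = 24  # size of the pcap global header
    while off + 16 <= len(pcap):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        end = off + 16 + incl_len
        yield sec * 10**9 + frac * frac_unit, pcap[off:end]
        off = end

def select_by_time(pcap, start=None, stop=None):
    """Keep records with start <= ts <= stop (both inclusive): the -A/-B semantics assumed here."""
    lo = parse_time(start) if start else 0
    hi = parse_time(stop) if stop else float("inf")
    kept = [rec for ts, rec in iter_records(pcap) if lo <= ts <= hi]
    return pcap[:24] + b"".join(kept)  # global header is copied unchanged

def count_packets(pcap):
    return sum(1 for _ in iter_records(pcap))

def build_pcap(records):
    """Little-endian microsecond pcap, linktype 1 (Ethernet), from (sec, usec, payload) triples."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in records)
    return hdr + body

# Constructed sample: the first three timestamps from the post, plus one packet a second later.
BASE = calendar.timegm((2012, 4, 2, 8, 49, 22, 0, 0, 0))
SAMPLE_PCAP = build_pcap([
    (BASE, 22227, b"\x00" * 66), (BASE, 22329, b"\x00" * 66),
    (BASE, 22481, b"\x00" * 60), (BASE + 1, 0, b"\x00" * 66),
])
```

Calling select_by_time(SAMPLE_PCAP, "2012-04-02 08:49:22.022329", "2012-04-02 08:49:22.022481") keeps two of the four sample packets; the timestamps are compared as integer nanoseconds so a microsecond boundary is not lost to floating-point rounding.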