
Wireshark-users: Re: [Wireshark-users] how do I extract these packets with editcap

From: Paula Dufour <psdufour@xxxxxxxxx>
Date: Fri, 6 Apr 2012 18:57:56 -0400
I believe you are trying to be too precise.  I think the time format only goes to the second.
 
Paula Dufour


On Fri, Apr 6, 2012 at 3:00 PM, <wireshark-users-request@xxxxxxxxxxxxx> wrote:
Send Wireshark-users mailing list submissions to
       wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
       https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
       wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
       wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

  1. how do I extract these packets with editcap? (Marilo)
  2. Re: Issue with RTT values in Wireshark (NITIN GOYAL)


----------------------------------------------------------------------

Message: 1
Date: Thu, 5 Apr 2012 23:21:26 +0100 (BST)
From: Marilo <narium85-mlscar@xxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] how do I extract these packets with
       editcap?
Message-ID:
       <1333664486.12822.YahooMailClassic@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

Here is a sample from my file

I want to extract a specific packet or range of packets, based on time.



C:\sdf>tshark -t ad -r ga.pcap | head -n 6
2161 2012-04-02 08:49:22.022227 192.168.1.66 -> 192.168.1.65 TCP
1085 2012-04-02 08:49:22.022329 192.168.1.65 -> 192.168.1.66 TCP
2161 2012-04-02 08:49:22.022481 192.168.1.66 -> 192.168.1.65 TCP
2162 2012-04-02 08:49:22.023061 192.168.1.66 -> 192.168.1.65 TCP
1085 2012-04-02 08:49:22.023103 192.168.1.65 -> 192.168.1.66 TCP
2162 2012-04-02 08:49:22.023236 192.168.1.66 -> 192.168.1.65 TCP

C:\sdf>tshark -r ga.pcap | head -n 6
2161   0.000000 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2161
1085   0.000102 192.168.1.65 -> 192.168.1.66 TCP 66 2161 1085
2161   0.000254 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2161
2162   0.000834 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2162
1085   0.000876 192.168.1.65 -> 192.168.1.66 TCP 66 2162 1085
2162   0.001009 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2162

I'd like to use the -r format since it's more abbreviated, but anyhow, trying with the longer format,
I tried this line:
C:\sdf>editcap -r -A "2012-04-02 08:49:22.022227"  ga.pcap gaa.pcap

and I found that it created a new file gaa.pcap but exactly the same size as ga.pcap  as if I hadn't done the -A switch.

If I can get -A and -B to work then I suppose I could extract ranges of packets, or specific ones, but I can't get -A to work there when I tried it.

I'd also like to know if there is any other unique identifier with the packet, maybe an absolute sequence number, and how to extract it based on that.

Though I can't even get the time one to work at the moment.



------------------------------

Message: 2
Date: Fri, 6 Apr 2012 10:39:52 +0530
From: NITIN GOYAL <nitinkumgoyal@xxxxxxxxx>
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Issue with RTT values in Wireshark
Message-ID:
       <CADig5u_bH7BA6vupd7qvo2z0=-e8926c886tVBKSco8mCUrwEQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi All

Can anybody help me out in the below query related to RTT calculation??

Thanks
Nitin

On Wed, Apr 4, 2012 at 1:16 PM, NITIN GOYAL <nitinkumgoyal@xxxxxxxxx> wrote:

> Hi All
>
> I have an issue with Wireshark for calculating the RTT values. For a few
> pcaps, I have a higher value of RTT on one side or direction but a lower
> value of RTT on the other side.
> I have taken the trace in the middle of the connections and in one
> direction the RTT calculated by Wireshark is around 40 ms, but in the other
> direction it's 1.5 ms.
>
> But I think ideally both sides should have the same values as it's the
> round trip time (like a loop).
>
> The trace is RTP over UDP over a VoIP tool.
>
> Now, when I use some other licensed tool based on libpcap, used by
> Wireshark as well, the values for both sides are almost the same with the
> same pcap file.
>
> So, I am not sure if Wireshark is calculating the wrong RTT values or the
> interpretation is different in other tools as to how to calculate the RTT
> values??
>
> Any idea about this??
>
> Regards
> Nitin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.wireshark.org/lists/wireshark-users/attachments/20120406/a52f925c/attachment.html>

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 71, Issue 5
**********************************************



--
Paula Dufour
410-857-9069 (h)
301-939-7918 (w)
443-340-9839 (c)
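An added example (not code from this thread or from the Wireshark project) that does the time-range extraction Marilo asked about directly on the pcap record headers in Python, so the bounds can carry the microsecond part that tshark prints. It assumes the -A/-B style times are UTC (editcap itself interprets them in local time), and the six-packet capture is constructed inline from the timestamps in the tshark listing, with dummy payloads. The whole-second case mirrors Paula's point: a bound without a fraction truncates to .000000, so a start and end of the same second select nothing.

```python
"""Time-range extraction over a raw pcap file.

Added example, not code from this thread or from the Wireshark project. It
reimplements the idea behind ``editcap -A <start> -B <end>`` directly on the
pcap record headers, so that the comparison can use the full microsecond
timestamp tshark prints rather than whole seconds. Assumptions: -A/-B times
are interpreted as UTC here (editcap uses local time); the sample capture is
constructed inline from the timestamps in the thread, with dummy payloads.
"""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # pcap variant with nanosecond timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def parse_time(text):
    """Parse 'YYYY-MM-DD HH:MM:SS[.ffffff]' into (epoch_seconds, microseconds).

    The fraction is optional; without it the value is truncated to the whole
    second, which is the granularity Paula's reply refers to."""
    if "." in text:
        base, frac = text.split(".", 1)
        usec = int(frac.ljust(6, "0")[:6])
    else:
        base, usec = text, 0
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    dt = dt.replace(tzinfo=timezone.utc)  # assumption: treat the string as UTC
    return int(dt.timestamp()), usec


def _layout(data):
    """Detect byte order and timestamp resolution from the pcap magic number."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return endian, magic == PCAP_MAGIC_NSEC
    raise ValueError("not a pcap file")


def iter_records(data):
    """Yield (seconds, microseconds, raw_record_bytes) for each packet record."""
    endian, nanos = _layout(data)
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        end = offset + RECORD_HEADER_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet record")
        usec = frac // 1000 if nanos else frac
        yield sec, usec, data[offset:end]  # record header + packet, unchanged
        offset = end


def filter_by_time(data, start, end):
    """Keep records with start <= timestamp <= end (the -A / -B pair)."""
    lo, hi = parse_time(start), parse_time(end)
    kept = [rec for sec, usec, rec in iter_records(data) if lo <= (sec, usec) <= hi]
    return data[:GLOBAL_HEADER_LEN] + b"".join(kept)


def count_packets(data):
    """Number of packet records in the pcap bytes."""
    return sum(1 for _ in iter_records(data))


def build_sample_pcap():
    """Constructed capture: six 60-byte dummy frames at the thread's timestamps."""
    stamps = [
        "2012-04-02 08:49:22.022227", "2012-04-02 08:49:22.022329",
        "2012-04-02 08:49:22.022481", "2012-04-02 08:49:22.023061",
        "2012-04-02 08:49:22.023103", "2012-04-02 08:49:22.023236",
    ]
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for i, stamp in enumerate(stamps):
        sec, usec = parse_time(stamp)
        frame = bytes([i]) * 60  # dummy frame, constructed
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    cap = build_sample_pcap()
    # Microsecond bounds: only the packets inside the sub-millisecond window survive.
    print(count_packets(filter_by_time(cap, "2012-04-02 08:49:22.022481",
                                       "2012-04-02 08:49:22.023103")))
    # Whole-second bounds: the end time truncates to .000000, so nothing matches.
    print(count_packets(filter_by_time(cap, "2012-04-02 08:49:22",
                                       "2012-04-02 08:49:22")))
```

With whole-second bounds the usable form is a start of one second and an end of the next, which keeps the entire second; the fractional form is what lets a single packet, or a range within one second, be picked out. Because the record bytes are copied unchanged, the output stays a valid pcap that tshark or editcap can read again.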