Wireshark-users: Re: [Wireshark-users] how do I extract these packets with editcap

Date: Sat, 7 Apr 2012 10:33:14 +0100 (BST)
Well, then, I'll forget specifying by time, and this would do what I want.


C:\sdf>capinfos -c thefile
File name:           thefile
Number of packets:   52

C:\sdf>tshark -r thefile -R "frame.number==1"
  0.000000 2135 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2135

C:\sdf>tshark -r thefile -R "frame.number==52"
  5.080146 1085 192.168.1.65 -> 192.168.1.66 TCP 62 2138 1085

C:\sdf>tshark -r thefile -R "frame.number==0"

C:\sdf>tshark -r thefile -R "frame.number==53"
  5.080902 2138 192.168.1.66 -> 192.168.1.65 TCP 240 1085 2138

C:\sdf>


--- On Fri, 6/4/12, Paula Dufour wrote:

From: Paula Dufour 
Subject: Re: [Wireshark-users] how do I extract these packets with editcap
To: wireshark-users   wireshark.org
Date: Friday, 6 April, 2012, 23:57

I believe you are trying to be too precise.  I think the time format only goes to the second.
 
Paula Dufour