Question

Is there any easy way to create a pcap file for the packets related to a specific datetime range maybe using tshark, tcpdump or another commandline tool?

tshark -R with frame.time seems promising, but I haven't been able to work that out yet...

EDIT

The final command:

editcap -F libpcap -A "2013-07-20 23:00:00" -B "2013-07-20 23:20:00" input.pcap output.pcap

Solution

What you need is editcap. It's a command-line tool that is part of the Wireshark family.

Check out the man page at http://www.wireshark.org/docs/man-pages/editcap.html.

It takes a pcap file as input, and writes an output one. You may operate on the infile to filter content, for example, with start-time and end-time, packet number ranges, snap packet length, adjusting timestamps (!), etc. It's a great tool.
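
The time-range slice the question settled on (editcap -A / -B) is simple enough to reproduce by hand, which makes it clear what editcap is actually doing with the timestamps. The following is an added example and is not code from the original post or from the Wireshark project: it writes a small libpcap file from constructed packets, keeps only the records whose timestamp falls in a window, and builds the equivalent editcap command line. The constants, the sample frames, the half-open interval (start inclusive, stop exclusive) and the note that editcap reads an offset-less "YYYY-MM-DD HH:MM:SS" as local time are this example's assumptions; confirm the interval semantics and time format against the man page for your editcap version.

```python
# Added example (not from the original post): slice a classic libpcap file by
# absolute time range in pure Python, mirroring what
# `editcap -A <start> -B <stop>` does, and build the equivalent editcap argv.
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps
# magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
PKT_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1


def write_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize (unix_timestamp, payload) pairs into libpcap bytes."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype))
    for ts, payload in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += PKT_HDR.pack(sec, usec, len(payload), len(payload))
        out += payload
    return bytes(out)


def read_pcap(data):
    """Parse libpcap bytes into (linktype, [(unix_timestamp, payload), ...]).

    Only the little-endian microsecond variant is handled here; editcap also
    reads big-endian, nanosecond and pcapng inputs (hence -F libpcap in the
    question's command, which forces the output format).
    """
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than the 24-byte global header")
    magic, *_, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond libpcap file: magic 0x%08x" % magic)
    packets = []
    offset = GLOBAL_HDR.size
    while offset + PKT_HDR.size <= len(data):
        sec, usec, incl_len, _orig_len = PKT_HDR.unpack_from(data, offset)
        offset += PKT_HDR.size
        payload = data[offset:offset + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += incl_len
        packets.append((sec + usec / 1_000_000, payload))
    return linktype, packets


def slice_by_time(data, start, stop):
    """Keep packets with start <= timestamp < stop (tz-aware datetimes).

    The half-open interval is this example's choice; check the editcap man
    page for the exact inclusivity of -A and -B in your version.
    """
    linktype, packets = read_pcap(data)
    lo, hi = start.timestamp(), stop.timestamp()
    kept = [(ts, p) for ts, p in packets if lo <= ts < hi]
    return write_pcap(kept, linktype), len(kept)


def editcap_command(infile, outfile, start, stop):
    """argv for the equivalent editcap call (the form used in the question).

    Assumption: editcap reads a "YYYY-MM-DD HH:MM:SS" time without an offset
    as local time, so render start/stop in the zone the capture host used.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    return ["editcap", "-F", "libpcap",
            "-A", start.strftime(fmt), "-B", stop.strftime(fmt),
            infile, outfile]


# Constructed sample capture: four dummy frames around the 23:00-23:20 window
# from the question, timestamped in UTC so the example is deterministic.
START = datetime(2013, 7, 20, 23, 0, 0, tzinfo=timezone.utc)
STOP = datetime(2013, 7, 20, 23, 20, 0, tzinfo=timezone.utc)
SAMPLE_PACKETS = [
    ((START - timedelta(seconds=1)).timestamp(), b"\x00" * 14 + b"before"),
    (START.timestamp(), b"\x00" * 14 + b"at-start"),
    ((START + timedelta(minutes=10)).timestamp(), b"\x00" * 14 + b"inside"),
    (STOP.timestamp(), b"\x00" * 14 + b"at-stop"),
]
SAMPLE_PCAP = write_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    sliced, kept = slice_by_time(SAMPLE_PCAP, START, STOP)
    print("kept %d of %d packets" % (kept, len(SAMPLE_PACKETS)))
    for ts, payload in read_pcap(sliced)[1]:
        print(datetime.fromtimestamp(ts, timezone.utc).isoformat(), payload[14:])
    print(" ".join(editcap_command("input.pcap", "output.pcap", START, STOP)))
```

The pitfall this makes visible is the time zone: the packet records carry raw Unix timestamps, while the -A/-B arguments are wall-clock strings, so a window typed in the wrong zone silently selects the wrong packets. In practice you would still use editcap itself rather than this parser, since it also copes with pcapng, big-endian and nanosecond-resolution inputs that the example deliberately rejects.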

Licensed under: CC-BY-SA with attribution