Re: how do I extract these packets with editcap

[Paula Dufour <psdufour () gmail com>]

I believe you are trying to be too precise.  I think the time format only
goes to the second.

Paula Dufour


On Fri, Apr 6, 2012 at 3:00 PM, <wireshark-users-request () wireshark org>wrote:

> Send Wireshark-users mailing list submissions to
>        wireshark-users () wireshark org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
>        wireshark-users-request () wireshark org
>
> You can reach the person managing the list at
>        wireshark-users-owner () wireshark org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
>   1. how do I extract these packets with editcap? (Marilo)
>   2. Re: Issue with RTT values in Wireshark (NITIN GOYAL)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 5 Apr 2012 23:21:26 +0100 (BST)
> From: Marilo <narium85-mlscar () yahoo co uk>
> To: wireshark-users () wireshark org
> Subject: [Wireshark-users] how do I extract these packets with
>        editcap?
> Message-ID:
>        <1333664486.12822.YahooMailClassic () web28610 mail ukl yahoo com>
> Content-Type: text/plain; charset=utf-8
>
> Here is a sample from my file
>
> I want to extract a specific packet or range of packets, based on time.
>
>
>
> C:\sdf>tshark -t ad -r ga.pcap | head -n 6
> 2161 2012-04-02 08:49:22.022227 192.168.1.66 -> 192.168.1.65 TCP
> 1085 2012-04-02 08:49:22.022329 192.168.1.65 -> 192.168.1.66 TCP
> 2161 2012-04-02 08:49:22.022481 192.168.1.66 -> 192.168.1.65 TCP
> 2162 2012-04-02 08:49:22.023061 192.168.1.66 -> 192.168.1.65 TCP
> 1085 2012-04-02 08:49:22.023103 192.168.1.65 -> 192.168.1.66 TCP
> 2162 2012-04-02 08:49:22.023236 192.168.1.66 -> 192.168.1.65 TCP
>
> C:\sdf>tshark -r ga.pcap | head -n 6
> 2161   0.000000 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2161
> 1085   0.000102 192.168.1.65 -> 192.168.1.66 TCP 66 2161 1085
> 2161   0.000254 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2161
> 2162   0.000834 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2162
> 1085   0.000876 192.168.1.65 -> 192.168.1.66 TCP 66 2162 1085
> 2162   0.001009 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2162
>
> I'd like to use the -r format since it's more abbreviated, but anyhow,
> trying with the longer format
> I tried this line
> C:\sdf>editcap -r -A "2012-04-02 08:49:22.022227"  ga.pcap gaa.pcap
>
> and I found that it created a new file gaa.pcap but exactly the same size
> as ga.pcap  as if I hadn't done the -A switch.
>
> If I can get -A and -B to work then I suppose I could extract ranges of
> packets, or specific ones, but I can't get -A to work there when I tried it.
>
> I'd also like to know if there is any other unique identifier with the
> packet maybe an absolute sequence number, and how to extract it based on
> that..
>
> Though I can't even get the time one to work at the moment.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 6 Apr 2012 10:39:52 +0530
> From: NITIN GOYAL <nitinkumgoyal () gmail com>
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] Issue with RTT values in Wireshark
> Message-ID:
>        <CADig5u_bH7BA6vupd7qvo2z0=-e8926c886tVBKSco8mCUrwEQ () mail gmail com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi All
>
> Can anybody help me out in the below query related to RTT calculation??
>
> Thanks
> Nitin
>
> On Wed, Apr 4, 2012 at 1:16 PM, NITIN GOYAL <nitinkumgoyal () gmail com>
> wrote:
>
> > Hi All
> >
> > I have an issue with the Wireshark for calcuating the RTT values. For few
> > pcaps, I have a higher value of RTT on one side or direction but the
> lower
> > value of RTT on other side.
> > I have taken the trace in the middle of the connections and in one
> > direction the RTT calculated by Wireshark is around 40 ms but on what
> other
> > direction its 1.5 ms.
> >
> > But i think ideally both the sides should have the same values as its
> > round trip time(like a loop).
> >
> > The trace is RTP over UDP over a VoIP tool.
> >
> > Now, when i use some other licensed tool based on libpacp used by
> > Wireshark as well, the values for both the sides is almost same with the
> > same pcap file.
> >
> > So, i am not sure if Wireshark is calculating the wrong RTT values or the
> > interpreation is differnet by other tools as how to calcuate the RTT
> > vlaues??
> >
> > Any idea about this??
> >
> > Regards
> > Nitin
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.wireshark.org/lists/wireshark-users/attachments/20120406/a52f925c/attachment.html
> >
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users () wireshark org
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 71, Issue 5
> **********************************************



-- 
Paula Dufour
410-857-9069 (h)
301-939-7918 (w)
443-340-9839 (c)
psdufour () gmail com

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe