Discussion:
Specifying a date range in editcap
Andrew Chalk
2007-12-07 12:55:41 UTC
I want to include only a time range of records in a new file created with
editcap. If I use the following command line:

editcap -r -A 2007:12:06 15:00:00 -B 2007-12-06 16:00:00 Infile.cap Outfile.cap

I get the error message:

editcap: "2007:12:06" isn't a valid time format

Could someone tell me the correct time format? The one I am using conforms
to the '-h' specification.

This is Editcap 0.99.6a (SVN Rev 22276).

Many thanks!
Jeroen Eeuwes
2007-12-07 15:51:44 UTC
Hi Andrew,
Post by Andrew Chalk
editcap -r -A 2007:12:06 15:00:00 -B 2007-12-06 16:00:00 Infile.cap Outfile.cap
You should use - instead of : as separator for the date (just like you
did with the -B parameter).

Best regards,
Jeroen
Andrew Chalk
2007-12-07 16:01:47 UTC
Correction:

The syntax I used was:

editcap -r -A 2007-12-06 15:00:00 -B 2007-12-06 16:00:00 Infile.cap Outfile.cap

I.e. the same as the program help. I cannot understand why I get the error

editcap: "2007-12-06" isn't a valid time format

This is Editcap 0.99.6a (SVN Rev 22276).

Thanks.
Jeroen Eeuwes
2007-12-07 16:18:10 UTC
Hi Andrew,
Post by Andrew Chalk
editcap: "2007-12-06" isn't a valid time format
The parameter for the -A file is split up due to the space between the
date and time. You should try putting quotes around the date-time.
E.g.:

editcap -r -A "2007-12-06 15:00:00" -B "2007-12-06 16:00:00" Infile.cap Outfile.cap

or remove the space:

editcap -r -A 2007-12-0615:00:00 -B 2007-12-0616:00:00 Infile.cap Outfile.cap

Best regards,
Jeroen
Andrew Chalk
2007-12-24 23:37:00 UTC
No luck. Same result.
Post by Jeroen Eeuwes
Hi Andrew,
Post by Andrew Chalk
editcap: "2007-12-06" isn't a valid time format
The parameter for the -A file is split up due to the space between the
date and time. You should try putting quotes around the date-time.
editcap -r -A "2007-12-06 15:00:00" -B "2007-12-06 16:00:00"
Infile.cap Outfile.cap
editcap -r -A 2007-12-0615:00:00 -B 2007-12-0616:00:00 Infile.cap Outfile.cap
Best regards,
Jeroen
_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
David DuPre
2007-12-26 18:47:59 UTC
For my Windows XP installation:

It appears that the valid time format needs to be specified as I have above with the "MMM D, YYYY HH:MM:SS.000000"
format. At least it works for me.

Given the following filter requirements:

frame.time ge "Dec 3, 2007 11:55:21.151151" && frame.time le "Dec 3, 2007 11:58:48.690761"

The filter above works fine if you paste it into the Wireshark GUI.

It does not appear possible to make this work from the command line because of the requirements of the FILTER to have
the date range QUOTED && the Command line requires that you Quote the entire filter string.

Here are the requirements for calling TSHARK.EXE with a FILTER parameter:

tshark [other options] [ -R ``filter expression'' ]

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter
expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be
specified with command-line arguments after the option arguments, in which case all the arguments after the filter
arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters
are supported when doing a live capture and when reading a capture file, but require TShark to do more work when
filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is
specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done
(i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was
specified).

It would be nice if the "Single Quote" was accepted by the filter command sent inside a set of Double Quotes.

David


David DuPre'
HyPerformix Inc.
Executive Performance Engineering Consultant
-----Original Message-----
Sent: Monday, December 24, 2007 6:37 PM
Subject: Re: [Wireshark-users] Specifying a date range in editcap
No luck. Same result.
Post by Jeroen Eeuwes
Hi Andrew,
Post by Andrew Chalk
editcap: "2007-12-06" isn't a valid time format
The parameter for the -A file is split up due to the space between the
date and time. You should try putting quotes around the date-time.
editcap -r -A "2007-12-06 15:00:00" -B "2007-12-06 16:00:00"
Infile.cap Outfile.cap
editcap -r -A 2007-12-0615:00:00 -B 2007-12-0616:00:00 Infile.cap Outfile.cap
Best regards,
Jeroen
Sake Blok
2007-12-27 22:26:35 UTC
Post by David DuPre
frame.time ge "Dec 3, 2007 11:55:21.151151" && frame.time le "Dec 3, 2007 11:58:48.690761"
The filter above works fine if you paste it into the Wireshark GUI.
[...]
Post by David DuPre
It would be nice if the "Single Quote" was accepted by the filter
command sent inside a set of Double Quotes.
It works the other way around, you can use single quotes *around* a
filter expression that uses double quotes:

./tshark -r ~/traces/ssl-netcc.cap 'frame.time ge "Dec 21, 2007 20:39:47.750789000" && frame.time le "Dec 21, 2007 20:39:48.750789000"'

Hope this helps,
Cheers,
Sake
Guy Harris
2007-12-27 23:53:54 UTC
Post by Sake Blok
It works the other way around, you can use single quotes *around* a
./tshark -r ~/traces/ssl-netcc.cap 'frame.time ge "Dec 21, 2007 20:39:47.750789000" && frame.time le "Dec 21, 2007 20:39:48.750789000"'
...at least with a UNIX-style shell. I'm not sure you can use single
quotes in cmd.exe to quote arguments.
Jeroen Eeuwes
2007-12-28 10:05:34 UTC
Hi Guy,
Post by Guy Harris
...at least with a UNIX-style shell. I'm not sure you can use single
quotes in cmd.exe to quote arguments.
Single quotes don't work. You can escape the quotes inside the quotes
with a backslash. At least that works for tshark.exe, I'm not sure if
it will work for every program.

E.g.:

C:\Program Files\Wireshark>tshark -r c:\in.pcap -w c:\out.pcap -R "frame.time ge \"Nov 05, 2007 17:00:00\" && frame.time le \"Nov 05, 2007 18:00:00\""

Best regards,
Jeroen

Jeroen Eeuwes
2007-12-28 10:00:43 UTC
Hi Andrew,
Post by Andrew Chalk
No luck. Same result.
From another message I gathered you use Microsoft Windows; I tried
under Linux (but not careful enough).

Anyway, the syntax with quotes works both under Linux and under
Microsoft Windows. At least with my "Editcap 0.99.7 (SVN Rev 23910)"
and XP Pro SP2.

However you should not use the -r parameter as this one does not work
with -A and -B. You'll get empty files back. So if you want to exclude
a time range you have to create two files and then merge them back
together.

E.g. this works on both my home computer (Linux) and work computer
(Microsoft Windows):

editcap -A "2007-11-05 17:00:00" -B "2007-11-05 18:00:00" in.pcap out.pcap

Best regards,
Jeroen
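As an added example, not from any poster in this thread, the following POSIX shell script makes the root cause of Andrew's error visible: without quotes the shell hands editcap the date and the time as two separate arguments, so editcap only ever sees "2007-12-06". It also shows the single-quote wrapping Sake used for a tshark read filter, and adds a small shape check on the timestamp before editcap is called. The file names in.pcap/out.pcap and the timestamps are constructed, editcap_range is a hypothetical wrapper (it omits -r, following Jeroen's report that -r with -A/-B yields empty files), and the cmd.exe backslash escaping from Jeroen's post is not reproduced because this runs in a UNIX-style shell.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates how a POSIX shell splits
# the -A/-B values that editcap receives, and validates them before use.

# Print the number of arguments a command would receive.
count_args() {
    echo "$#"
}

# Print each argument on its own line so the split is visible to the reader.
show_args() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# Unquoted form from the thread: "2007-12-06" and "15:00:00" arrive as two
# arguments, so editcap parses "-A 2007-12-06" and rejects it.
unquoted_count() {
    count_args -A 2007-12-06 15:00:00 -B 2007-12-06 16:00:00 in.pcap out.pcap
}

# Quoted form: each timestamp stays a single argument.
quoted_count() {
    count_args -A "2007-12-06 15:00:00" -B "2007-12-06 16:00:00" in.pcap out.pcap
}

# Shape check only (constructed regex for YYYY-MM-DD HH:MM:SS); it does not
# ask editcap itself, so it catches the ':'-separated date from the first post
# but not semantic errors such as month 13.
valid_editcap_time() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$'
}

# Hypothetical wrapper: refuse to run editcap with a malformed range.
# No -r here, since -r combined with -A/-B produced empty files in the thread.
editcap_range() {
    start=$1; end=$2; infile=$3; outfile=$4
    valid_editcap_time "$start" || { echo "bad start time: $start" >&2; return 1; }
    valid_editcap_time "$end"   || { echo "bad end time: $end" >&2; return 1; }
    editcap -A "$start" -B "$end" "$infile" "$outfile"
}

# tshark read filter: single quotes around the whole expression preserve the
# inner double quotes that frame.time comparisons need (UNIX-style shell only).
tshark_filter_arg_count() {
    count_args -r in.pcap -R 'frame.time ge "Dec 3, 2007 11:55:21" && frame.time le "Dec 3, 2007 11:58:48"'
}
```

Running show_args with the unquoted and quoted forms prints the arguments one per line, which is the quickest way to confirm what a tool actually receives before blaming its time parser.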