0

How to split wireshark files based on time interval. Editcap does not allow to split files in milliseconds? Can give only seconds using editcap -i.

Milo
  • 3,365
  • 9
  • 30
  • 44
sally
  • 11
  • 3

1 Answers1

2

This will be supported in Wireshark 3.2.0, which is due to be released this fall. If you need the functionality sooner you can try one of the 3.1 automated builds.

Gerald Combs
  • 1,374
  • 10
  • 12
  • thanks. 'Time delta from previous displayed frame' value of each split file's first row/packet is zero. Even though the time delta of those packets in the original file is not zero. How to get the actual inter-arrival time of packets please? – sally Jul 19 '19 at 09:51
  • Pcap and pcapng files only store the arrival time for each packet. The frame.time_delta and frame.time_delta_displayed fields are calculated based on the first packet in a file, i.e. those values aren't saved in the capture file. (Calculated values are denoted by wrapping them in square brackets, e.g. "[Time delta from previous displayed frame: 0.025961000 seconds]"). You could probably work around the issue by extracting the first packet from the first file using editcap and prepending it to the rest of the files using mergecap. – Gerald Combs Jul 19 '19 at 17:01