logstash date formatting tshark
Updated Tue, 28 Jun 2022 13:40:42 GMT

How do I force a date/time format for traffic captured with tshark using "-T fields"?


I'm capturing traffic with tshark into a CSV file using "-T fields", but whatever I try I can't get a nice ISO date or even change the timezone to UTC.

The command I'm using is

tshark.exe -i 2 -c 1 -T fields -e frame.time

This gives me

Capturing on 'Realtek PCIe FE Family Controller' 
May 20, 2016 13:46:03.565211000 Hora oficial do Brasil

I've tried adding

  • -o column.format:"Time,%Yut"
  • -t ad
  • -t ud

Not even "-t d" and "-t r" will change the format.

I'm running tshark on a Windows box with the OS installed in Portuguese (pt-BR), and even if I change the date language between English and Portuguese all I get is this strange mix of languages between the date and the timezone.

It seems that tshark under Windows ignores all the options to format dates.

I don't really need to have an ISO date, but I need one that can be parsed with the date{} filter in logstash. It could almost parse the one I'm getting, but it can't handle the "Hora oficial do Brasil" and I can't shake it off the frame.time text.

Update: I've found that on Ubuntu, too, the "-t" parameter has no effect. There, tshark prints the date/time part using the same format as on Windows, but it never prints a timezone name/offset/id. Even if it is a bug, the Unix behaviour would fix my problem...




Solution

At this moment, it is not possible to do what I wanted.

There is an enhancement request posted at the Wireshark Bug Database for this feature.

#10220 - add ISO 8601 date format option to tshark -T fields (FT_ABSOLUTE_TIME type fields)
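Since tshark itself will not reformat the field, the practical options are to post-process its output or to emit `frame.time_epoch` (seconds since the Unix epoch with nanosecond fraction) instead of `frame.time` and let Logstash's date filter parse it with the `UNIX` pattern. The script below, an added example that is not part of the question or the answer, shows the post-processing route: it rewrites the first column of tshark's tab-separated `-T fields` output to ISO 8601 in UTC, whether that column is a locale-flavoured `frame.time` string (the trailing zone name is discarded) or a `frame.time_epoch` value. The sample lines are constructed to match what the question shows, and the -03:00 offset used for "Hora oficial do Brasil" is an assumption that has to be set for the capturing host, because the zone name on the line is not something the script can resolve by itself.

```python
"""Normalise the timestamp column of `tshark -T fields` output for Logstash.

Added example, not code from the original question or answer. The offset
below is an assumption about the capturing host: tshark prints a locale
zone *name*, not an offset, so the caller has to supply it.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the Windows box in the question runs at UTC-3 (Brasilia time,
# no DST in May 2016). Adjust for your own host.
BRAZIL_OFFSET = timezone(timedelta(hours=-3))

# Constructed sample lines (tab separated, as -T fields emits them).
# Line 1: Windows frame.time with the pt-BR zone name appended.
# Line 2: Ubuntu frame.time, same format but no zone name.
# Line 3: frame.time_epoch for the same instant.
SAMPLE_LINES = [
    "May 20, 2016 13:46:03.565211000 Hora oficial do Brasil\t192.0.2.10",
    "May 20, 2016 13:46:03.565211000\t192.0.2.11",
    "1463762763.565211000\t192.0.2.12",
]

# "Mon DD, YYYY HH:MM:SS.nnnnnnnnn" followed by optional zone text.
FRAME_TIME_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}),\s+(?P<year>\d{4})\s+"
    r"(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<frac>\d{1,9})(?P<tail>\s.*|)$"
)
EPOCH_RE = re.compile(r"^\d+(\.\d{1,9})?$")


def parse_frame_time(text, local_tz):
    """Parse a frame.time string into an aware datetime, dropping the zone name.

    tshark prints nanoseconds; Python datetimes keep microseconds, so the
    fraction is truncated to six digits.
    """
    m = FRAME_TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a frame.time value: {text!r}")
    frac = (m["frac"] + "000000")[:6]
    naive = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['hms']}.{frac}",
        "%b %d %Y %H:%M:%S.%f",
    )
    return naive.replace(tzinfo=local_tz)


def parse_frame_time_epoch(text):
    """Parse a frame.time_epoch string ("1463762763.565211000") to an aware datetime."""
    if not EPOCH_RE.match(text.strip()):
        raise ValueError(f"not a frame.time_epoch value: {text!r}")
    secs, _, frac = text.strip().partition(".")
    dt = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6]))


def to_iso8601_utc(dt):
    """Render an aware datetime as ISO 8601 in UTC, e.g. 2016-05-20T16:46:03.565211Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def normalise_line(line, local_tz):
    """Rewrite the first tab-separated field of one tshark output line to ISO 8601 UTC."""
    fields = line.rstrip("\r\n").split("\t")
    first = fields[0]
    if EPOCH_RE.match(first.strip()):
        stamp = parse_frame_time_epoch(first)
    else:
        stamp = parse_frame_time(first, local_tz)
    fields[0] = to_iso8601_utc(stamp)
    return "\t".join(fields)


if __name__ == "__main__":
    # Pipe real output in: tshark -T fields -e frame.time -e ip.src | python3 this.py
    for raw in SAMPLE_LINES:
        print(normalise_line(raw, BRAZIL_OFFSET))
```

Once the first column is ISO 8601, the Logstash date filter matches it with the `ISO8601` pattern; if you would rather avoid the extra step entirely, capture with `-e frame.time_epoch` and use `match => ["ts", "UNIX"]`, which sidesteps both the locale name and the local-offset assumption, since the epoch value is already UTC.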






