How do I format tshark time to ISO format (yyyy-dd-mm)?

Question

I'm trying to print out various fields from a PCAP containing HTTP traffic. One of the columns should be the timestamp in the ISO 8601 format (YYYY-MM-DD hhmmss).

Also, if anyone has a full list of fields that work under -e, that would be awesome (eg, ip.src, frame.time, etc).

Just as an example, I'm starting from a couple angles:

tshark -r out.pcap -R "tcp.port==80" -o column.format:"Packet,%m,Time,%t,Info%i" 

tshark -r out.pcap -R "tcp.port==80" -T fields -e frame.time

Answer 1

Did you try the following:

tshark -r out.pcap -R "tcp.port==80" -o column.format:"Packet,%m,Time,%Yt,Info%i"

The key there is to use %Yt instead of %t, which uses YYYY-MM-DD hhmmss. format. If you want UTC, then use %Yut. Other formats are available as well.

Note that:

Prior to Wireshark commit r52627, the column formats were only documented in the source code itself (i.e., in epan/column.c); however, after that revision, you can run tshark -G column-formats to view them.

(That revision is only currently available in the development version of Wireshark though. Regardless, you can still use the source code itself as a reference. If you'd like to download the development release, visit the Wireshark download page.)

To answer your second inquiry, namely "if anyone has a full list of fields that work under -e, that would be awesome", you can refer to the Wireshark display filter reference page. Basically, any named field can be used.