I want to see the absolute timestamp of the packets in a pcap file using tcpdump. When I use the command tcpdump -r mypcapfile it only shows the time,
03:21:14.804778 IP static.vnpt.vn.51193 > 192.168.0.146.smtp
How can I read the date as well?
tcpdump can also save captured packets to a file (-w) for later analysis. The file is written in pcap format, which tcpdump itself reads back with -r, as does Wireshark, the open-source GUI network protocol analyzer.
pcap records carry their timestamps as seconds since January 1, 1970, 00:00:00 UTC (Unix or epoch time) plus a fractional part in microseconds (nanoseconds in nanosecond-precision captures). tcpdump converts this to the local time zone when it prints, so the displayed hour depends on the TZ of the machine reading the file, not of the one that captured it.
The -r file option reads packets from an existing capture file instead of a live interface and prints them.
You can use the -tttt option:
$ tcpdump -tttt -nr tmp.pcap
reading from file tmp.pcap, link-type EN10MB (Ethernet)
2018-01-19 17:50:43.275918 IP 172.24.0.97.45386 > 93.153.221.29.80: Flags [.], ack 3335572340, win 251, options [nop,nop,TS val 98777655 ecr 230462279], length 0
2018-01-19 17:50:43.287273 IP 93.153.221.29.80 > 172.24.0.97.45386: Flags [.], ack 1, win 285, options [nop,nop,TS val 230464839 ecr 98706059], length 0
2018-01-19 17:50:44.138480 ARP, Request who-has 172.24.0.73 tell 172.24.0.78, length 46
2018-01-19 17:50:45.162482 ARP, Request who-has 172.24.0.73 tell 172.24.0.78, length 46
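To see where the date in the -tttt output comes from, here is an added example (not part of the question or the answer above) that parses the classic libpcap file format directly and formats each record's timestamp as an absolute date and time. It handles both byte orders and both microsecond and nanosecond timestamp magics, refuses malformed record headers instead of skipping them (a bad length shifts every later offset, so silent recovery would produce wrong timestamps for the rest of the file), and prints in UTC rather than the reader's local zone. The sample capture is constructed inside the script; its wall-clock values reuse the ones in the output above but are interpreted as UTC, which is an assumption for the demo, not a claim about the answerer's time zone.

```python
"""Print the absolute date and time of every packet in a libpcap file,
the way `tcpdump -tttt -r file.pcap` does, by parsing the file directly."""
import struct
from datetime import datetime, timezone

# libpcap file magic, as written in the writer's host byte order.
MAGIC_USEC = 0xA1B2C3D4   # per-record timestamp is seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D   # per-record timestamp is seconds + nanoseconds
GLOBAL_HDR_LEN = 24       # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16       # ts_sec, ts_frac, incl_len, orig_len


def read_pcap_records(data):
    """Yield (ts_sec, ts_frac, frac_digits, packet_bytes) for each record.

    frac_digits is 6 for microsecond files and 9 for nanosecond files.
    Both byte orders are handled; malformed headers raise ValueError rather
    than being skipped, because a bad length corrupts every later offset.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("unknown magic %s" % data[:4].hex())
    frac_digits = 6 if magic == MAGIC_USEC else 9
    frac_limit = 10 ** frac_digits
    snaplen = struct.unpack(endian + "I", data[16:20])[0]

    offset = GLOBAL_HDR_LEN
    while offset < len(data):
        hdr = data[offset:offset + RECORD_HDR_LEN]
        if len(hdr) < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
        # Fraction must fit its unit; captured bytes cannot exceed the original
        # length or the snaplen. Anything else is corrupt (or hostile) input.
        if ts_frac >= frac_limit or incl_len > orig_len or incl_len > snaplen:
            raise ValueError("corrupt record header at offset %d" % offset)
        start = offset + RECORD_HDR_LEN
        packet = data[start:start + incl_len]
        if len(packet) < incl_len:
            raise ValueError("truncated packet data at offset %d" % offset)
        yield ts_sec, ts_frac, frac_digits, packet
        offset = start + incl_len


def format_tttt(ts_sec, ts_frac, frac_digits):
    """Render a record timestamp like tcpdump -tttt, but in UTC.

    pcap stores UTC epoch seconds; tcpdump converts to the local zone for
    display, so its output depends on the reader's TZ. UTC is used here so
    two analysts looking at the same file see the same string.
    """
    whole = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
    return "%s.%s" % (whole.strftime("%Y-%m-%d %H:%M:%S"), str(ts_frac).zfill(frac_digits))


def timestamps_of(data):
    """List of formatted timestamps for a pcap blob, in file order."""
    return [format_tttt(s, f, d) for s, f, d, _ in read_pcap_records(data)]


def build_pcap(records, endian="<", nanos=False, snaplen=262144, linktype=1):
    """Constructed test data: assemble a minimal pcap from (ts_sec, ts_frac, payload) tuples."""
    magic = MAGIC_NSEC if nanos else MAGIC_USEC
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload))
        out += payload
    return out


# Constructed sample captures (assumption: same wall-clock values as the
# tcpdump output above, taken as UTC). 1516384243 == 2018-01-19 17:50:43 UTC.
SAMPLE_LE_USEC = build_pcap([
    (1516384243, 275918, b"\x00" * 66),
    (1516384243, 287273, b"\x00" * 66),
])
SAMPLE_BE_NSEC = build_pcap([(1516384244, 138480123, b"\x00" * 60)], endian=">", nanos=True)

if __name__ == "__main__":
    for line in timestamps_of(SAMPLE_LE_USEC) + timestamps_of(SAMPLE_BE_NSEC):
        print(line)
```

Run it with `python3 pcap_tttt.py` to print the constructed samples, or replace SAMPLE_LE_USEC with the bytes of a real file (`open("tmp.pcap", "rb").read()`) and compare against `TZ=UTC tcpdump -tttt -nr tmp.pcap`, which forces tcpdump to the same zone. pcapng files start with a different block header and are deliberately rejected here.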