Hi Martin,

Thank you for your detailed answer. It helped out.

Natalie.

On Thu, Jan 31, 2013 at 11:58 AM, Martin Mathieson <[email protected]> wrote:

> I don't know if overriding the time is a good idea - but I'm not sure what
> would go wrong.
>
> You can add any field as a column by right-clicking on the field and
> choosing 'Apply as Column'. I do this with the log files my company uses -
> we have a timestamp field in our file format that ends up being dissected
> (see hf_catapult_dct2000_timestamp in packet-catapult-dct2000.c).
>
> I find it tedious to try to analyse a file that is not in the correct
> order though, and it can interfere with sequence analysis that dissectors
> can do. If it is easy to find/parse the timestamp, I would consider
> writing a console wiretap program, based upon reordercap, that would:
> - read the frames in, but overwriting the timestamp with a value derived
>   from the timestamp parsed from your frames
> - sort the frames by this timestamp
> - write sorted frames to an output file
>
> Of course, I don't really know what you are doing, and whether seeing the
> original capture time is also useful....
>
> Martin
>
> On Thu, Jan 31, 2013 at 5:42 AM, Natalie Shapira <[email protected]> wrote:
>
>> Thanks.
>>
>> Eventually I override
>> pinfo->fd->rel_ts
>> pinfo->fd->del_dis_ts
>>
>> It looks good.
>>
>> If I would have problems again, I will create separate column.
>> BTW, can you think about dissector who did it (adding column)? so I could
>> use it as an example..
>> Natalie.
>>
>> On Wed, Jan 30, 2013 at 2:44 PM, Evan Huus <[email protected]> wrote:
>>
>>> You can add the new timestamp as a regular dissected field. Wireshark
>>> allows you to create columns out of arbitrary fields in dissected
>>> packets.
>>>
>>> Cheers,
>>> Evan
>>>
>>> On Wed, Jan 30, 2013 at 4:51 AM, Natalie Shapira <[email protected]> wrote:
>>> > Anyway, you gave me other idea. What about making new column of my_timestamp
>>> > and sort by that column... Do I have the ability to add a new column from a
>>> > dissector?
>>> >
>>> > On Wed, Jan 30, 2013 at 11:46 AM, Natalie Shapira <[email protected]> wrote:
>>> >>
>>> >> I have no choice. It's a workaround for a hardware bug.
>>> >>
>>> >> On Wed, Jan 30, 2013 at 11:05 AM, Anders Broman
>>> >> <[email protected]> wrote:
>>> >>>
>>> >>> Hi,
>>> >>> Those are the timestamps of packet arrival there should be no need to
>>> >>> change them from a dissector - sounds like a bad idea to me.
>>> >>> Regards
>>> >>> Anders
>>> >>>
>>> >>> ________________________________
>>> >>> From: [email protected]
>>> >>> [mailto:[email protected]] On Behalf Of Natalie Shapira
>>> >>> Sent: 30 January 2013 09:16
>>> >>> To: [email protected]
>>> >>> Subject: [Wireshark-dev] changing the time
>>> >>>
>>> >>> Hi everybody,
>>> >>>
>>> >>> It's my first question so, nice to meet you!
>>> >>>
>>> >>> I'm writing new dissector (plugin).
>>> >>> I want to change the time of the packet.
>>> >>> I tried to change pinfo->fd->rel_ts.secs and pinfo->fd->rel_ts.nsecs. It
>>> >>> looks like I did it BUT, after sorting, not all packets are in the exact
>>> >>> place.
>>> >>>
>>> >>> Do you have an example, idea or any recommendation?
>>> >>>
>>> >>> Thanks,
>>> >>> Natalie.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
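
The read, re-stamp, sort, write procedure suggested in the quoted reply, sketched as an added example that is not code from the thread or from Wireshark: it works directly on classic pcap bytes instead of the wiretap library. The position and encoding of the embedded timestamp (an 8-byte big-endian nanosecond counter at the start of each frame) are assumptions, as are all function names.

```python
import struct

# ASSUMPTION (not from the thread): every frame begins with an 8-byte
# big-endian nanosecond counter. Swap in the parser for your own format.
def embedded_ts(frame):
    return struct.unpack(">Q", frame[:8])[0] if len(frame) >= 8 else None

MAGICS = {  # first 4 file bytes -> (struct byte order, ns per fraction unit)
    b"\xd4\xc3\xb2\xa1": ("<", 1000), b"\xa1\xb2\xc3\xd4": (">", 1000),
    b"\x4d\x3c\xb2\xa1": ("<", 1), b"\xa1\xb2\x3c\x4d": (">", 1),
}

def resort_pcap(data, parse_ts=embedded_ts):
    """Rewrite classic-pcap bytes: stamp each record with its embedded
    timestamp, then sort records by it. Frames without a parsable timestamp
    keep their capture time."""
    if data[:4] not in MAGICS or len(data) < 24:
        raise ValueError("not a classic pcap file")
    order, ns_per_unit = MAGICS[data[:4]]
    rec = struct.Struct(order + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    records, off = [], 24                # 24-byte global header is copied as-is
    while off + rec.size <= len(data):
        sec, frac, incl, orig = rec.unpack_from(data, off)
        frame = data[off + rec.size: off + rec.size + incl]
        if len(frame) < incl:
            break                        # truncated last record: drop it
        off += rec.size + incl
        ts = parse_ts(frame)
        if ts is None:
            ts = sec * 10**9 + frac * ns_per_unit
        records.append((ts, len(records), orig, frame))
    records.sort(key=lambda r: r[:2])    # ties keep original capture order
    out = [data[:24]]
    for ts, _, orig, frame in records:
        sec, ns = divmod(ts, 10**9)
        out.append(rec.pack(sec, ns // ns_per_unit, len(frame), orig) + frame)
    return b"".join(out)

def constructed_capture():
    """Constructed sample: 3 frames captured at 10 s, 11 s, 12 s whose
    embedded times are 3 s, 1 s, 2 s (link type 147 = USER0)."""
    cap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    for cap_sec, emb_sec in ((10, 3), (11, 1), (12, 2)):
        frame = struct.pack(">Q", emb_sec * 10**9) + b"payload"
        cap += struct.pack("<IIII", cap_sec, 0, len(frame), len(frame)) + frame
    return cap
```

The output discards the original capture time for every re-stamped frame, so keep the input file if arrival order matters for later analysis.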
