
Monday, October 15, 2012

Sanitize tshark date

A script that turns the raw epoch timestamps tshark emits (`frame.time_epoch`) into a readable date; the output layout is controlled by a single strftime format string, so it is easy to adapt. Note that the date is rendered in the local time zone of the machine running the script, not in UTC — keep that in mind when correlating this output with logs from other hosts.
Usage:


tshark -tad -r example.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst | ./epochtodate.py


2009-12-16 12:25:37 570704 10.0.2.15 224.0.0.251
2009-12-16 12:25:38 802853 10.0.2.15 194.179.1.100
2009-12-16 12:25:43 808373 10.0.2.15 62.14.2.1
2009-12-16 12:25:43 976156 62.14.2.1 10.0.2.15
2009-12-16 12:25:43 979653 10.0.2.15 194.179.1.100
2009-12-16 12:25:48 983549 10.0.2.15 62.14.2.1
2009-12-16 12:25:49 148470 62.14.2.1 10.0.2.15
2009-12-16 12:25:49 148789 10.0.2.15 194.179.1.100
2009-12-16 12:25:49 228531 194.179.1.100 10.0.2.15



#!/usr/bin/python
'''
Convert tshark frame.time_epoch to readable date
'''
import datetime
import fileinput
import re

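# tshark's frame.time_epoch looks like 1260962737.570704000: ten integer
# seconds digits, a dot and nine fractional (nanosecond) digits.  Compiled
# once at import time instead of on every input line.
_EPOCH_RE = re.compile(r"([0-9]{10}\.[0-9]{9})")

# Output layout: date, time, then the microsecond part as its own column.
# Change this string to customise the rendered date.
_DATE_FMT = '%Y-%m-%d %H:%M:%S %f'


def epochtodate(line, utc=False):
    """Print *line* with every tshark epoch timestamp rendered as a date.

    Each ``frame.time_epoch`` value found in the line (for example
    ``1260962737.570704000``) is replaced by a date such as
    ``2009-12-16 12:25:37 570704``; everything else on the line (the other
    ``-e`` fields) is passed through untouched.  A line with no epoch value
    is printed as-is, minus its trailing newline.

    Args:
        line: one line of ``tshark -T fields`` output; a trailing newline
            is allowed and is stripped.
        utc: render the date in UTC instead of the local time zone.  The
            default keeps the original behaviour (local time); when building
            a timeline from captures taken on several hosts, pass
            ``utc=True`` so every timestamp is in the same zone.

    Returns:
        The converted line without its trailing newline.  The line is also
        printed to stdout, so existing callers that ignore the return value
        keep working.
    """
    def _render(match):
        # float() keeps only ~16 significant digits, so the nanosecond
        # digits are lost; %f shows microseconds and the last digit may be
        # off by one from float rounding.  Good enough for reading a trace.
        ts = float(match.group(1))
        if utc:
            when = datetime.datetime.utcfromtimestamp(ts)
        else:
            when = datetime.datetime.fromtimestamp(ts)
        return when.strftime(_DATE_FMT)

    # A callback converts each match on its own.  The previous version
    # converted the first match and pasted that one date over every match
    # in the line.
    converted = _EPOCH_RE.sub(_render, line)
    # Strip the input's line ending in every case so unmatched lines do not
    # print a spurious blank line (print adds its own newline).
    converted = converted.rstrip("\r\n")
    print(converted)
    return converted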

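if __name__ == "__main__":
    # Guarded so importing the module (e.g. to reuse epochtodate) does not
    # start consuming stdin.  fileinput reads the files named on the command
    # line, or stdin when none are given, so both
    # `tshark ... | ./epochtodate.py` and `./epochtodate.py fields.txt` work.
    for raw_line in fileinput.input():
        epochtodate(raw_line)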
