Customize Timestamp Display in Tshark

Introduction

In this lab, you will learn to customize timestamp displays in Wireshark's tshark utility for enhanced network analysis. You'll explore key techniques like reading PCAP files with -r and formatting timestamps in UTC (-t u) or epoch time (-t e).

The practical exercises will guide you through applying different timestamp formats to meet various analysis needs. You'll practice commands such as tshark -r capture.pcap -t u to standardize time displays across time zones or obtain precise epoch timings.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/packet_analysis -.-> lab-548919{{"Customize Timestamp Display in Tshark"}} wireshark/commandline_usage -.-> lab-548919{{"Customize Timestamp Display in Tshark"}} end

Read File with -r capture.pcap

In this step, you will learn how to read a packet capture file using Wireshark's command-line tool tshark with the -r option. PCAP files contain raw network traffic data captured from a network interface, and tshark helps us analyze this data without using the graphical Wireshark interface.

First, let's navigate to the correct directory where our capture file is stored. This ensures we can access the file without specifying full paths:

cd ~/project

The -r option (short for "read") tells tshark to read packets from a specified capture file rather than live network traffic. In our case, we'll analyze a pre-prepared sample file named capture.pcap that contains typical network communication data.

To display the basic packet information from our capture file, execute:

tshark -r capture.pcap

This command will show you a sequential list of all packets in the file, with each line representing one network packet. The output includes several important fields:

Packet numbers (showing the order of capture)
Timestamps (recording when each packet was captured)
Source and destination IP addresses
Protocol types (like TCP, UDP, or ICMP)
Packet sizes in bytes
Brief descriptions of the packet contents

Here's an example of what the output might look like for a TCP connection establishment:

1 0.000000 192.168.1.1 → 192.168.1.2 TCP 66 443 → 34512 [SYN] Seq=0 Win=64240 Len=0
2 0.000123 192.168.1.2 → 192.168.1.1 TCP 66 34512 → 443 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0

In this example, we see two packets: the first is a TCP SYN packet initiating a connection from 192.168.1.1 to 192.168.1.2 on port 443, and the second is the responding SYN-ACK packet. The -r option is essential for examining previously captured network traffic and forms the foundation for more advanced packet analysis techniques.

Set UTC Format with -t u

In this step, we'll explore how to display packet timestamps in UTC (Coordinated Universal Time) format using Wireshark's command-line tool tshark. The -t u option is particularly valuable when working with network traffic that spans multiple time zones, as it provides a standardized time reference.

Before we begin, let's make sure we're in the right working directory where our packet capture file is located:

cd ~/project

The -t u parameter tells tshark to convert all timestamps to UTC format. This is different from your local system time. We'll combine this with the -r option (which you learned in previous steps) to read our sample capture file:

tshark -r capture.pcap -t u

After running this command, you'll see output similar to this, with clear UTC timestamps:

1 2023-01-01 00:00:00.000000 UTC 192.168.1.1 → 192.168.1.2 TCP 66 443 → 34512 [SYN] Seq=0 Win=64240 Len=0
2 2023-01-01 00:00:00.000123 UTC 192.168.1.2 → 192.168.1.1 TCP 66 34512 → 443 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0

Notice how each timestamp now includes the "UTC" designation. This format is especially useful when you're analyzing logs from servers in different geographical locations or collaborating with team members across time zones. The UTC format eliminates confusion about time references, as it doesn't depend on local timezone settings.

To better understand the difference, you might want to compare this output with the default local time format from previous exercises. This will help you see how the same network events appear in different time representations.

Use Epoch Time with -t e

In this step, you will learn how to display packet timestamps in epoch format using Wireshark's command-line tool tshark. The -t e option tells tshark to show timestamps as epoch time (also called Unix time), which counts the number of seconds since January 1, 1970. This format is especially helpful when you need to perform exact time calculations or integrate with other systems that use epoch time.

Before we begin, let's make sure we're in the right working directory where our packet capture file is stored:

cd ~/project

Now we'll use the -t e option along with -r (which stands for "read") to process our sample packet capture file. The basic command structure is simple: specify the input file after -r and add -t e for epoch time formatting:

tshark -r capture.pcap -t e

After running this command, you'll see output similar to this, where the second column shows the epoch timestamps:

1 1672531200.000000 192.168.1.1 → 192.168.1.2 TCP 66 443 → 34512 [SYN] Seq=0 Win=64240 Len=0
2 1672531200.000123 192.168.1.2 → 192.168.1.1 TCP 66 34512 → 443 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0

Notice how each timestamp appears as a decimal number - the part before the decimal represents whole seconds, while the fractional part shows microseconds. This level of precision makes epoch time valuable for several scenarios:

Measuring exact time intervals between network events
Matching packet captures with system logs that use epoch time
Performing mathematical operations on timestamps in scripts or analysis tools

To better understand the difference, you might want to compare this output with the results from the previous UTC format example. Seeing both formats side by side will help you recognize how the same moment in time can be represented in different ways.

Display Packets with -P

In this step, you will learn how to display packet summaries in a more readable format using Wireshark's tshark with the -P option. This option provides a cleaner output format that's easier to read and analyze, especially when you're just starting with packet analysis.

First, ensure you're in the correct directory where your capture file is located. This is important because tshark needs to know where to find the packet capture file:

cd ~/project

The -P option changes how tshark displays packet information. Instead of showing everything in a single compact line (which can be hard to read), it displays each piece of information on its own line in a vertical format. This makes it much easier to identify specific fields at a glance. Let's use it with our sample capture file:

tshark -r capture.pcap -P

Here's what a typical packet might look like in this format:

Packet 1:
    Arrival Time: Jan  1, 2023 00:00:00.000000000 UTC
    Epoch Time: 1672531200.000000000 seconds
    Frame Number: 1
    Frame Length: 66 bytes
    Protocols: eth:ethertype:ip:tcp
    Source: 192.168.1.1
    Destination: 192.168.1.2
    Source Port: 443
    Destination Port: 34512
    TCP Flags: 0x002 (SYN)

The -P format is particularly useful in several situations:

When you need to quickly scan specific fields in packets without straining your eyes
When you want to pipe the output to other commands for further processing, as the structured format makes it easier to parse
When you prefer a more organized view of packet information, similar to how Wireshark's GUI displays packets

If you've used tshark without the -P option before, you'll immediately notice how much more readable this format is. Each piece of information has its own clear line, making it simpler to find exactly what you're looking for in the packet details.

Summary

In this lab, you have learned how to customize timestamp displays in Tshark through practical command-line options. The exercises demonstrated reading packet captures with -r capture.pcap and formatting timestamps in UTC using -t u for consistent timezone analysis.

You also practiced using epoch time format with -t e for precise timestamp representation and leveraged the -P option for detailed packet output. These techniques enhance network traffic analysis by providing flexible timestamp formats while maintaining clear packet inspection workflows.