SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
How can I filter packets between two points in time? I'm testing nmap bandwidth usage and want to analyse during the times that it is bursting...
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Wireshark display filter
- Thread starter SpaceHonkey
- Start date
ben chi(f4)
2[H]4U
- Joined
- Mar 4, 2008
- Messages
- 2,339
you can filter IP
ip.addr eq x.x.x.x
ip.addr eq x.x.x.x
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
I set a capture filter of host <IP> to do that. The problem is that, the full scan could take 9 seconds, but most (99%) of the communication is during second 2.5-3. In the summary, it calculates the the bandwidth based on the total or displayed packets. While the average over nine seconds is .081 Mbps, during that short 1/2 second burst it is much higher.
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
Found something that works - filtering by frame number:
frame.number >= 4 && frame.number <= 3449
Actual thoughput is 10.644 Mbps. For 0.152798 seconds.
frame.number >= 4 && frame.number <= 3449
Actual thoughput is 10.644 Mbps. For 0.152798 seconds.
It has to be a static date and time, otherwise you'd want to use frame.number (like you have there).
Otherwise:
frame.time > "Apr 9, 2009 14:03:42" and frame.time < "Apr 9, 2009 14:03:45"
frame.time > "Apr 9, 2009 14:03:42.5" and frame.time < "Apr 9, 2009 14:03:45.25"
Otherwise:
frame.time > "Apr 9, 2009 14:03:42" and frame.time < "Apr 9, 2009 14:03:45"
frame.time > "Apr 9, 2009 14:03:42.5" and frame.time < "Apr 9, 2009 14:03:45.25"
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
Ah - there's the time. I started looking under TIME (which is actually NTP), not frame.time.
I didn't even notice frame.time when I found frame.number - lol
Thanks all!
I didn't even notice frame.time when I found frame.number - lol
Thanks all!
I know it's an old thread, but I found it looking for the search term "Wireshark filter by time frame" and others will too.
I found the best filter to use when filtering by time ranges is the relative time which is displayed on the capture display and is the time I'd expect to be able to use for filtering.
Use "frame.time_relative" as the filter expression term.
I found the best filter to use when filtering by time ranges is the relative time which is displayed on the capture display and is the time I'd expect to be able to use for filtering.
Use "frame.time_relative" as the filter expression term.
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
Very nice - I didn't even remember posting this old thread 
joshenders
n00b
- Joined
- May 23, 2012
- Messages
- 7
Thanks for the follow up. Google lead me here and this was very helpful.