SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
How can I filter packets between two points in time? I'm testing nmap bandwidth usage and want to analyse during the times that it is bursting...
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
-
Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.
Wireshark display filter
- Thread starter SpaceHonkey
- Start date
ben chi(f4)
2[H]4U
- Joined
- Mar 4, 2008
- Messages
- 2,340
you can filter IP
ip.addr eq x.x.x.x
ip.addr eq x.x.x.x
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
I set a capture filter of host <IP> to do that. The problem is that, the full scan could take 9 seconds, but most (99%) of the communication is during second 2.5-3. In the summary, it calculates the the bandwidth based on the total or displayed packets. While the average over nine seconds is .081 Mbps, during that short 1/2 second burst it is much higher.
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
Found something that works - filtering by frame number:
frame.number >= 4 && frame.number <= 3449
Actual thoughput is 10.644 Mbps. For 0.152798 seconds.
frame.number >= 4 && frame.number <= 3449
Actual thoughput is 10.644 Mbps. For 0.152798 seconds.
It has to be a static date and time, otherwise you'd want to use frame.number (like you have there).
Otherwise:
frame.time > "Apr 9, 2009 14:03:42" and frame.time < "Apr 9, 2009 14:03:45"
frame.time > "Apr 9, 2009 14:03:42.5" and frame.time < "Apr 9, 2009 14:03:45.25"
Otherwise:
frame.time > "Apr 9, 2009 14:03:42" and frame.time < "Apr 9, 2009 14:03:45"
frame.time > "Apr 9, 2009 14:03:42.5" and frame.time < "Apr 9, 2009 14:03:45.25"
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
Ah - there's the time. I started looking under TIME (which is actually NTP), not frame.time.
I didn't even notice frame.time when I found frame.number - lol
Thanks all!
I didn't even notice frame.time when I found frame.number - lol
Thanks all!
I know it's an old thread, but I found it looking for the search term "Wireshark filter by time frame" and others will too.
I found the best filter to use when filtering by time ranges is the relative time which is displayed on the capture display and is the time I'd expect to be able to use for filtering.
Use "frame.time_relative" as the filter expression term.
I found the best filter to use when filtering by time ranges is the relative time which is displayed on the capture display and is the time I'd expect to be able to use for filtering.
Use "frame.time_relative" as the filter expression term.
SpaceHonkey
Gawd
- Joined
- Jan 25, 2007
- Messages
- 983
Very nice - I didn't even remember posting this old thread 
joshenders
n00b
- Joined
- May 23, 2012
- Messages
- 7
Thanks for the follow up. Google lead me here and this was very helpful.