I don't know if overriding the time is a good idea - but I'm not sure what would go wrong.
You can add any field as a column by right-clicking on the field and choosing 'Apply as Column'. I do this with the log files my company uses - we have a timestamp field in our file format that ends up being dissected (see hf_catapult_dct2000_timestamp in packet-catapult-dct2000.c). I find it tedious to try to analyse a file that is not in the correct order though, and it can interfere with sequence analysis that dissectors can do. If it is easy to find/parse the timestamp, I would consider writing a console wiretap program, based upon reordercap, that would: - read the frames in, but overwriting the timestamp with a value derived from the timestamp parsed from your frames - sort the frames by this timestamp - write sorted frames to an output file Of course, I don't really know what you are doing, and whether seeing the original capture time is also useful.... Martin On Thu, Jan 31, 2013 at 5:42 AM, Natalie Shapira <nd1...@gmail.com> wrote: > > Thanks. > > Eventually I override > pinfo->fd->rel_ts > pinfo->fd->del_dis_ts > > It looks good. > > If I would have problems again, I will create separate column. > BTW, can you think about dissector who did it (adding column)? so I could > use it as an example.. > Natalie. > > > On Wed, Jan 30, 2013 at 2:44 PM, Evan Huus <eapa...@gmail.com> wrote: > >> You can add the new timestamp as a regular dissected field. Wireshark >> allows you to create columns out of arbitrary fields in dissected >> packets. >> >> Cheers, >> Evan >> >> On Wed, Jan 30, 2013 at 4:51 AM, Natalie Shapira <nd1...@gmail.com> >> wrote: >> > Anyway, you gave me other idea. What about making new column of >> my_timestamp >> > and sort by that column... Do I have the ability to add a new column >> from a >> > dissector? >> > >> > On Wed, Jan 30, 2013 at 11:46 AM, Natalie Shapira <nd1...@gmail.com> >> wrote: >> >> >> >> I have no choice. It's a workaround for a hardware bug. >> >> >> >> On Wed, Jan 30, 2013 at 11:05 AM, Anders Broman >> >> <anders.bro...@ericsson.com> wrote: >> >>> >> >>> Hi, >> >>> Those are the timestamps of packet arrival there should be no need to >> >>> change them from a dissector - sounds like a bad idea to me. >> >>> Regards >> >>> Anders >> >>> >> >>> ________________________________ >> >>> From: wireshark-dev-boun...@wireshark.org >> >>> [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Natalie >> Shapira >> >>> Sent: den 30 januari 2013 09:16 >> >>> To: wireshark-dev@wireshark.org >> >>> Subject: [Wireshark-dev] changing the time >> >>> >> >>> >> >>> Hi everybody, >> >>> >> >>> It's my first question so, nice to meet you! >> >>> >> >>> I'm writing new dissector (plugin). >> >>> I want to change the time of the packet. >> >>> I tried to change pinfo->fd->rel_ts.secs and pinfo->fd->rel_ts.nsecs. >> It >> >>> looks like I did it BUT, after sorting, not all packets are in the >> exact >> >>> place. >> >>> >> >>> Do you have an example, idea or any recommendation? >> >>> >> >>> Thanks, >> >>> Natalie. >> >>> >> >>> >> >>> >> ___________________________________________________________________________ >> >>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> >> >>> Archives: http://www.wireshark.org/lists/wireshark-dev >> >>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev >> >>> >> >>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe >> >> >> >> >> > >> > >> > >> ___________________________________________________________________________ >> > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> >> > Archives: http://www.wireshark.org/lists/wireshark-dev >> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev >> > mailto:wireshark-dev-requ...@wireshark.org >> ?subject=unsubscribe >> >> ___________________________________________________________________________ >> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> >> Archives: http://www.wireshark.org/lists/wireshark-dev >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev >> mailto:wireshark-dev-requ...@wireshark.org >> ?subject=unsubscribe >> > > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe >
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
