I need to extract packets within certain time ranges from a large pcap. And I found editcap's -A and -B options a perfect fit for this task, except my target time ranges are in epoch time and -A/-B require time in the format YYYY-MM-DD HH:MM:SS.
My question is: when I convert epoch time to YYYY-MM-DD HH:MM:SS, what time zone should I use? (I am not sure if this is relevant, but the large pcap I use is a merge of smaller pcaps captured from different time zones.)
I tried tshark, which allows filtering based on epoch time (frame.time_epoch>=X), but tshark seems to be resource expensive and gets constantly killed by the Ubuntu server I used.
Will appreciate any help!
Use your system's time.
100% correct. The time is parsed and then fed to a routine (mktime()) that converts a year/month/day/hour/minute/second value, in local time in the machine's timezone, to POSIX time ("Epoch time", where the "Epoch" is the UN*X/POSIX Epoch of 1970-01-01 00:00:00 UTC).
Am I right that the capture timestamps are stored as epoch time in pcap internally
Yes.
and thus once the system time I feed into editcap gets converted into epoch time, editcap can extract the right packets no matter which time zone the packets are captured from?
Yes.
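The conversion the answer describes, as an added example that is not part of the thread: render the epoch bounds in the local zone of the host that will run editcap, check that they parse back to the same epoch values (the same way editcap's mktime() will), and only then call editcap. It assumes GNU coreutils date (for -d) and editcap on PATH; the file names and epoch values are constructed.

```shell
# Format a POSIX epoch value in the machine's local timezone. This is the zone
# editcap's mktime() uses when it parses -A/-B, so this string and editcap agree.
epoch_to_editcap_time() {
    date -d "@$1" '+%Y-%m-%d %H:%M:%S'
}

# Parse a "YYYY-MM-DD HH:MM:SS" string back to epoch in the local zone, i.e. the
# same interpretation editcap applies, so the conversion can be verified.
editcap_time_to_epoch() {
    date -d "$1" '+%s'
}

# Demonstrate that the zone only changes the rendered string, not the instant:
# the same epoch rendered and re-parsed in any one zone returns the same epoch.
roundtrip_in_zone() {
    TZ=$1 date -d "$(TZ=$1 date -d "@$2" '+%Y-%m-%d %H:%M:%S')" '+%s'
}

# Extract packets between two epoch bounds from a pcap. The conversion runs on
# the same host as editcap, so both sides use the same timezone; the round-trip
# check refuses to run editcap if the strings do not map back exactly.
extract_epoch_range() {
    in_pcap=$1 out_pcap=$2 start_epoch=$3 end_epoch=$4
    start_local=$(epoch_to_editcap_time "$start_epoch")
    end_local=$(epoch_to_editcap_time "$end_epoch")
    [ "$(editcap_time_to_epoch "$start_local")" = "$start_epoch" ] || return 1
    [ "$(editcap_time_to_epoch "$end_local")" = "$end_epoch" ] || return 1
    editcap -A "$start_local" -B "$end_local" "$in_pcap" "$out_pcap"
}

# Usage with constructed values (a one-hour window from a merged capture):
#   extract_epoch_range merged.pcap window.pcap 1700000000 1700003600
```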