Filtering based on time

  • Question

  • Background

    I work on a team that routinely needs to run a network trace tool 24x7 until an issue occurs. To limit the size of the files we currently only log to a single file of 500MB. We don't want to use chained files because we have not identified a way to limit the total size of all captures combined.


    500MB capture files are slow to work with. 


    1. Is there a way to filter a capture file based on time span? For example, if I have a 500MB trace that runs from 5/5/10 00:00:00 through 5/7/10 12:00:00 but I only want the frames from 5/6/10 16:40:00 through 5/6/10 17:00:00 - what filter can I use (if any)?
    2. Is there a way to limit the total size of all captures specified? For example, if I want to log 50 capture files of 10MB each and overwrite the oldest log file once all files combined equal 500MB.

    Thursday, July 8, 2010 5:34 PM


  • You can filter on time, but you have to convert the values to FileTime.  There are a few different ways you can figure out what the conversion is.

    1. If you use the UI, you can right click on the time "Time of Day" column and select add to display filter.  This will convert the time giving you the filter to use, for instance "FrameVariable.TimeOfDay <= 128189681050000000".  Then you can use NMCap to create a new trace once you've determined the start and stop times.
    2. You could also use a tool to convert, like http://silisoftware.com/tools/date.php, and type in the date "3/21/2007 4:28:24 PM" as text.  Then if you look at the resulting FileTime you'll see 128189825040000000.  Just keep in mind that this tool and most time conversions work on UTC time.  So that means you will have to convert the time in the trace to UTC by adjusting for your time zone.  So if you are in +5 hours, you'll have to subtract 5 hours first before using the tool.  To make things more complex, 3.3 and 3.4 traces are different.  Traces taken with 3.4 adjust the time automatically based on the time zone it came from where 3.3 just uses the local time where the trace was taken.  So if you are looking at a trace from another timezone with 3.4, you will have to adjust based on your time zone.  But a trace from another timezone with 3.3 will have to be adjusted based on their time zone.

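    BTW: Some simple C# code to do the conversion would be:

        using System;
        class Program {
            static void Main(string[] args) {
                // Parse the date given on the command line (treated as local time)
                DateTime dt = DateTime.Parse(args[0]);
                long ft = dt.ToFileTime(); // FILETIME: 100 ns ticks since 1601-01-01 UTC
                Console.WriteLine(ft);
            }
        }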

    To run NMCap to split the file you would do something like:

    NMCap /inputcapture in.cap /capture "FrameVariable.TimeOfDay >= 129231435802383316 AND FrameVariable.TimeOfDay <= 129231579800000000" /file out1.cap

    We do understand this isn't ideal and we do hope to address this moving forward.  Actually someone could use the NMAPI and C# to automate this.  I'd love to see somebody in the community create an open source project and I could certainly help if somebody was interested.


    • Proposed as answer by Paul E Long Friday, July 9, 2010 2:20 PM
    • Marked as answer by Paul E Long Friday, July 9, 2010 2:20 PM
    Friday, July 9, 2010 2:19 PM
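
The conversion described in the answer, as an added Python example that is not part of the original posts or of Network Monitor: it turns a wall-clock window plus an explicit UTC offset into FILETIME values and builds the `FrameVariable.TimeOfDay` range for NMCap. The function names and the UTC-4 offset in the sample are assumptions; which offset applies depends on the trace version, as the answer explains.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(wall_clock, utc_offset_hours):
    """Convert a naive wall-clock datetime at the given UTC offset to FILETIME."""
    if wall_clock.tzinfo is not None:
        raise ValueError("pass a naive datetime plus an explicit offset")
    tz = timezone(timedelta(hours=utc_offset_hours))
    delta = wall_clock.replace(tzinfo=tz) - FILETIME_EPOCH
    # Integer arithmetic only: floats cannot hold 18-digit values exactly.
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def from_filetime(filetime):
    """Inverse conversion, for checking a filter value against a UTC time."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def time_window_filter(start, end, utc_offset_hours):
    """Build the FrameVariable.TimeOfDay range expression for NMCap /capture."""
    lo = to_filetime(start, utc_offset_hours)
    hi = to_filetime(end, utc_offset_hours)
    if lo > hi:
        raise ValueError("start must not be after end")
    return (f"FrameVariable.TimeOfDay >= {lo} AND "
            f"FrameVariable.TimeOfDay <= {hi}")


if __name__ == "__main__":
    # Constructed sample: the window from the question, assumed to be at UTC-4.
    start = datetime(2010, 5, 6, 16, 40, 0)
    end = datetime(2010, 5, 6, 17, 0, 0)
    expr = time_window_filter(start, end, utc_offset_hours=-4)
    # The filter is quoted so the shell does not treat ">" as redirection.
    print(f'NMCap /inputcapture in.cap /capture "{expr}" /file out1.cap')
    # Sanity check: show the UTC instant the lower bound corresponds to.
    print(from_filetime(to_filetime(start, -4)).isoformat())
```

The same wall-clock time gives values 4 hours (144,000,000,000 ticks) apart at UTC and at UTC-4, so a wrong offset shifts the whole extracted window.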