Posts

Showing posts from January, 2021

Pcap files and sed

Tshark can produce output that is suitable for the text2pcap tool. Here is an example of how to format tshark output using sed while preserving the packet arrival time:

    tshark.exe -r test.pcap -V -x -Y "frame.number <= 1" -T text | sed -n -e "/^\( Arrival Time\)\|^\(00\)/p" | sed -e "s/^ Arrival Time\: \([a-zA-Z]\{3\}[0-9\,\.\:\ ]\{5\}\)\([0-9\,\.\:\ ]*\).*/\n\1_\2/"

The first sed keeps only the "Arrival Time" line and the hex-dump rows (lines starting with 00); the second rewrites the arrival time into a timestamp line that text2pcap can parse. The output:

    Jan 4, _2021 15:21:00.327645000
    0000 00 06 33 01 23 67 06 0a 00 25 a8 82 69 00 00 07 ..3.#g...%..i...
    0010 f7 8e 89 be d6 40 20 ee be af 26 64 a1 02 01 16 .....@ ...&d....
    0020 1a 7f 4c 00 02 15 b9 40 7f 30 f5 f8 46 6e af f9 ..L....@.0..Fn..
    0030 25 55 6b 57 fe 2d 64 85 f5 64                   %UkW.-d..d

Note that the year must be prefixed with _ to allow proper interpretation by the text2pcap tool, and the -t format string must use the same prefix:

    text2pcap -t "%b %d, _%Y %H:%M:%S." - test_pext2pcap.pcap -l 272

Now we can use sed to manipulate packet contents between tshark and text2pcap:

    tshark ... | sed ... ...
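As an added example (not code from the post, tshark or text2pcap), the following Python helper re-creates the hex-dump layout shown above from raw bytes, parses such a dump back into packets, and applies an edit in between, which is the job the sed stage does in the pipeline. The function names (to_hexdump, from_hexdump, mask_bytes, rewrite_dump) are hypothetical; the sample packet and timestamp are the 58 bytes from the dump above. The parser follows the same packet-boundary rule text2pcap documents (a row at offset 0 starts a new packet) and skips the trailing ASCII column by stopping at the first token that is not a two-digit hex pair.

```python
"""Round-trip packets between raw bytes and the hex-dump layout text2pcap reads.

Hypothetical helper written for this post (not tshark/text2pcap code).
"""
import re

# Constructed sample: the timestamp line and 58-byte packet from the dump above.
SAMPLE_TIMESTAMP = "Jan 4, _2021 15:21:00.327645000"
SAMPLE_PACKET = bytes.fromhex(
    "00 06 33 01 23 67 06 0a 00 25 a8 82 69 00 00 07"
    "f7 8e 89 be d6 40 20 ee be af 26 64 a1 02 01 16"
    "1a 7f 4c 00 02 15 b9 40 7f 30 f5 f8 46 6e af f9"
    "25 55 6b 57 fe 2d 64 85 f5 64"
)

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
OFFSET = re.compile(r"^[0-9a-fA-F]{4,}$")


def to_hexdump(timestamp, data, width=16, ascii_column=True):
    """Render one packet the way the dump above looks: an optional timestamp
    line, then rows of '<offset> <hex bytes> [<ascii>]'. text2pcap ignores text
    after the bytes, so the ASCII column is cosmetic; pass ascii_column=False
    when printable bytes could themselves look like a hex pair (e.g. b'ab')."""
    lines = [timestamp] if timestamp else []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        row = f"{off:04x} " + " ".join(f"{b:02x}" for b in chunk)
        if ascii_column:
            # pad the hex field to a full row so the ASCII column lines up
            row = row.ljust(5 + width * 3 - 1) + " " + "".join(
                chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(row)
    return "\n".join(lines)


def from_hexdump(text):
    """Parse a dump into a list of (timestamp, bytes). A row whose offset is 0
    starts a new packet (text2pcap's rule); the last non-offset line seen
    before it is taken as that packet's timestamp line (None if absent)."""
    packets, pending_ts = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not OFFSET.match(tokens[0]):
            if tokens:
                pending_ts = line.strip()  # e.g. "Jan 4, _2021 15:21:00..."
            continue
        if int(tokens[0], 16) == 0 or not packets:
            packets.append([pending_ts, bytearray()])
            pending_ts = None
        for tok in tokens[1:]:
            if not HEX_PAIR.match(tok):
                break  # first non-pair token is the ASCII column
            packets[-1][1].append(int(tok, 16))
    return [(ts, bytes(buf)) for ts, buf in packets]


def mask_bytes(data, start, length, fill=0x00):
    """Return a copy of data with data[start:start+length] overwritten by fill,
    e.g. to blank a field before a capture is shared."""
    end = min(start + length, len(data))
    return data[:start] + bytes([fill]) * max(end - start, 0) + data[end:]


def rewrite_dump(text, start, length):
    """The 'sed between tshark and text2pcap' stage: parse, edit, re-render,
    keeping every packet's timestamp line intact for text2pcap -t."""
    return "\n".join(to_hexdump(ts, mask_bytes(pkt, start, length))
                     for ts, pkt in from_hexdump(text))


if __name__ == "__main__":
    dump = to_hexdump(SAMPLE_TIMESTAMP, SAMPLE_PACKET)
    print(dump)
    print(rewrite_dump(dump, 0, 6))  # same packet with its first 6 bytes zeroed
```

The output of rewrite_dump can be piped straight into the text2pcap command above, since the timestamp line is preserved and the rows keep the offset/hex layout text2pcap expects.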