Home page logo

wireshark logo Wireshark mailing list archives

Re: Seaching in the data pane would be useful ...
From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Fri, 9 Aug 2013 09:28:20 -0700

On Fri, Aug 9, 2013 at 8:52 AM, Christopher Maynard
<Christopher.Maynard () gtech com> wrote:
Richard Sharpe <realrichardsharpe ()    > writes:

I can across a capture yesterday where there were DNS queries for a
KDC in a Windows AD environment. The query returned 230 KDCs!

Searching for a particular one was hard.

It would be nice to have a right click menu item in either the details
pane or the data pane where you can search for a particular string (or
chars or hex equivalent) and have the string highlighted in the data
pane and the detail pane sync'd to that.

Isn't there a filter you can use, such as: dns.qry.name == "The KDC name"?

Alternatively, it seems you're referring to the Edit -> Find Packet (Ctrl+F)
functionality, combined with Edit -> Find Next (Ctrl+N) and/or Edit -> Find
Previous (Ctrl+B).  Is there something that feature doesn't provide that
you're looking for?

I think he means something like this:

If you take the dns.cap sample capture from the wiki and then
CTRL-F * Display filter  dns.resp.ns == "ns-ext.sth1.isc.org"
It will bring you to frame #29 but it will not auto-select the field
in that packet. It just brings you to the packet in question.

On the other hand, IF you CTRL-F * string/packet-bytes sth1  it will
bring you to packet #29 and also highlight the first field there for
these bytes.
(Now DNS is special so you can not string/packet-bytes search for the
full name since due to dns compression will mangle the strings. You
can search for individual components though. But it is still
unreliable, it will find something and highlight something but maybe
not what you want)

However, what does work and what probably is what Richard can use is:
CTRL-F String/Packet-Details  ns-ext.sth1.isc.org    i.e. the full dns
name. This will find the right packet and will also automatically
select/highlight the right row in the display tree.

Display filters are harder since they might not map to a single hf
field when they match  (a==1 && b==2    which of a or b should we
but we could special case CTRL-F Display-Filter so that IF the the
display filter consists of a single field then try to find and
highlight that specific field when jumping to the packet that matched.

thus CTRL-F Displayfilter  ip.addr==     would find the first
ip.addr field and highlight it
but  CTDL-F DisplayFilter ip.addr== && tcp   would not work and
would just jump to the matching packet, just like today

That should be possible and would improve usability. At least for the
case when searching for a single field which is likely the majority of
light-use searches.

ronnie sahlberg
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]