Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Seaching in the data pane would be useful ...
From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Fri, 9 Aug 2013 09:42:14 -0700

On Fri, Aug 9, 2013 at 9:30 AM, ronnie sahlberg
<ronniesahlberg () gmail com> wrote:
On Fri, Aug 9, 2013 at 9:02 AM, Richard Sharpe
<realrichardsharpe () gmail com> wrote:
On Fri, Aug 9, 2013 at 8:52 AM, Christopher Maynard
<Christopher.Maynard () gtech com> wrote:
Richard Sharpe <realrichardsharpe ()    > writes:

I can across a capture yesterday where there were DNS queries for a
KDC in a Windows AD environment. The query returned 230 KDCs!

Searching for a particular one was hard.

It would be nice to have a right click menu item in either the details
pane or the data pane where you can search for a particular string (or
chars or hex equivalent) and have the string highlighted in the data
pane and the detail pane sync'd to that.


Isn't there a filter you can use, such as: dns.qry.name == "The KDC name"?

Alternatively, it seems you're referring to the Edit -> Find Packet (Ctrl+F)
functionality, combined with Edit -> Find Next (Ctrl+N) and/or Edit -> Find
Previous (Ctrl+B).  Is there something that feature doesn't provide that
you're looking for?

Sure, I can do the search, and I did, but the actual info I am
interested in, like the priority, etc, is buried among 230 entries and
I have to patiently scroll until I find it.

That is hard to do.

You can use
CTRL-F String/PacketDetails <text-to-match>
That should work for your use-case    but it would probably be even
better if the normal "Displayfilter" search would do it too, where
possible.

OK, so that works in a limited sense. It finds the actual DNS query
response for the name in question but does not find the other
responses for the query on _kerberos._UDP.<realm>

It's there in the responses, but not found for some reason. The
response is also a re-assembled response because there is some 12942
bytes in it.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]