Wireshark mailing list archives
Re: Seaching in the data pane would be useful ...
From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Fri, 9 Aug 2013 09:28:20 -0700
On Fri, Aug 9, 2013 at 8:52 AM, Christopher Maynard <Christopher.Maynard () gtech com> wrote:
> Richard Sharpe <realrichardsharpe@...> writes:
>
> > I came across a capture yesterday where there were DNS queries for a KDC in a Windows AD environment. The query returned 230 KDCs! Searching for a particular one was hard. It would be nice to have a right click menu item in either the details pane or the data pane where you can search for a particular string (or chars or hex equivalent) and have the string highlighted in the data pane and the detail pane sync'd to that.
>
> Isn't there a filter you can use, such as: dns.qry.name == "The KDC name"? Alternatively, it seems you're referring to the Edit -> Find Packet (Ctrl+F) functionality, combined with Edit -> Find Next (Ctrl+N) and/or Edit -> Find Previous (Ctrl+B). Is there something that feature doesn't provide that you're looking for?
I think he means something like this:

If you take the dns.cap sample capture from the wiki and then

    CTRL-F
    * Display filter
    dns.resp.ns == "ns-ext.sth1.isc.org"

It will bring you to frame #29 but it will not auto-select the field in that packet. It just brings you to the packet in question.

On the other hand, IF you

    CTRL-F
    * string/packet-bytes
    sth1

it will bring you to packet #29 and also highlight the first field there for these bytes.

(Now DNS is special so you can not string/packet-bytes search for the full name since DNS compression will mangle the strings. You can search for individual components though. But it is still unreliable, it will find something and highlight something but maybe not what you want.)

However, what does work and what probably is what Richard can use is:

    CTRL-F
    String/Packet-Details
    ns-ext.sth1.isc.org

i.e. the full dns name. This will find the right packet and will also automatically select/highlight the right row in the display tree.

Display filters are harder since they might not map to a single hf field when they match (a==1 && b==2: which of a or b should we highlight?) but we could special case CTRL-F Display-Filter so that IF the display filter consists of a single field then try to find and highlight that specific field when jumping to the packet that matched.

Thus

    CTRL-F
    Displayfilter
    ip.addr==1.2.3.4

would find the first ip.addr field and highlight it, but

    CTRL-F
    DisplayFilter
    ip.addr==1.2.3.4 && tcp

would not work and would just jump to the matching packet, just like today.

That should be possible and would improve usability. At least for the case when searching for a single field, which is likely the majority of light-use searches.
ronnie sahlberg
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
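The difference between the packet-bytes search and the packet-details search described in the message above, as an added example (not part of the original message and not Wireshark code): on the wire, DNS names are length-prefixed labels that can end in an RFC 1035 compression pointer, so only individual labels appear as contiguous bytes. The DNS response built here is constructed, and all function names are hypothetical.

```python
import struct

def encode_name(name, offsets, pos):
    """Encode a name at message offset pos, reusing suffixes via compression pointers."""
    out, labels = b"", name.split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:  # suffix already in the message: emit a 2-byte pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(msg, pos):
    """Decode the name at pos, following pointers (what a dissector does)."""
    labels, hops = [], 0
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:  # compression pointer: jump to the referenced offset
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
        elif n == 0:
            return ".".join(labels)
        else:
            labels.append(msg[pos + 1:pos + 1 + n].decode())
            pos += 1 + n

def build_sample():
    """Constructed NS response for isc.org; returns (message, offsets of the NS names)."""
    offsets, ns_offsets = {}, []
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)  # header: 1 question, 2 answers
    msg += encode_name("isc.org", offsets, len(msg)) + struct.pack("!2H", 2, 1)
    for ns in ("ns-ext.sth1.isc.org", "ns-ext.nrt1.isc.org"):
        msg += encode_name("isc.org", offsets, len(msg))  # owner name becomes a pointer
        msg += struct.pack("!2HI", 2, 1, 3600)            # type NS, class IN, TTL
        rdata = encode_name(ns, offsets, len(msg) + 2)    # +2 skips the RDLENGTH field
        ns_offsets.append(len(msg) + 2)
        msg += struct.pack("!H", len(rdata)) + rdata
    return msg, ns_offsets

def find_name(msg, ns_offsets, wanted):
    """Details-style search: compare decoded names, return the matching field offsets."""
    return [pos for pos in ns_offsets if decode_name(msg, pos) == wanted]

if __name__ == "__main__":
    msg, ns_offsets = build_sample()
    print("full name in raw bytes:", b"ns-ext.sth1.isc.org" in msg)
    print("single label offset:", msg.find(b"sth1"))
    print("decoded match at:", find_name(msg, ns_offsets, "ns-ext.sth1.isc.org"))
```
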