Wireshark mailing list archives

Re: tds question


From: János Löbb <janos.lobb () yale edu>
Date: Thu, 5 Jan 2012 10:54:03 -0500


On Jan 4, 2012, at 9:12 PM, Bill Meier wrote:

On 1/4/2012 11:07 AM, János Löbb wrote:
Hi,

I see here: http://www.wireshark.org/docs/dfref/t/tds.html

That there is a tds7.message as display filter from version 1.0.0 to
1.6.0. My version is 1.6.2 and I do not see this display filter when
I click on Expressions...

What filter should I use if I want to filter all messages containing
a specific word on the TDS data ?

Thanks ahead,



1. Poking around the Wireshark sources a bit, I see that 'tds7.message'
  is not actually a display filter field in Wireshark 1.6. It was last
  available in the 1.4 release.

  I don't know why the Display Filter Web page is incorrect.

  In any case, even in the earlier versions, that particular filter
  didn't actually do anything.  :)

2. The following brute-force display filter should work:
     tds contains "xxx" (where xxx is the searched for word).

  This filter searches the complete TDS payload of any
  TDS packet. Obviously you can add additional filters to restrict
  searching to only TDS packets from the server, etc.

  See http://wiki.wireshark.org/DisplayFilters for more examples.


  Edit ! Find would also work but is not as flexible.


Bill,

Thanks a lot. In the meantime I also "fell over" on this brute force :-) I played a little with:

tds contains "xxx"
data.data contains "xxx"
frame contains "xxx"
tcp.data contains "xxx"
etc...

just because there are cases where the actual info is not shown as tds.  

Looks like for my purpose the 'frame contains "xxx" and frame contains "yyy"' type queries are the more useful. They are surprisingly fast - thanks, Wireshark developers.

Thanks again,

János


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
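
An added example, not part of the original thread or of Wireshark's own code: a Python helper that builds the `frame contains "xxx" and frame contains "yyy"` style of filter discussed above and also emits each word as a UTF-16LE byte sequence. It assumes (this is not stated in the thread) that the searched text may be UTF-16LE on the wire, as TDS 7.x SQL text is; the function names and the sample payload are constructed for illustration.

```python
# Added example: build Wireshark display filters for a word search in TDS traffic.
# Assumption (not from the thread): the text may be on the wire as UTF-16LE,
# as TDS 7.x sends SQL text, so each word is searched in both byte forms.

def hex_bytes(data: bytes) -> str:
    """Colon-separated hex, the byte-sequence literal `contains` accepts."""
    return ":".join(f"{b:02x}" for b in data)

def word_clause(field: str, word: str) -> str:
    """One word: match its ASCII form or its UTF-16LE form in `field`."""
    if not word or not word.isascii() or '"' in word or "\\" in word:
        raise ValueError("example handles plain ASCII words only")
    wide = hex_bytes(word.encode("utf-16-le"))
    return f'({field} contains "{word}" or {field} contains {wide})'

def build_filter(words, field="frame"):
    """All words must appear; field is 'frame', 'tds', 'tcp.data', ..."""
    return " and ".join(word_clause(field, w) for w in words)

def payload_matches(payload: bytes, words) -> bool:
    """Offline emulation of the case-sensitive byte search the filter performs."""
    return all(
        w.encode("ascii") in payload or w.encode("utf-16-le") in payload
        for w in words
    )

# Constructed sample, not a real capture: 8 placeholder header bytes + UTF-16LE text.
SAMPLE = bytes(8) + "select name from users".encode("utf-16-le")

if __name__ == "__main__":
    print(build_filter(["select", "users"]))
    # The plain ASCII search misses this payload; the two-form search finds it.
    print(b"select" in SAMPLE, payload_matches(SAMPLE, ["select", "users"]))
```

Paste the printed expression into the display filter bar, or pass `field="tds"` to restrict the search to packets dissected as TDS.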

