On Fri, Aug 9, 2013 at 9:30 AM, ronnie sahlberg <[email protected]> wrote:
> On Fri, Aug 9, 2013 at 9:02 AM, Richard Sharpe
> <[email protected]> wrote:
>> On Fri, Aug 9, 2013 at 8:52 AM, Christopher Maynard
>> <[email protected]> wrote:
>>> Richard Sharpe <realrichardsharpe@...> writes:
>>>
>>>> I came across a capture yesterday where there were DNS queries for a
>>>> KDC in a Windows AD environment. The query returned 230 KDCs!
>>>>
>>>> Searching for a particular one was hard.
>>>>
>>>> It would be nice to have a right click menu item in either the details
>>>> pane or the data pane where you can search for a particular string (or
>>>> chars or hex equivalent) and have the string highlighted in the data
>>>> pane and the detail pane sync'd to that.
>>>>
>>>
>>> Isn't there a filter you can use, such as: dns.qry.name == "The KDC name"?
>>>
>>> Alternatively, it seems you're referring to the Edit -> Find Packet (Ctrl+F)
>>> functionality, combined with Edit -> Find Next (Ctrl+N) and/or Edit -> Find
>>> Previous (Ctrl+B). Is there something that feature doesn't provide that
>>> you're looking for?
>>
>> Sure, I can do the search, and I did, but the actual info I am
>> interested in, like the priority, etc, is buried among 230 entries and
>> I have to patiently scroll until I find it.
>>
>> That is hard to do.
>
> You can use
> CTRL-F String/PacketDetails <text-to-match>
> That should work for your use-case but it would probably be even
> better if the normal "Displayfilter" search would do it too, where
> possible.

OK, so that works in a limited sense.

It finds the actual DNS query response for the name in question but does not find the other responses for the query on _kerberos._UDP.<realm>.

It's there in the responses, but not found for some reason.

The response is also a re-assembled response because there are some 12942 bytes in it.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
