
Wireshark-dev: Re: [Wireshark-dev] Searching in the data pane would be useful ...

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Fri, 9 Aug 2013 09:42:14 -0700
On Fri, Aug 9, 2013 at 9:30 AM, ronnie sahlberg
<ronniesahlberg@xxxxxxxxx> wrote:
> On Fri, Aug 9, 2013 at 9:02 AM, Richard Sharpe
> <realrichardsharpe@xxxxxxxxx> wrote:
>> On Fri, Aug 9, 2013 at 8:52 AM, Christopher Maynard
>> <Christopher.Maynard@xxxxxxxxx> wrote:
>>> Richard Sharpe <realrichardsharpe@...> writes:
>>>
>>>> I came across a capture yesterday where there were DNS queries for a
>>>> KDC in a Windows AD environment. The query returned 230 KDCs!
>>>>
>>>> Searching for a particular one was hard.
>>>>
>>>> It would be nice to have a right click menu item in either the details
>>>> pane or the data pane where you can search for a particular string (or
>>>> chars or hex equivalent) and have the string highlighted in the data
>>>> pane and the detail pane sync'd to that.
>>>>
>>>
>>> Isn't there a filter you can use, such as: dns.qry.name == "The KDC name"?
>>>
>>> Alternatively, it seems you're referring to the Edit -> Find Packet (Ctrl+F)
>>> functionality, combined with Edit -> Find Next (Ctrl+N) and/or Edit -> Find
>>> Previous (Ctrl+B).  Is there something that feature doesn't provide that
>>> you're looking for?
>>
>> Sure, I can do the search, and I did, but the actual info I am
>> interested in, like the priority, etc, is buried among 230 entries and
>> I have to patiently scroll until I find it.
>>
>> That is hard to do.
>
> You can use
> CTRL-F String/PacketDetails <text-to-match>
> That should work for your use-case, but it would probably be even
> better if the normal "Displayfilter" search would do it too, where
> possible.

OK, so that works in a limited sense. It finds the actual DNS query
response for the name in question but does not find the other
responses for the query on _kerberos._UDP.<realm>

It's there in the responses, but not found for some reason. The
response is also a re-assembled response because there are some 12942
bytes in it.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang wine. -- Cao Cao)
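Added example, not code from this thread or from Wireshark: a large SRV response for _kerberos._udp.<realm> of the kind discussed above, built with RFC 1035 label compression, alongside a parser that recovers every record's priority, weight, port and target. It shows one general reason a search over raw packet bytes can miss a name that the dissector clearly shows: once the realm suffix has appeared, later targets are encoded as a short label plus a two-byte pointer, so the full name is never contiguous in the data. The realm (corp.example.com), the 230 KDC names and the priorities are constructed; nothing here is taken from the capture the poster describes.

```python
"""Build and parse a DNS SRV response with label compression (added example)."""
import struct

SRV = 33            # RR type for SRV (RFC 2782)
IN = 1              # class IN
REALM = 'corp.example.com'                         # constructed realm
# 230 KDCs (constructed); only kdc07 has a non-zero priority so that
# finding it, not just its name, is what a searcher actually wants.
KDCS = [(10 if i == 7 else 0, 100, 88, f'kdc{i:02d}.{REALM}')
        for i in range(1, 231)]


def encode_name(name, offsets, buf):
    """Append `name` to buf, compressing any suffix already present in buf."""
    labels = name.rstrip('.').split('.')
    for i, label in enumerate(labels):
        suffix = '.'.join(labels[i:]).lower()
        if suffix in offsets:                        # RFC 1035 4.1.4 pointer
            buf += struct.pack('!H', 0xC000 | offsets[suffix])
            return
        if len(buf) < 0x3FFF:                        # pointers are 14 bits
            offsets[suffix] = len(buf)
        raw = label.encode('ascii')
        buf += bytes([len(raw)]) + raw
    buf += b'\x00'


def build_srv_response(realm, kdcs, txid=0x1234):
    """Return a wire-format answer with one SRV RR per (prio, weight, port, host)."""
    buf, offsets = bytearray(), {}
    buf += struct.pack('!HHHHHH', txid, 0x8180, 1, len(kdcs), 0, 0)
    qname = f'_kerberos._udp.{realm}'
    encode_name(qname, offsets, buf)
    buf += struct.pack('!HH', SRV, IN)
    for prio, weight, port, host in kdcs:
        encode_name(qname, offsets, buf)             # owner name -> pointer
        buf += struct.pack('!HHI', SRV, IN, 600)     # type, class, TTL
        rdlen_pos = len(buf)
        buf += b'\x00\x00'                           # RDLENGTH, patched below
        start = len(buf)
        buf += struct.pack('!HHH', prio, weight, port)
        # RFC 2782 says the target must not be compressed; a parser still has
        # to cope with it, so this example compresses it deliberately.
        encode_name(host, offsets, buf)
        struct.pack_into('!H', buf, rdlen_pos, len(buf) - start)
    return bytes(buf)


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2                        # resume after the pointer
            off = struct.unpack_from('!H', msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError('compression pointer loop')
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (end if end is not None else off)


def parse_srv_records(msg):
    """Walk the question and answer sections and return the SRV RRs as dicts."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from('!HHHHHH', msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from('!HHIH', msg, off)
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack_from('!HHH', msg, off)
            target, _ = decode_name(msg, off + 6)
            records.append({'owner': owner, 'priority': prio, 'weight': weight,
                            'port': port, 'target': target})
        off += rdlen
    return records


def find_kdc(msg, host):
    """Return the SRV records whose target is `host` (case-insensitive)."""
    return [r for r in parse_srv_records(msg) if r['target'].lower() == host.lower()]


def uncompressed_wire_form(host):
    """The label-encoded form of `host` as it would appear without compression."""
    return b''.join(bytes([len(l)]) + l.encode('ascii')
                    for l in host.rstrip('.').split('.')) + b'\x00'


def uncompressed_wire_form_present(msg, host):
    """True only if the whole encoded name occurs contiguously in the bytes."""
    return uncompressed_wire_form(host) in msg


if __name__ == '__main__':
    msg = build_srv_response(REALM, KDCS)
    print(len(msg), 'bytes,', len(parse_srv_records(msg)), 'SRV records')
    for r in find_kdc(msg, 'kdc07.' + REALM):
        print(r)
    print('contiguous in bytes:', uncompressed_wire_form_present(msg, 'kdc07.' + REALM))
```

The practical consequence for a capture like the one described: search the dissected fields rather than the bytes. Wireshark exposes the SRV fields as display-filter names (dns.srv.target, dns.srv.priority, dns.srv.weight, dns.srv.port), so a filter such as `dns.srv.target contains "kdc07"` matches the record however the name was encoded on the wire, and the same field names work with `tshark -T fields -e dns.srv.priority -e dns.srv.target` for a one-shot listing of all 230 entries.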