Wireshark-users: Re: [Wireshark-users] display text representation of ldap.filter in tshark
From: Stephen Fisher <[email protected]>
Date: Sun, 17 Oct 2010 20:07:29 -0600
On Thu, Oct 14, 2010 at 03:47:43PM +0200, Alexander 'Leo' Bergolth wrote:

> Is there a way to display the text representation of an ldap 
> search-filter using tshark?
> 
> I tried -e ldap.filter but this is only a 32 bit filter element (only 
> the first filter element). Is there another display filter or a 
> function that displays a human readable version of the whole 
> search-filter?

The source code has a list of possible values for the ldap.filter 
number:

  { 0, "and" },
  { 1, "or" },
  { 2, "not" },
  { 3, "equalityMatch" },
  { 4, "substrings" },
  { 5, "greaterOrEqual" },
  { 6, "lessOrEqual" },
  { 7, "present" },
  { 8, "approxMatch" },
  { 9, "extensibleMatch" },

Are these values you're trying to display?  I don't think it's possible 
in tshark right now, although I thought I saw a request for that and 
possibly even work toward it not too long ago.  Wireshark displays 
those text strings in the custom columns now.