Wireshark-users: Re: [Wireshark-users] tds question

From: János Löbb <janos.lobb@xxxxxxxx>
Date: Thu, 5 Jan 2012 10:54:03 -0500
On Jan 4, 2012, at 9:12 PM, Bill Meier wrote:

> On 1/4/2012 11:07 AM, János Löbb wrote:
>> Hi,
>> 
>> I see here: http://www.wireshark.org/docs/dfref/t/tds.html
>> 
>> That there is a tds7.message as display filter from version 1.0.0 to
>> 1.6.0. My version is 1.6.2 and I do not see this display filter when
>> I click on Expressions...
>> 
>> What filter should I use if I want to filter all messages containing
>> a specific word on the TDS data ?
>> 
>> Thanks ahead,
>> 
> 
> 
> 1. Poking around the Wireshark sources a bit, I see that 'tds7.message'
>   is not actually a display filter field in Wireshark 1.6. It was last
>   available in the 1.4 release.
> 
>   I don't know why the Display Filter Web page is incorrect.
> 
>   In any case, even in the earlier versions, that particular filter
>   didn't actually do anything.  :)
> 
> 2. The following brute-force display filter should work:
>      tds contains "xxx" (where xxx is the searched for word).
> 
>   This filter searches the complete TDS payload of any
>   TDS packet. Obviously you can add additional filters to restrict
>   searching to only TDS packets from the server, etc.
> 
>   See http://wiki.wireshark.org/DisplayFilters for more examples.
> 
> 
>   Edit ! Find would also work but is not as flexible.
> 

Bill,

Thanks a lot. In the meantime I also "fall over" on this brute force :-) I played a little with:

tds contains "xxx"
data.data contains "xxx"
frame contains "xxx"
tcp.data contains "xxx"
etc...

just because there are cases where the actual info is not shown as tds.  

Looks like for my purpose the 'frame contains "xxx" and frame contains "yyy"' type queries are the more useful. They are surprisingly fast - thanks, Wireshark developers.

Thanks again,

János
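Added example, not part of the thread: a small Python model of why `frame contains` matched packets that `tds contains` missed. It assumes (as Wireshark's default TDS port registration does) that a TCP payload is dissected as TDS only when one end is port 1433; the frames and the field-to-bytes mapping are constructed here and simplified, not Wireshark's own code.

```python
import struct

# Constructed fixture: the same query sent once on the default SQL Server
# port 1433 and once on a non-standard port, where no TDS dissection happens.
QUERY = b"SELECT name FROM users"


def build_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; this is a
    test fixture, not wire-accurate traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Simplified model of which display-filter field covers which bytes.
    Assumption: like Wireshark's default for TDS, the payload becomes 'tds'
    only when one port is 1433; otherwise it is plain 'data.data'."""
    fields = {"frame": frame}                       # 'frame' covers every byte, headers included
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4       # TCP data offset
    payload = frame[tcp_off + data_off:]
    if payload:
        fields["tcp.data"] = payload
        fields["tds" if 1433 in (sport, dport) else "data.data"] = payload
    return fields


def contains(frame: bytes, field: str, needle: str) -> bool:
    """Emulate '<field> contains "needle"': byte-wise substring search limited
    to the bytes that field covers. A field the dissector never created
    cannot match, which is why 'tds contains' silently misses traffic on
    other ports."""
    data = dissect(frame).get(field)
    return data is not None and needle.encode() in data


def matches_all(frame: bytes, *terms) -> bool:
    """Conjunction in the style of 'frame contains "xxx" and frame contains "yyy"'."""
    return all(contains(frame, field, needle) for field, needle in terms)


ON_1433 = build_frame(49152, 1433, QUERY)
ON_OTHER = build_frame(49152, 15433, QUERY)
```

Because `frame` also covers link, IP and TCP headers, a short needle can match header bytes rather than payload; narrowing to `tcp.data contains` avoids that while still working when no TDS dissection took place.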