12

I've got an application that is communicating with an Oracle database. Its logging is pretty crappy, so the only way I can work out what SQL it is sending to our database is by packet sniffing for TNS requests; I want to filter these packets by those that contain a particular name, i.e. on the existence of a particular string in the packet. How can I do this?

Thanks.

2 Answers

19

Have you tried the "contains" or "matches" operators? For example,

tns.request and tns contains "Marshmallows"

or simply

frame matches "(?i)marshmallows"

The first example looks for TNS requests which contain the case-sensitive string "Marshmallows". The second example looks for "marshmallows" anywhere in any frame, ignoring case. ("contains" does simple string matching; "matches" lets you use PCRE modifiers).


Update: In Wireshark 2.6 and later "matches" is case-insensitive by default. You can use the "(?-i)" PCRE modifier to force case sensitivity.

Gerald Combs
  • Thanks, I thought it would be something simple; cheers, that was exactly what I wanted to know. –  Dec 06 '10 at 14:56
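As an added illustration of what the two operators do, not code from the answer or from Wireshark itself: a small Python script that pulls TCP payloads out of a libpcap file and applies `contains` (exact bytes) or `matches` (regex, case-insensitive by default, `(?-i)` to force case) to segments sent to the Oracle listener. It assumes the listener is on port 1521 (so "sent to port 1521" stands in for `tns.request`) and builds a constructed sample capture inline.

```python
import re
import struct

ORACLE_PORT = 1521  # assumption: listener on the default port; "sent to it" stands in for tns.request

def tcp_payloads(pcap_bytes):
    """Yield (dst_port, payload) for every TCP segment in a classic libpcap file (Ethernet link type)."""
    endian = "<" if struct.unpack_from("<I", pcap_bytes)[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        frame, off = pcap_bytes[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]            # past the IP header
        if frame[23] != 6 or len(tcp) < 20:                   # TCP only
            continue
        dport = struct.unpack_from("!H", tcp, 2)[0]
        yield dport, tcp[(tcp[12] >> 4) * 4:]                 # past the TCP header

def tns_request_hits(pcap_bytes, needle, mode="contains"):
    """Emulate `tns.request and tns contains "x"` (mode="contains") or `tns matches "x"` (mode="matches")."""
    if mode == "matches":
        # Wireshark >= 2.6 semantics: case-insensitive unless the pattern says (?-i).
        # Python's re has no bare (?-i) group, so the prefix is stripped instead.
        flags = re.IGNORECASE
        if needle.startswith("(?-i)"):
            needle, flags = needle[5:], 0
        rx = re.compile(needle.encode(), flags)
        hit = lambda p: rx.search(p) is not None
    else:
        hit = lambda p: needle.encode() in p        # plain, case-sensitive byte substring
    return [p for dport, p in tcp_payloads(pcap_bytes)
            if dport == ORACLE_PORT and hit(p)]

def _frame(dport, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (sample data, not a real trace)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload

def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([   # constructed sample capture; the 10-byte prefix mimics a TNS Data header
    _frame(1521, b"\x00\x24\x00\x00\x06\x00\x00\x00\x00\x00SELECT * FROM marshmallows"),
    _frame(1521, b"\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00UPDATE Marshmallows SET x=1"),
    _frame(80, b"GET /marshmallows HTTP/1.1\r\n"),   # web traffic, never reported as TNS
])
```

Run `tns_request_hits(SAMPLE_PCAP, "Marshmallows")` for the case-sensitive `contains` behaviour and `tns_request_hits(SAMPLE_PCAP, "marshmallows", "matches")` for the case-insensitive `matches` behaviour.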
0

There are several interpretations of your question:

  1. You're using WireShark and want to do more sophisticated filtering to better analyze the data. In that case, read the docs. You can also program filters in Lua, if you need extra expressive power.

  2. You want to filter those packets out; i.e., an application-level firewall or NIDS. Check L7-filter for firewall/shaping, or Snort for NIDS (the latter can also use some Lua scripts, I think).

  3. You want to capture packets to log, create statistics or any other automated task. Check tcpdump / libpcap and/or my own libpcap binding for Lua.

Javier
  • Yeah, I've read the docs, but I couldn't find what I was looking for. All I want to do is add a filter to find a string in the raw packet data. I do a search on the TNS.request filtered data, but that just jumps through each packet where the string appears. Sorry, I thought that this would be a really simple bit of syntax. –  Nov 30 '10 at 18:11