How to write capture filter with offset setting?
In Wireshark 4.0.5 inside DRDA protocol I would like to capture only DRDA.SQLSTATEMENT packets.
I have set capture filter tcp dst port 60127
to only capture traffic to a specific port. But there is still so much network traffic that it easily gets to a few gigabytes in a few minutes. I would like to filter even more.
To reduce the pcapng file I need to add an additional capture filter.
I have searched the web and I see that, e.g., to get only port 443 I can write: tcp[2:2] = 443
and this works for tests I did. This capture filter starts at TCP segment, offsets 2 bytes (first parameter) and reads 2 bytes (second parameter). I need to write something similar for my example.
To get to my DRDA sample
I have captured DRDA traffic and set the display filter: drda.sqlstatement
I have clicked on TCP in Packet Details and I need to get to the 24:14 bytes (red rectangle).
I wrote capture filter: tcp[260:2] = 9236
and started capturing traffic and reproduced the SQL statement. But nothing gets captured.
How to write a correct capture filter to only display SQLSTT packets?
Thanks
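
An added example, not part of the original post: tcp[N:2] counts N from the first byte of the TCP header, so a fixed N lands on the same payload bytes only while the TCP header length stays the same. The Python sketch below emulates that indexing on constructed segments and renders a payload-relative filter; the payload offset 8, the source port and the filler bytes are assumptions, not values from the poster's capture.

```python
import struct

MARKER = 0x2414          # the bytes 24 14 from the post; same value as decimal 9236
PAYLOAD_OFFSET = 8       # constructed: where the marker sits inside the payload

def tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed TCP segment: 20-byte header, options, payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 51000, 60127, 1, 1,
                         words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def tcp_index(segment: bytes, offset: int, size: int):
    """Emulate tcp[offset:size]: big-endian read counted from the TCP header start."""
    chunk = segment[offset:offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None

def header_len(segment: bytes) -> int:
    """Emulate (tcp[12] & 0xf0) >> 2: the TCP header length in bytes."""
    return (segment[12] & 0xF0) >> 2

def fixed_match(segment: bytes, offset: int) -> bool:
    """A filter of the form tcp[offset:2] = MARKER."""
    return tcp_index(segment, offset, 2) == MARKER

def payload_match(segment: bytes) -> bool:
    """The same test, but counted from the first payload byte."""
    return tcp_index(segment, header_len(segment) + PAYLOAD_OFFSET, 2) == MARKER

def capture_filter(port: int, payload_offset: int, value: int) -> str:
    """Render the payload-relative test as a capture filter string."""
    return (f"tcp dst port {port} and "
            f"tcp[((tcp[12] & 0xf0) >> 2) + {payload_offset}:2] = 0x{value:04x}")

# Constructed payload: 8 filler bytes, the marker, then more filler.
PAYLOAD = bytes(PAYLOAD_OFFSET) + MARKER.to_bytes(2, "big") + b"SELECT 1"
PLAIN = tcp_segment(PAYLOAD)                       # 20-byte header
TIMESTAMP_OPT = bytes([1, 1, 8, 10]) + bytes(8)    # NOP, NOP, timestamp option
WITH_OPTS = tcp_segment(PAYLOAD, TIMESTAMP_OPT)    # 32-byte header

if __name__ == "__main__":
    for name, seg in (("no options", PLAIN), ("timestamps", WITH_OPTS)):
        print(name, header_len(seg), fixed_match(seg, 28), payload_match(seg))
    print(capture_filter(60127, PAYLOAD_OFFSET, MARKER))
```

The rendered filter only helps when the marker sits at a constant offset inside the TCP payload; if its position varies from packet to packet, no single offset test will match every packet.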