Ethereal-users: Re: [Ethereal-users] Set filter for info field.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Dragos Ruiu <dr@xxxxxxx>
Date: Wed, 27 Jun 2001 00:45:19 +0000
On Wednesday 27 June 2001 06:58, Guy Harris wrote:
> On Wed, Jun 27, 2001 at 08:54:10AM +0200, emu@xxxxxxxxxxxxx wrote:
> > I'm trying to find some host names.
> > I can see them in the info field.
>
> Unfortunately, Ethereal doesn't currently have any mechanism to allow
> you to search for packets where certain text appears in the Info column;
> that's why neither you nor anybody else found it.
>

Packet signatures sound like a job for snort (www.snort.org)...

30 second snort tutorial... 

check out the content keyword and log rules i.e. a rule like:

log any any <> any any (content: "fqdn.host.net")
^type
     ^sip ^sport  ^dip ^dport  ^keywords

run snort with a rule in a rules file like the above...
make a directory for snort to log to: mkdir ./log

tell snort to use that rule file (-c rulefile)
tell snort to log to your directory (-l ./log)
tell snort to read from a file (-r filename)
tell snort log to a tcpdump binary file (-b)

e.g. snort -c rulefile -l ./log -r filename -b

and then load the resulting ./log/snort.log file (default filename) into 
ethereal for full dns decodes....

ngrep from nmrc might do the job too but I'm familiar with snort...

cheers,
--dr
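Added example, not code from the thread: the content: keyword in the rule above searches raw packet bytes, and on the wire a DNS name is a sequence of length-prefixed labels with no dots, so content: "fqdn.host.net" does not match the DNS query for that host. The script below builds a constructed libpcap file (names, addresses and IDs are made up) and contrasts a raw byte search with a match on the decoded question name.

```python
import struct

def encode_dns_name(name):
    """DNS wire format: each label prefixed by its length, terminated by a 0 byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_dns_name(data, off):
    """Read uncompressed labels at off (the constructed sample uses no pointers)."""
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels)

def dns_query(name):
    """Standard query: header (id, RD flag, qdcount=1), QNAME, QTYPE A, QCLASS IN."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)

def pcap_with_udp(payloads):
    """Constructed libpcap file: Ethernet/IPv4/UDP (dport 53) around each payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype Ethernet
    for ts, p in enumerate(payloads):
        udp = struct.pack("!HHHH", 40000, 53, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp  # made-up addresses
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def udp_payloads(pcap):
    """Yield (packet index, UDP payload) for every Ethernet/IPv4/UDP packet in the file."""
    off, idx = 24, 0
    while off < len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] == b"\x08\x00" and frame[23] == 17:  # IPv4 carrying UDP
            ihl = (frame[14] & 0x0F) * 4
            yield idx, frame[14 + ihl + 8:]
        idx += 1

def match_content(pcap, text):
    """What a content: rule does: a raw byte search in the packet payload."""
    return [i for i, p in udp_payloads(pcap) if text.encode() in p]

def match_dns_qname(pcap, name):
    """Decode the DNS question name (at offset 12, after the header) before comparing."""
    return [i for i, p in udp_payloads(pcap) if decode_dns_name(p, 12) == name]

SAMPLE = pcap_with_udp([dns_query("fqdn.host.net"), dns_query("other.example")])
```

match_content(SAMPLE, "fqdn.host.net") returns an empty list while match_dns_qname(SAMPLE, "fqdn.host.net") returns [0]; a single label such as "host" does match literally, which is why a content: rule on one label is the workable snort approximation.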