Filters that I sometimes use.
tcp.flags.syn==1 && tcp.flags.ack==0
— every SYN without an ACK, i.e. the first packet of each attempted TCP connection (this also shows SYN retransmissions and SYN scans, not only handshakes that completed)
drda.sqlstatement
— only packets that carry the text of an SQL statement (DRDA is the wire protocol of IBM DB2 and other DRDA databases)
drda.sqlstatement matches r"^\s*(insert|update|delete)"
— only packets whose SQL statement modifies data; 'matches' is a PCRE match and is case-insensitive by default, and the r"..." raw-string form needs Wireshark 4.0 or later (on older versions double the backslash in a normal string: "^\\s*(insert|update|delete)")
To get just a list of the SQL queries in a .pcap file, run this at the command line:
tshark -2 -R 'drda.sqlstatement' -Tfields -e 'drda.sqlstatement' -E "aggregator=$( echo -en \\005 )" -r MY_FILE.pcap | sed 's/\x05/\n/g'
(the 'aggregator' and 'sed' gibberish is a workaround: when one packet carries several SQL statements, -Tfields prints them on a single line joined by the aggregator character, a comma by default, which also occurs inside SQL text; so the command joins them with byte 0x05 instead and sed splits them back onto separate lines. -R is a read filter and requires two-pass mode, -2; with the display filter form -Y 'drda.sqlstatement' the -2 can be dropped.)
SQL parameters aren't displayed here, only the '?' placeholders, because DRDA sends the bound values in separate data objects (SQLDTA) rather than inside the statement text. Tshark also has a -T json mode (and -T pdml, the XML equivalent) that emits Wireshark's full dissection in a machine-readable form, which a Perl script could ingest to print each query together with the parameter values that were used with it.
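As an added example of that idea (in Python rather than Perl, and not the author's script), here is a small parser for tshark -T json output. The sample JSON is hand-constructed to mirror the `_source` -> `layers` nesting tshark produces; the exact placement of the DRDA keys in real output may differ, which is why the walker searches the whole tree by field name, and `drda.ddm.codepoint` in the sample is only there as decoration (verify any field name with `tshark -G fields | grep drda`). The one thing worth learning from it beyond the paragraph: tshark repeats a JSON key when a layer or field occurs more than once in a packet (unless you pass `--no-duplicate-keys`), and Python's json.loads silently keeps only the last duplicate, so a naive parser drops statements. The script keeps them with an object_pairs_hook and flags writes with the same regex as the display filter above.

```python
import json
import re
import sys

# Constructed sample of `tshark -T json` output (hand-written for this example,
# not a real capture). Packet 15 repeats the "drda" key on purpose: tshark does
# that for repeated layers unless run with --no-duplicate-keys, and a plain
# json.loads keeps only the last one.
SAMPLE_JSON = r'''
[
  {
    "_source": {
      "layers": {
        "frame": {"frame.number": "12"},
        "drda": {
          "drda.ddm": {"drda.ddm.codepoint": "0x2414"},
          "drda.sqlstatement": "SELECT name FROM users WHERE id = ?"
        }
      }
    }
  },
  {
    "_source": {
      "layers": {
        "frame": {"frame.number": "15"},
        "drda": {"drda.sqlstatement": "update users set email = ? where id = ?"},
        "drda": {"drda.sqlstatement": "  DELETE FROM sessions WHERE user_id = ?"}
      }
    }
  }
]
'''

# Same test as the display filter drda.sqlstatement matches r"^\s*(insert|update|delete)";
# Wireshark's 'matches' is case-insensitive by default, hence re.IGNORECASE.
WRITE_RE = re.compile(r"^\s*(insert|update|delete)", re.IGNORECASE)


class Repeated(list):
    """Values of a JSON key that occurred more than once in the same object."""


def keep_duplicates(pairs):
    """object_pairs_hook that preserves repeated keys instead of dropping them."""
    out = {}
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif isinstance(out[key], Repeated):
            out[key].append(value)
        else:
            out[key] = Repeated([out[key], value])
    return out


def iter_field(node, name):
    """Yield every string value of field `name` anywhere below `node`, in order."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == name:
                for v in (value if isinstance(value, list) else [value]):
                    if isinstance(v, str):
                        yield v
            else:
                yield from iter_field(value, name)
    elif isinstance(node, list):
        for item in node:
            yield from iter_field(item, name)


def extract_statements(tshark_json, keep_dups=True):
    """Return one dict per SQL statement found: frame number, statement text, write flag.

    keep_dups=False uses the default json.loads behaviour, which loses statements
    whenever tshark emitted duplicate keys; it is here only to show the difference.
    """
    hook = keep_duplicates if keep_dups else None
    packets = json.loads(tshark_json, object_pairs_hook=hook)
    rows = []
    for pkt in packets:
        layers = pkt.get("_source", {}).get("layers", {})
        frame = next(iter_field(layers, "frame.number"), "?")
        for stmt in iter_field(layers, "drda.sqlstatement"):
            rows.append({"frame": frame, "sql": stmt.strip(),
                         "write": WRITE_RE.match(stmt) is not None})
    return rows


if __name__ == "__main__":
    # Real data: tshark -2 -R drda.sqlstatement -T json -r MY_FILE.pcap | python3 drda_sql.py
    data = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    for row in extract_statements(data):
        kind = "WRITE" if row["write"] else "read "
        print(f"frame {row['frame']:>6}  {kind}  {row['sql']}")
```

Run without input it parses the constructed sample and prints three statements; with keep_dups=False the UPDATE in frame 15 disappears, which is exactly the kind of silent loss you do not want in an audit trail. The same walker can be pointed at whatever field the parameter values turn out to live under once you have identified it with tshark -G fields.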
Incidental information: to highlight just the "FROM" section of each SQL query in Vim, search for /\vfrom.*( where| order)@= . Note that .* is greedy, so in a query with more than one WHERE or ORDER (a subquery, say) the match runs on to the last one; use /\vfrom.{-}( where| order)@= to stop at the first.