This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am attempting to generate a list of netbios names and IP addresses from WINS replies.

I would like to find a way to either create custom columns in wireshark and / or get the textual output using tshark. I have not been able to include a slice (IE:frame[55:33]) in a display filter. My Second Stumbling block is that windows encodes (MS calls it compression) the hostname in the reply.

Any assistance with this would be greatly appreciated.

asked 23 Sep '13, 16:56

astrader's gravatar image

astrader
26336
accept rate: 0%

edited 24 Sep '13, 20:06

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142


Unfortunately, as per my comment, there's really no way to do that. I'll look at fixing that for the next major release; if the fixes aren't too complicated (I don't expect them to be too complicated), it might be worth backporting them to the 1.10 branch, so 1.10.3 or some other future 1.10.x release also lets you do that.

permanent link

answered 24 Sep '13, 15:37

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

It's a bit more complicated - a NetBIOS name is typically 15 characters of name and one byte of "name type", so we'd need to think about what the right thing to do there is.

(24 Sep '13, 15:40) Guy Harris ♦♦

As far as MS is concerned NetBIOS names are definitely 15 characters with a 1 byte suffix. The suffixes are enumerated, e.g. here although that kb article is old so there may be newer values, so I would think two fields, one for the name and one for the suffix.

Are there any NetBIOS implementations out there that don't follow the MS path and use the full 16 characters for the name that might fall foul of the two fields suggestion?

(25 Sep '13, 02:05) grahamb ♦

Wireshark supports columns for every field. Find the field you want to display in the protocol tree, right click it and then select "Apply as Column".

I haven't looked at WINS in Wireshark lately as we don't use it in our environment, but if you can't get Wireshark do do what you need, then Network Monitor from MS should handle it.

permanent link

answered 24 Sep '13, 03:00

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Unfortunately, in 1.10.x and prior releases, there is no field for the NetBIOS names or IP addresses in NBNS packets, so he can't find the field in question.

Even more unfortunately, that's still true in the trunk, so, unless it's converted to use named fields, that will still be true in 1.12.x.

(24 Sep '13, 15:36) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×15
×12
×1

question asked: 23 Sep '13, 16:56

question was seen: 3,671 times

last updated: 25 Sep '13, 02:05

p​o​w​e​r​e​d by O​S​Q​A