I am attempting to generate a list of NetBIOS names and IP addresses from WINS replies. I would like to find a way to either create custom columns in Wireshark and/or get the textual output using tshark. I have not been able to include a slice (i.e. frame[55:33]) in a display filter. My second stumbling block is that Windows encodes (MS calls it compression) the hostname in the reply. Any assistance with this would be greatly appreciated. asked 23 Sep '13, 16:56 astrader edited 24 Sep '13, 20:06 cmaynard ♦♦
2 Answers:
Unfortunately, as per my comment, there's really no way to do that. I'll look at fixing that for the next major release; if the fixes aren't too complicated (I don't expect them to be too complicated), it might be worth backporting them to the 1.10 branch, so 1.10.3 or some other future 1.10.x release also lets you do that. answered 24 Sep '13, 15:37 Guy Harris ♦♦
Wireshark supports columns for every field. Find the field you want to display in the protocol tree, right click it and then select "Apply as Column". I haven't looked at WINS in Wireshark lately as we don't use it in our environment, but if you can't get Wireshark to do what you need, then Network Monitor from MS should handle it. answered 24 Sep '13, 03:00 grahamb ♦
Unfortunately, in 1.10.x and prior releases, there is no field for the NetBIOS names or IP addresses in NBNS packets, so he can't find the field in question. Even more unfortunately, that's still true in the trunk, so, unless it's converted to use named fields, that will still be true in 1.12.x. (24 Sep '13, 15:36) Guy Harris ♦♦
It's a bit more complicated - a NetBIOS name is typically 15 characters of name and one byte of "name type", so we'd need to think about what the right thing to do there is.
As far as MS is concerned NetBIOS names are definitely 15 characters with a 1 byte suffix. The suffixes are enumerated, e.g. here, although that KB article is old, so there may be newer values; so I would think two fields, one for the name and one for the suffix.
Are there any NetBIOS implementations out there that don't follow the MS path and use the full 16 characters for the name that might fall foul of the two fields suggestion?
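Since the releases discussed in the thread expose no named field for the NetBIOS name or the addresses, the practical route is to decode the NBNS answer yourself. The following is an added example, not code from the thread or from Wireshark: it reverses the first-level encoding the question calls Microsoft's "compression" (RFC 1002 section 4.1: each of the 16 name bytes becomes two letters 'A'..'P'), splits the result into the 15-character name and the 1-byte suffix as suggested in the comments above, and walks the NB resource records to pull out the IP addresses. The sample packet is constructed by hand from the RFC 1002 layout (192.0.2.0/24 is documentation address space), the NB_FLAGS value 0x6000 is the unique/H-node value Windows hosts send, and names are rendered as latin-1, which is an assumption: real names are in the sender's OEM code page. Carving the UDP port 137 payloads out of a capture file is not shown.

```python
"""Decode NBNS/WINS positive name query responses into (name, suffix, IPs).

Added example, not from the original thread. RFC 1002 layout; sample packet
and addresses are constructed for illustration.
"""
import socket
import struct
from typing import Dict, List, Tuple

NB_RR_TYPE = 0x0020     # RFC 1002 "NB" resource record type
NB_GROUP_FLAG = 0x8000  # G bit in NB_FLAGS: 1 = group name, 0 = unique name


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 chars space-padded + suffix byte, each nibble -> 'A'..'P'."""
    raw = name.upper().encode("latin-1")[:15].ljust(15, b" ") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Reverse the first-level encoding; returns (name without padding, suffix byte).
    Assumption: latin-1 rendering; real names use the sender's OEM code page."""
    if len(label) != 32:
        raise ValueError("first-level encoded name must be exactly 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = label[i] - 0x41, label[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P' in encoded name")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def read_name(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a label sequence at off; return (first label, offset after the field).
    Follows 0xC0 pointers (allowed by RFC 1002) and skips any scope labels."""
    first, end, hops = None, None, 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            hops += 1
            if hops > 8:
                raise ValueError("pointer loop in name")
            continue
        off += 1
        if ln == 0:
            break
        if off + ln > len(buf):
            raise ValueError("truncated label")
        if first is None:
            first = buf[off:off + ln]
        off += ln
    if first is None:
        raise ValueError("empty name")
    return first, (end if end is not None else off)


def parse_nbns_response(pkt: bytes) -> List[Dict]:
    """One dict per NB answer: name, suffix, ttl, addresses as [(ip, is_group)]."""
    if len(pkt) < 12:
        raise ValueError("short NBNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qdcount):                       # responses rarely carry a question; skip if present
        _, off = read_name(pkt, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        label, off = read_name(pkt, off)
        rr_type, _cls, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rr_type != NB_RR_TYPE:
            continue
        name, suffix = decode_netbios_name(label)
        addresses = []
        for i in range(0, rdlen - rdlen % 6, 6):   # each entry: NB_FLAGS(2) + NB_ADDRESS(4)
            nb_flags = struct.unpack_from("!H", rdata, i)[0]
            addresses.append((socket.inet_ntoa(rdata[i + 2:i + 6]), bool(nb_flags & NB_GROUP_FLAG)))
        records.append({"name": name, "suffix": suffix, "ttl": ttl, "addresses": addresses})
    return records


def format_records(records: List[Dict]) -> List[str]:
    """Render as NAME<xx> ip[,ip], i.e. the two-field split (name, suffix) from the thread."""
    return [f"{r['name']}<{r['suffix']:02x}> " + ",".join(ip for ip, _ in r["addresses"]) for r in records]


# Constructed positive name query response for FILESRV01<20> with two addresses.
SAMPLE_RESPONSE = (
    bytes.fromhex("beef 8580 0000 0001 0000 0000")            # ID, flags QR|AA|RD|RA, QD=0, AN=1
    + b"\x20" + b"EGEJEMEFFDFCFGDADB" + b"CA" * 7 + b"\x00"  # 32-byte encoded label, no scope
    + bytes.fromhex("0020 0001 000493e0 000c")               # type NB, class IN, TTL 300000, RDLEN 12
    + bytes.fromhex("6000 c000020a")                         # unique, H-node, 192.0.2.10
    + bytes.fromhex("6000 c000020b")                         # unique, H-node, 192.0.2.11
)

if __name__ == "__main__":
    for line in format_records(parse_nbns_response(SAMPLE_RESPONSE)):
        print(line)
```

Feeding it real traffic means extracting the UDP payload of each port 137 packet from the capture and calling parse_nbns_response on it; a node status (NBSTAT) response uses a different RDATA layout and is deliberately skipped here because its RR type is not NB.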