This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I filter NetBIOS frames on hostnames or query types or names?

I am looking for something elegant like dns.qry.name.

Right now I using a cludge like "udp.port == 137 and frame[88:2] == 00:20" which is not nice when working with VLANs.

Any hint is appreciated.

asked 15 Mar '11, 17:43

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

edited 15 Mar '11, 17:46


nbns.flags.opcode == {the query type} if you want to look for particular NBNS packet types. You can either use the numerical value of the field, e.g. 0 of a query, 5 for a registration, 6 for a release, 7 for wait for acknowledgement, 8 for refresh, 9 for alternate refresh, and 15 for multi-homed registration, or you can put the descriptive name in quotes, e.g. "Name query", "Registration", "Release", etc..

Unfortunately, the NBNS dissector currently doesn't have named fields for the names in packets, so you can't filter on them except by looking at raw packet data; however, try "nbns[offset:2] == 00:20", where "offset" is the offset from the beginning of the NBNS header, instead of "frame[88:2] == 00:20" - that should at least fix the VLAN issue.

permanent link

answered 15 Mar '11, 18:02

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×165
×15

question asked: 15 Mar '11, 17:43

question was seen: 9,373 times

last updated: 15 Mar '11, 18:02

p​o​w​e​r​e​d by O​S​Q​A