This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display filter for nbns query type

0

How can I filter NetBIOS frames on hostnames or query types or names?

I am looking for something elegant like dns.qry.name.

Right now I am using a kludge like "udp.port == 137 and frame[88:2] == 00:20", which is not nice when working with VLANs.

Any hint is appreciated.

asked 15 Mar '11, 17:43


packethunter
accept rate: 8%

edited 15 Mar '11, 17:46


One Answer:

3

nbns.flags.opcode == {the query type} if you want to look for particular NBNS packet types. You can either use the numerical value of the field, e.g. 0 for a query, 5 for a registration, 6 for a release, 7 for wait for acknowledgement, 8 for refresh, 9 for alternate refresh, and 15 for multi-homed registration, or you can put the descriptive name in quotes, e.g. "Name query", "Registration", "Release", etc.

Unfortunately, the NBNS dissector currently doesn't have named fields for the names in packets, so you can't filter on them except by looking at raw packet data; however, try "nbns[offset:2] == 00:20", where "offset" is the offset from the beginning of the NBNS header, instead of "frame[88:2] == 00:20" - that should at least fix the VLAN issue.

answered 15 Mar '11, 18:02


Guy Harris ♦♦
accept rate: 19%
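As an added example (not part of the original question or answer), the Python below builds NBNS packets per RFC 1002 and works out where the QUESTION_TYPE field that "00:20" matches actually sits: relative to the NBNS header (the "offset" the answer suggests for nbns[offset:2]) and relative to the frame start with and without one 802.1Q tag, which is why the frame[88:2] kludge stops matching on VLAN trunks. The host name, transaction ID and flag bits are constructed sample values; the frame offsets assume Ethernet II, IPv4 without options and UDP, and the slice offset assumes a question name with no scope ID.

```python
import struct

# Layer sizes used to translate an NBNS-relative offset into a frame offset
# (assumptions: Ethernet II, IPv4 without options, UDP).
ETH_HDR_LEN = 14      # untagged Ethernet II header
VLAN_TAG_LEN = 4      # one 802.1Q tag, if present
IPV4_HDR_LEN = 20     # IPv4 header without options
UDP_HDR_LEN = 8
NBNS_HDR_LEN = 12     # NAME_TRN_ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

OPCODE_QUERY, OPCODE_REGISTRATION, OPCODE_RELEASE = 0, 5, 6
QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-byte space-padded name plus a
    one-byte suffix, each byte split into two nibbles offset from 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns_packet(name: str, opcode: int, qtype: int = QTYPE_NB,
                      trn_id: int = 0x1234, suffix: int = 0x00) -> bytes:
    """Header plus one question, no scope ID (the common single-label case).
    Flags layout: R(1) OPCODE(4) NM_FLAGS(7) RCODE(4); RD and B are set."""
    flags = (opcode & 0x0F) << 11 | 0x0100 | 0x0010
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 0x0001)


def nbns_opcode(nbns: bytes) -> int:
    """Value that the display filter nbns.flags.opcode compares against."""
    flags = struct.unpack_from("!H", nbns, 2)[0]
    return (flags >> 11) & 0x0F


def question_type_offset(nbns: bytes) -> int:
    """Walk the QUESTION_NAME labels to find QUESTION_TYPE: the 'offset' for
    nbns[offset:2]. A scope ID adds labels and pushes it further, so compute it."""
    pos = NBNS_HDR_LEN
    while nbns[pos] != 0:
        pos += 1 + nbns[pos]
    return pos + 1


def frame_offset(nbns_offset: int, vlan_tagged: bool) -> int:
    """The same field as seen by frame[...]; it shifts by 4 on tagged frames."""
    tag = VLAN_TAG_LEN if vlan_tagged else 0
    return ETH_HDR_LEN + tag + IPV4_HDR_LEN + UDP_HDR_LEN + nbns_offset


def display_filters(nbns: bytes) -> dict[str, str]:
    """Equivalent Wireshark display filters for this packet's opcode and qtype."""
    off = question_type_offset(nbns)
    qtype = struct.unpack_from("!H", nbns, off)[0]
    value = f"{qtype >> 8:02x}:{qtype & 0xFF:02x}"
    return {
        "opcode": f"nbns.flags.opcode == {nbns_opcode(nbns)}",
        "nbns_slice": f"nbns[{off}:2] == {value}",
        "frame_untagged": f"udp.port == 137 and frame[{frame_offset(off, False)}:2] == {value}",
        "frame_vlan": f"udp.port == 137 and frame[{frame_offset(off, True)}:2] == {value}",
    }


if __name__ == "__main__":
    pkt = build_nbns_packet("FILESRV", OPCODE_QUERY)   # constructed sample query
    for label, flt in display_filters(pkt).items():
        print(f"{label:15} {flt}")
```

For a plain name query the QUESTION_TYPE lands at NBNS offset 46, i.e. frame offset 88 on an untagged frame and 92 once a VLAN tag is present; "nbns[46:2] == 00:20" matches both, which is the point of the answer's suggestion. If the packet carries a scope ID, or the IP header has options, the hard-coded numbers move again, so compute the offset from the packet rather than assuming it.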