This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, new to Wireshark and eager to learn more about it, but I got into it for a specific reason. Trying to learn on my feet but so much to take in, so I thought I would ask the experts for some help and guidance.

First Part: I am wanting to monitor a particular IP address on our network for NetBIOS traffic. What would be the best filters to use for this?

Second Part: Same as above but to scan a range of IPs.

I want to be able to run the scan. Then disable NetBIOS over TCP/IP. Run a second scan and show the results between the two.

Would really appreciate some guidance on this.

Thanks all

asked 27 May '16, 23:59

d95gas


First you need to be sure about your capture setup to make sure you get to see the network traffic in the first place.

Second you can apply a capture filter to (in real time) filter out all IP traffic from a single IP or subnet.

Up to now you limited the traffic to the relevant addresses; now you need to filter for the protocol. You can either filter on the port this traffic usually flows through (that can be used in a capture filter as well), or be used as a display filter (for limiting what's to be displayed). Since display filters have full access to the dissected protocols, these can also be for the NetBIOS protocol itself.

answered 28 May '16, 13:29

Jaap ♦

And NetBIOS-over-TCP traffic will be traffic to or from ports 137, 138, and 139 - and if you also include SMB-over-TCP, that's port 445. So you can use the port keyword in a capture filter to limit the capture to those ports.

(28 May '16, 23:46) Guy Harris ♦♦

Many thanks for response, exactly the information I was looking for..... I shall go away and do some more testing on my home LAN, see what interesting info I can see.

Many thanks

(03 Jun '16, 08:24) d95gas

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(03 Jun '16, 09:13) Jaap ♦
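
The workflow asked about in the question, built from the filters and ports mentioned in the answer and comments above, as an added example that is not part of the original thread. The function names, the 192.0.2.x addresses and the file names are constructed placeholders; `tshark` is the command-line tool shipped with Wireshark.

```shell
#!/bin/sh
# Added example: addresses, interface and file names are constructed placeholders.

# Build a pcap capture filter for NetBIOS-over-TCP/IP traffic of a single
# host (192.0.2.10) or a subnet in CIDR form (192.0.2.0/24).
# Pass "smb" as the second argument to also include SMB-over-TCP (port 445).
nb_capture_filter() {
    ports="port 137 or port 138 or port 139"
    if [ "${2:-}" = "smb" ]; then
        ports="$ports or port 445"
    fi
    case $1 in
        */*) scope="net $1" ;;   # CIDR notation: a range of addresses
        *)   scope="host $1" ;;  # a single address
    esac
    printf '%s and (%s)\n' "$scope" "$ports"
}

# Capture for a fixed time: nb_capture IFACE TARGET OUTFILE [SECONDS]
nb_capture() {
    tshark -i "$1" -f "$(nb_capture_filter "$2")" \
           -a "duration:${4:-300}" -w "$3"
}

# Count packets per dissected NetBIOS protocol in a capture file.
# nbns = name service (137), nbdgm = datagram service (138),
# nbss = session service (139); these are Wireshark display filter names.
nb_summary() {
    for proto in nbns nbdgm nbss; do
        n=$(tshark -r "$1" -Y "$proto" | wc -l | tr -d ' ')
        printf '%s %s\n' "$proto" "$n"
    done
}

# Usage:
#   script.sh capture eth0 192.0.2.0/24 before.pcapng 300
#   (disable NetBIOS over TCP/IP on the hosts, then capture to after.pcapng)
#   script.sh compare before.pcapng after.pcapng
case "${1:-}" in
    capture) nb_capture "$2" "$3" "$4" "${5:-300}" ;;
    compare) echo "== before =="; nb_summary "$2"
             echo "== after ==";  nb_summary "$3" ;;
esac
```

Hosts that still show `nbns`, `nbdgm` or `nbss` packets in the second capture are the ones where NetBIOS over TCP/IP is still enabled.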

question asked: 27 May '16, 23:59

question was seen: 2,637 times

last updated: 03 Jun '16, 09:13