Hi, new to Wireshark and eager to learn more about it,but I got into it for a specific reason. Trying to learn on my feet but so much to take in, so I thought I would ask the experts for some help and guidance. First Part. I am wanting to monitor a particular IP address on our network for NetBIOS traffic. What would be the best filters to use for this. Second Part: Same as above but to scan a range of IP's. I want to be able to run the scan. Then disable NetBIOS over TCP/IP. Run a second scan and show the results between the two. Would really appreciate some guidance on this. Thanks all asked 27 May '16, 23:59  d95gas |
One Answer:
First you need to be sure about your capture setup to make sure you get to see the network traffic in the first place. Second you can apply a capture filter to (in real time) filter out all IP traffic from a single IP or subnet Up to now you limited the traffic to the relevant addresses, now you need to filter for the protocol. You can either filter on the port this traffic usually flows through (that can be used in a capture filter as well), or be used as a display filter (for limiting what's to be displayed). Since display filters have full access to the dissected protocols, these can also be for the NetBIOS protocol itself. answered 28 May '16, 13:29  Jaap ♦ |
And NetBIOS-over-TCP traffic will be traffic to or from ports 137, 138, and 139 - and if you also include SMB-over-TCP, that's port 445. So you can use the
portkeyword in a capture filter to limit the capture to those ports.Many thanks for response, exactly the information I was looking for..... I shall go away and do some more testing on my home LAN, see what interesting info I can see.
Many thanks
Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.
If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.