Ethereal-users: Re: [Ethereal-users] Filtering based on netbios/netbeui

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 6 Dec 2001 14:13:59 -0800 (PST)
> I have two win2k Professional machines and one runs
> ethereal and is being attempted with windows logons by
> the other.  I have set ethereal to capture only
> netlogon and netbios protocols on the Edit-Protocols
> menu

That's *not* what the "Edit->Protocols" dialog box does.

It doesn't control what protocols Ethereal *captures*, it controls what
protocols Ethereal *analyzes* in packets it's already captured.

And if you've told it to analyze only those protocols, you've told it
not to analyze the Ethernet protocol, for example; unfortunately, as
you're capturing on Ethernet, and as Ethereal can't determine what type
of Ethernet packet a packet is if it doesn't analyze the Ethernet
protocol, it can't determine whether a packet is a NetBIOS protocol
(whether it's NetBIOS-over-IPX, or NetBIOS-over-TCP, or
NetBIOS-over-802.2, or whatever).

There *is* no capture filter option to capture only Netlogon packets
(the capabilities of the code in the WinPcap driver in the kernel - and
in the BPF code in the kernels of several versions of UNIX, and in
libpcap - are somewhat limited, so that you can put it into the kernel
and thus avoid having to copy every single packet received to the
program in user mode).

If you want to capture only NetBIOS packets that might contain Netlogon
messages (although it may capture other packets as well), then:

	if you're running only NetBIOS-over-TCP, you should use a filter
	of

		udp port 138 or tcp port 139

	(I forget whether Netlogon uses the datagram or session service,
	so I'm setting it up to capture both, which may capture more
	data than you want, but so it goes);

	if you're running NBF or NetBEUI or whatever the
	NetBIOS-over-802.2 stuff is called these days, the filter would
	be more complicated if you're running WinPcap 2.2 (as that was
	based on libpcap 0.5, which didn't support "netbeui" as a
	filter), and I don't remember what it'd be - if you run the
	WinPcap 2.3 beta, however, a filter of

		netbeui

	should work;

	if you're running both, you could do

		udp port 138 or tcp port 139 or netbeui

	if you're using WinPcap 2.3 beta (or replace "netbeui" with
	whatever the filter would be for older versions of libpcap if
	you're using WinPcap 2.2).

Then you should be able to use the display filter in question *IF* you
don't turn off everything but NetBIOS and Netlogon in "Edit->Protocols"
(just leave "Edit->Protocols" alone).
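As an added illustration (not part of the original mail), the following Python mirrors the checks a BPF program for "udp port 138 or tcp port 139 or netbeui" has to make, which is why the Ethernet header must be parsed before the NetBIOS transport can be told apart. It assumes libpcap's "netbeui" keyword matches an 802.3 frame whose 802.2 DSAP is 0xF0, that "port" tests apply only to the first IPv4 fragment, and the sample frames are constructed here rather than taken from a capture.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
LLCSAP_NETBEUI = 0xF0      # LLC SAP the "netbeui" keyword is assumed to test

def matches_capture_filter(frame: bytes) -> bool:
    """True if an Ethernet frame passes 'udp port 138 or tcp port 139 or netbeui'.
    The Ethernet type/length field must be read first: only it says whether
    NetBIOS rides over 802.2 LLC or over IP (NetBIOS-over-IPX is not matched)."""
    if len(frame) < 16:
        return False
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len <= 1500:                  # 802.3 length field: 802.2 LLC follows
        return frame[14] == LLCSAP_NETBEUI   # DSAP byte
    if type_or_len != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return False                         # 'port' only matches the first fragment
    l4 = ip[ihl:ihl + 4]
    if len(l4) < 4:
        return False
    sport, dport = struct.unpack("!HH", l4)
    if ip[9] == IPPROTO_UDP:
        return 138 in (sport, dport)
    if ip[9] == IPPROTO_TCP:
        return 139 in (sport, dport)
    return False

# --- constructed sample frames (not from any real capture) ---
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def ip_frame(proto: int, sport: int, dport: int, frag_off: int = 0) -> bytes:
    """Minimal IPv4 frame: 20-byte header, no options, then just the two L4 ports."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag_off, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return (MAC_B + MAC_A + struct.pack("!H", ETHERTYPE_IPV4)
            + ip_hdr + struct.pack("!HH", sport, dport))

def llc_frame(dsap: int, ssap: int) -> bytes:
    """802.3 frame (length field) carrying an 802.2 LLC UI header plus padding."""
    payload = bytes([dsap, ssap, 0x03]) + b"\x00" * 43
    return MAC_B + MAC_A + struct.pack("!H", len(payload)) + payload
```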