  • Wireshark - queries/filter/expression for nbns

    I am using Wireshark to sniff the WINS traffic that we have running on our network in an effort to get away from using WINS.

    The base filter I am using to see just the WINS traffic (query with response) is:

    nbns.flags == 0x0100 or nbns.flags == 0x8580

    I was wondering if someone can let me know how to filter the resultant traffic to skip traffic for a particular set of hosts (hostnames that I know, aka queries for the DC and mail server).

    Thanks in advance for your help.

    G
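    The following is an added example, not code from the thread. It applies the poster's base filter (flags 0x0100 or 0x8580) and the requested "skip these hosts" step to a constructed set of NBNS packets, by parsing the NetBIOS Name Service format (RFC 1002 header plus first-level encoded name) directly in Python. Host names, addresses and transaction ids are made up; in Wireshark itself the equivalent exclusion would be written against the dissector's name field, e.g. `(nbns.flags == 0x0100 or nbns.flags == 0x8580) and !(nbns.name contains "DC01")` (field name assumed from the NBNS dissector, not from the post). Note that the base filter also drops negative responses (flags 0x8583), which are often the interesting ones when measuring what WINS is still resolving.

```python
import struct

# Flag values from the original post: a standard name query and a
# positive, authoritative, recursive name-query response.
QUERY_FLAGS = 0x0100
POSITIVE_RESPONSE_FLAGS = 0x8580
NEGATIVE_RESPONSE_FLAGS = 0x8583   # as above but RCODE 3 (name error)

TYPE_NB = 0x0020
CLASS_IN = 0x0001
HEADER = struct.Struct("!6H")      # transaction id, flags, QD/AN/NS/AR counts


def encode_netbios_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: 15-char space-padded name plus one
    suffix byte, each byte split into two nibbles and offset by 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"   # label length 32, then root label


def decode_netbios_name(payload, offset):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if payload[offset] != 32:
        raise ValueError("expected a 32-byte first-level encoded label")
    enc = payload[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns(payload):
    """Parse the header and the first name of an NBNS packet; in both a
    query and a name-query response the name follows the 12-byte header."""
    if len(payload) < HEADER.size + 34:
        raise ValueError("packet too short for an NBNS name packet")
    trn_id, flags, _qd, _an, _ns, _ar = HEADER.unpack_from(payload, 0)
    name, suffix = decode_netbios_name(payload, HEADER.size)
    return {"id": trn_id, "flags": flags, "name": name, "suffix": suffix}


def build_query(trn_id, name, suffix=0x20):
    header = HEADER.pack(trn_id, QUERY_FLAGS, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", TYPE_NB, CLASS_IN)


def build_response(trn_id, name, ip=None, suffix=0x20):
    """Positive response carries one NB record (NB_FLAGS + IPv4);
    a negative response (ip=None) carries an empty record and RCODE 3."""
    if ip is None:
        flags, ttl, rdata = NEGATIVE_RESPONSE_FLAGS, 0, b""
    else:
        flags, ttl = POSITIVE_RESPONSE_FLAGS, 300000
        rdata = struct.pack("!H4B", 0x0000, *ip)   # NB_FLAGS: unique name, B-node
    header = HEADER.pack(trn_id, flags, 0, 1, 0, 0)
    record = encode_netbios_name(name, suffix) + struct.pack(
        "!HHIH", TYPE_NB, CLASS_IN, ttl, len(rdata)) + rdata
    return header + record


def filter_traffic(packets, excluded_names):
    """The poster's base filter (query or positive response) with the
    already-known hosts removed."""
    kept = []
    for raw in packets:
        pkt = parse_nbns(raw)
        if pkt["flags"] not in (QUERY_FLAGS, POSITIVE_RESPONSE_FLAGS):
            continue
        if pkt["name"] in excluded_names:
            continue
        kept.append(pkt)
    return kept


def count_names(packets):
    """Per-name packet tally, usable for a before/after WINS comparison."""
    counts = {}
    for raw in packets:
        name = parse_nbns(raw)["name"]
        counts[name] = counts.get(name, 0) + 1
    return counts


def sample_traffic():
    """Constructed sample capture; names, ids and addresses are made up."""
    return [
        build_query(1, "DC01", suffix=0x1C),                     # <1C>: domain controller
        build_response(1, "DC01", (10, 0, 0, 10), suffix=0x1C),
        build_query(2, "MAIL01"),
        build_response(2, "MAIL01", (10, 0, 0, 25)),
        build_query(3, "PRINTER7"),
        build_response(3, "PRINTER7"),                           # negative: not found
        build_query(4, "FILESRV"),
        build_response(4, "FILESRV", (10, 0, 0, 40)),
    ]


if __name__ == "__main__":
    pkts = sample_traffic()
    for p in filter_traffic(pkts, {"DC01", "MAIL01"}):
        print(f"id={p['id']} flags=0x{p['flags']:04x} name={p['name']}<{p['suffix']:02x}>")
    print(count_names(pkts))
```

    Running the block prints the three packets that survive the filter (the PRINTER7 query and the FILESRV query/response pair); the PRINTER7 negative response is dropped by the base filter, not by the host exclusion, which is worth remembering when deciding whether the poster's two flag values are really the right starting point.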

  • #2
    Re: Wireshark - queries/filter/expression for nbns

    Hi,

    Slightly Re: Your other post also
    What have you got against WINS?
    Please note that getting rid of WINS will generate more broadcast traffic in your network, so the result will be the opposite of what you are looking for, not to mention the possible name resolution issues.

    Cheers
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Wireshark - queries/filter/expression for nbns

      I also seem to remember a very knowledgeable MVP mention that WINS was used by Exchange 2007 in some manner. Will have to try and find the link and post it here.
      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2



      • #4
        Re: Wireshark - queries/filter/expression for nbns

        There are some cases where you need WINS, but I think the need for WINS is dropping drastically.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Wireshark - queries/filter/expression for nbns

          If you have a properly functioning DNS infrastructure then dropping WINS will not appreciably increase broadcast traffic.



          • #6
            Re: Wireshark - queries/filter/expression for nbns

            Originally posted by joeqwerty:
            "If you have a properly functioning DNS infrastructure then dropping WINS will not appreciably increase broadcast traffic."
            It depends on what you mean by "appreciably increase"!!
            MS resolves names in two different ways depending on whether the name is a hostname or NetBIOS name.

            If NetBIOS over TCP/IP (NBT) is enabled, then these are a few of the resolution methods used:

            If no WINS server is specified it uses the B-Node as follows:
            • NetBIOS name cache
            • NetBIOS b-node broadcast
            • lmhosts file
            • hosts file
            • DNS


            If however WINS is specified, it uses the H-Node as follows:
            • NetBIOS name cache
            • WINS (3 attempts)
            • NetBIOS b-node broadcast
            • lmhosts file
            • hosts file
            • DNS


            So if the resolution method used is the B-node, then before any resolution attempt via the DNS server is made, a broadcast will be used (up to three times, I think). If the broadcast doesn't successfully resolve the NetBIOS name, then the other methods will be used as above, including DNS in the end.

            Sorry for going on too much about this. The whole name resolution thing seems to be a bit of "order through chaos". It would have been much easier if NetBIOS didn't exist at all, wouldn't it?
            But unfortunately, until SMB ceases to be used by MS and NetBIOS name resolution is fully handled by DNS, we'll have to cope with the extra bit of broadcast traffic on the LAN.

            @glacieredlightning

            Please post the results of your traffic sniff pre and post WINS if you can, and you might notice the increase in NBT packets.
            Also, don't forget that MS Exchange, amongst others, depends somehow on proper NetBIOS resolution.
            I am not quite sure to what extent Exchange 2007 has inherited this, as Biggles77 mentioned, but we'll probably get more on that when the link comes.
            In the meantime this one provides some insight into pre-2007 Exchange environments:
            http://support.microsoft.com/?id=837391

            And, browsing via network places won't be functional either if that bothers you.

            Cheers