Ask Your Question
0

How to capture UDP traffic and not NBNS traffic?

asked 2018-01-02 17:29:22 +0000

mzimmers gravatar image

updated 2018-01-02 18:53:31 +0000

Guy Harris gravatar image

Hi -

I'm sure this question has been asked and answered many times, but I can't find what I'm looking for.

I'm trying to apply filters so I only see traffic between two devices, and only when they're of UDP protocol. In the display filter, I use this:

(ip.addr == 192.168.70.20 || ip.src == 192.168.70.22)

and in Capture->Options, I've selected the (presupplied) udp filter. I'm still seeing traffic of other protocols, though. Can someone tell me what I'm doing wrong? Thanks.

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2018-01-02 18:51:59 +0000

Guy Harris gravatar image

The protocol I'm seeing that I don't wish to is NBNS.

NBNS runs atop UDP, on port 137, so a capture filter that captures only UDP traffic, and doesn't capture UDP traffic that's NBNS traffic, would be udp && !udp port 137.

edit flag offensive delete link more

Comments

Beautiful. That helps a lot. Thanks...I'd upvote you if I could.

mzimmers gravatar imagemzimmers ( 2018-01-02 18:56:52 +0000 )edit

@mzimmers If this is the correct answer for you, you should be able to click the checkmark indicating so.

Jaap gravatar imageJaap ( 2018-01-03 06:52:59 +0000 )edit

@Jaap: done, and thanks.

mzimmers gravatar imagemzimmers ( 2018-01-03 15:02:19 +0000 )edit
add a comment
0

answered 2018-01-02 17:39:34 +0000

csereno gravatar image

updated 2018-01-02 17:40:28 +0000

The pipes (||) are a logical "or" so your filter says anything to/from 192.168.70.20 or from 192.168.70.22. You will want to use two ampersands (&&).

(ip.addr == 192.168.70.20 && ip.src == 192.168.70.22)

This will only be one direction though (sourced from .22). You might want to use ip.addr for both statements to get bidirectional traffic.

(ip.addr == 192.168.70.20 && ip.addr == 192.168.70.22)

The UDP capture filter should limit it to only UDP packets. Are you sure you aren't just seeing the other protocols that rely on UDP for transmission, such as DNS?

edit flag offensive delete link more

Comments

Thanks for the response. The protocol I'm seeing that I don't wish to is NBNS. The communication between the two devices is socket-based; perhaps there's a way to filter based on the socket number or something?

mzimmers gravatar imagemzimmers ( 2018-01-02 18:20:12 +0000 )edit

Try this: (ip.addr == 192.168.70.20 && ip.addr == 192.168.70.22) && !nbns

csereno gravatar imagecsereno ( 2018-01-02 18:42:28 +0000 )edit

You can also filter on port number (socket) such as:

(ip.addr == 192.168.70.20 && ip.addr == 192.168.70.22) && tcp.port==##

Whatever that port number is in this case

csereno gravatar imagecsereno ( 2018-01-02 18:43:37 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-01-02 17:29:22 +0000

Seen: 24,725 times

Last updated: Jan 02 '18

Related questions

How can I edit or expand a protocol like `bitcoin`

Capture incoming packets from remote web server

Localhost capturing

How to filter out TCP retransmissions

My UDP packets aren't showing

Using tshark filters to extract only interesting traffic from 12GB trace

Capture Filters - SSL Handshake or HEX

Is it possible to test a capture filter with already captured traffic?

What is the udp.length display filter actually for?

How would I map this display filter to a capture filter?