How to capture UDP traffic and not NBNS traffic?

asked 2018-01-02

updated 2018-01-02

Hi -

I'm sure this question has been asked and answered many times, but I can't find what I'm looking for.

I'm trying to apply filters so I only see traffic between two devices, and only when they're of UDP protocol. In the display filter, I use this:

(ip.addr == || ip.src ==

and in Capture->Options, I've selected the (presupplied) udp filter. I'm still seeing traffic of other protocols, though. Can someone tell me what I'm doing wrong? Thanks.

2 Answers

answered 2018-01-02

The protocol I'm seeing that I don't wish to is NBNS.

NBNS runs atop UDP, on port 137, so a capture filter that captures only UDP traffic, and doesn't capture UDP traffic that's NBNS traffic, would be udp && !udp port 137.

Beautiful. That helps a lot. Thanks...I'd upvote you if I could.

@mzimmers If this is the correct answer for you, you should be able to click the checkmark indicating so.

@Jaap: done, and thanks.

answered 2018-01-02

The pipes (||) are a logical "or" so your filter says anything to/from or from You will want to use two ampersands (&&).

(ip.addr == && ip.src ==

This will only be one direction though (sourced from .22). You might want to use ip.addr for both statements to get bidirectional traffic.

(ip.addr == && ip.addr ==

The UDP capture filter should limit it to only UDP packets. Are you sure you aren't just seeing the other protocols that rely on UDP for transmission, such as DNS?

Thanks for the response. The protocol I'm seeing that I don't wish to is NBNS. The communication between the two devices is socket-based; perhaps there's a way to filter based on the socket number or something?

Try this: (ip.addr == && ip.addr == && !nbns

You can also filter on port number (socket) such as:

(ip.addr == && ip.addr == && tcp.port==##

Whatever that port number is in this case
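To make the difference between the asker's original filter and the two corrected forms in this answer concrete, here is a small added example (not from the thread or from Wireshark) that models the filters as predicates over constructed packet records; the addresses 10.0.0.22, 10.0.0.50 and 10.0.0.99 are hypothetical stand-ins for the ones elided from the question, and !nbns is approximated as "UDP port 137" exactly as the accepted answer does.

```python
from dataclasses import dataclass

NBNS_PORT = 137  # NetBIOS Name Service runs over UDP/137

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int

# Constructed sample traffic with hypothetical addresses (not from the thread).
HOST_A, HOST_B, HOST_C = "10.0.0.22", "10.0.0.50", "10.0.0.99"
SAMPLE = [
    Pkt(HOST_A, HOST_B, "udp", 40000, 5000),      # A -> B application UDP
    Pkt(HOST_B, HOST_A, "udp", 5000, 40000),      # B -> A reply
    Pkt(HOST_A, "10.0.0.255", "udp", 137, 137),   # NBNS broadcast from A
    Pkt(HOST_A, HOST_C, "tcp", 40001, 443),       # unrelated TCP to a third host
    Pkt(HOST_C, HOST_B, "udp", 137, 137),         # NBNS from a third host to B
]

def is_nbns(p):
    return p.proto == "udp" and NBNS_PORT in (p.sport, p.dport)

def capture_udp_not_nbns(p):
    """Capture filter from the accepted answer: udp && !udp port 137."""
    return p.proto == "udp" and not is_nbns(p)

def display_or(p):
    """The asker's filter: ip.addr == A || ip.src == B (too broad: '||' is OR)."""
    return HOST_A in (p.src, p.dst) or p.src == HOST_B

def display_and_src(p):
    """ip.addr == A && ip.src == B (correct operator, but one direction only)."""
    return HOST_A in (p.src, p.dst) and p.src == HOST_B

def display_pair_no_nbns(p):
    """ip.addr == A && ip.addr == B && !nbns (bidirectional, NBNS excluded)."""
    return HOST_A in (p.src, p.dst) and HOST_B in (p.src, p.dst) and not is_nbns(p)

def apply(filter_fn, pkts=SAMPLE):
    """Return the packets a filter would keep."""
    return [p for p in pkts if filter_fn(p)]

if __name__ == "__main__":
    for name, fn in [("capture", capture_udp_not_nbns), ("||", display_or),
                     ("&& ip.src", display_and_src), ("pair !nbns", display_pair_no_nbns)]:
        print(f"{name:>11}: {len(apply(fn))} of {len(SAMPLE)} packets kept")
```

Running it shows the OR filter keeping 4 of 5 packets (including the TCP flow to the third host), the ip.src form keeping only the B-to-A direction, and the final pair filter keeping just the two application packets.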
