This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

NetBT traffic for server

0

Hello

We are looking at disabling Netbios over TCP/IP on some of our Windows 2008 application servers. Since we don't use WINS, the server will be sending broadcasts for name resolution as far as I understand.

What I'd like to do is capture Netbios over TCP traffic using Wireshark

Server IP: 192.168.20.5 / 24

Is it just a case of display filtering on 137?

Also, would wireshark be any help in comparing the number of broadcast packets within a certain period with NetBT disabled and enabled so we can see how much broadcast traffic we're reducing?

asked 03 Mar '13, 13:03

TonyRobbins1978's gravatar image

TonyRobbins1978
6224
accept rate: 0%


2 Answers:

1

Since we don't use WINS, the server will be sending broadcasts for name resolution as far as I understand.

For purely-NetBIOS-based services, if there are any, disabling NetBIOS-over-TCP would probably either completely disable the service or force it to use the NetBIOS Frame (NBF) protocol, which only works on the same LAN segment as the server. I don't even know whether Windows 2008 supports NBF; I don't think modern versions of Windows do, although I think some of them can run the NBF driver from older versions of Windows. Name resolution for NBF is broadcast-based, but doesn't run over IP.

For SMB/CIFS file service, disabling NetBIOS-over-TCP would still allow SMB to run directly over TCP on port 445. Name resolution for SMB-over-TCP would be done using DNS, which isn't broadcast-based. SMB/CIFS can also run over NBF; as indicated, NBF name resolution is broadcast-based.

Note that "NetBIOS-over-TCP" really means "NetBIOS-over-IP" or "NetBIOS-over-TCP-and-UDP", as UDP is used for name resolution and the NetBIOS datagram services. If you want to see whether there is any NetBIOS-over-TCP name resolution happening after you disable NetBIOS-over-TCP on the server, look for packets going to or from UDP port 137; you can use a capture filter of "udp port 137" for that (the display filter would be "nbns", for "NetBIOS Name Service").

If you want to check for NBF traffic, then, at least with sufficiently recent versions of libpcap/WinPcap being used by Wireshark, a capture filter of "netbeui" (or a display filter of "netbios") would work. (Yes, both NetBEUI and NetBIOS are the wrong terms for NBF, but that's what libpcap and Wireshark are using.)

A capture filter of "broadcast" will check for all LAN broadcasts. If you only want to find out how much NetBIOS-over-TCP broadcast name resolution is occurring, try "broadcast and udp port 137" when capturing.

And, yes, you should be able to use Wireshark to see how much NetBIOS-over-TCP broadcast name resolution is occurring; just compare the results of capturing with "broadcast and udp port 137" with NetBT enabled and with NetBT disabled.

(For NBF and NetBT broadcast name resolution, the capture filter would be "broadcast and (netbeui or udp port 137)".)

answered 03 Mar '13, 17:29

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thank you, Guy.

As regards the packet count, is there a way in WS to count how many broadcast packets were sent out from the server for NBNS (without having to manually count)?

(03 Mar '13, 18:46) TonyRobbins1978

The status bar (at the bottom of the window) has 3 sections; the middle section has the number of packets in the capture and the number of those packets that are being displayed. If you used the capture filter, the number of packets in the capture would be the number of NBNS broadcasts; if you used the display filter, the number of displayed packets in the capture would be the number of NBNS broadcasts.

(03 Mar '13, 22:45) Guy Harris ♦♦

0

Using the display filters mentioned above or display filter eth.dst==ff:ff:ff:ff:ff:ff && udp port 137 and click on the statistics --> Summary menu. This will give you min/max/avg per second stats for all the NBT broadcast traffic displayed. You can also add filter criteria to see stats for a specific host (e.g., ip.addr==10.10.10.10 && (eth.dst==ff:ff:ff:ff:ff:ff && udp port 137).

answered 02 Jul '13, 09:23

mbwalker's gravatar image

mbwalker
1112
accept rate: 0%