Ethereal-users: Re: [Ethereal-users] Source/Destination Display?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "doug rickard" <rickard@xxxxxxxxxxxxx>
Date: Sun, 22 Oct 2000 18:04:58 +1000
I now have some more information on the problems with the display of source/destination with NetBIOS protocols.

I have a test coax LAN with 1 x Linux box with Samba (name=Linux), 1 x WinME box (name=PC4), 1 x Win95A (name=Laptop), 1 x Win 3.11 (name=PC3), 2 x DOS + MS Add-on for DOS (names=PC1 and EXE1).

I invoke Ethereal packet capture the following way -

1. Start Ethereal from Windows Explorer.
2. Edit->Protocols->NetBIOS->Apply->OK
3. Capture->Start->Update list of packets in real time->Automatic Scrolling in live capture->Enable name resolution->OK.

Packets are then captured and displayed.

In most cases the display is like this -
No  Time      Source            Destination       Protocol Info
----------------------------------------------------------------
  1 0.000000  02:60:8c:0a:3c:02 00:00:eb:c0:91:ea LLC      I.(N)=30,N(S)=42,DSAP NetBIOS Individual, SSAP, NetBIOS
301 80.227990 00:00:e8:c0:91:ea 02:60:8c:0a:3c:d2 NetBIOS  Session Alive

As you can see, only the Ethernet addresses are displayed for Source and Destination.

However about once a day and after several hundred tries (yes, I am persistent) the display changes and the Source and Destination are displayed as the actual machine names, e.g. -

No  Time       Source Destination Protocol Info
------------------------------------------------------
206 59.278546  LAPTOP LINUX       TCP      1044>nbsession[SYN]Seq1221868490Ack......
244 65.759964  LAPTOP LINUX       SMB      TRANS2_FIND_NEXT2 Request
245 65.767470  LINUX  LAPTOP      SMB      TRANS2_FIND_NEXT2 Response
302 85.138240  PC3    PC4         LLC      etc.
405 100.794385 PC3    LINUX       LLC
plus all combinations of the names of the non-DOS machines.

Now the translated names are displayed only for the Linux, Win98ME, Win95A, and Win3.11 machines. Only the Ethernet addresses are still displayed for the boxes with DOS+MS Add Ons for DOS. We are very satisfied with this form of display and it suits our needs perfectly.

I can capture the displays in a file, but when I read them back all Sources and Destinations are in the Ethernet format, and not in the translated format, so it is no use trying to send you the capture files.

Once in the name translation mode, Ethereal continues to translate Source and Destination until the next time I shut Ethereal down and restart it, at which time the display reverts to the Ethernet format.

It seems to be completely random as to which form of display that Ethereal will use. In 3 days of testing during which Ethereal was started many hundreds of times, Ethereal has only come up in the translation mode 3 times.

There have been no changes in any of the systems, they have all been dedicated to the testing of Ethereal. There have been no changes in any files on any of the systems. None of the machines have been turned off during the duration of the test. The only change of any kind at all has been the saving of the Ethereal display files.

At the moment we are only interested in the tracking of NetBIOS packets. We use NetBIOS for inter-machine communication from the DOS boxes to the Windows boxes.


QUESTION:-
=========
Can anyone please explain the random functionality of Ethereal this way, or can anyone please tell me how we can make Ethereal come up in the translation mode every time?

Doug.