Thanks for your reply,
I'll try to explain my problem better.
I'm trying to log all NetBIOS name service registrations: as you have
suggested, I've filtered DNS traffic on port 137/udp and used a filter for
a specific opcode (Netbios_registration == 5).
In this way, I'm able to log all NetBIOS registrations, but I'm not able to
discern a group name registration from a unique name registration.
Using Wireshark, I find this information in an additional record that I
can't see in Bro.
For example, using this event
event dns_request (c:connection, msg: dns_msg, query: string, qtype: count,
I can see the presence of an additional record in the packet (msg$num_addl
= 1), but I can't see its value.
How can I do this in Bro?
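Added example, not part of this thread and not Bro code: a small Python parser for the NetBIOS Name Service registration packet (RFC 1002) that shows where the group/unique distinction actually lives. It is the G bit of the NB_FLAGS field in the RDATA of the additional record (RR type NB, 0x0020), alongside the owner node type and the registering address; this is the field Wireshark displays. The sample packets are constructed here with the included builder, so the script runs offline against no capture; the builder's default TTL and transaction id are arbitrary. The example says nothing about how Bro exposes additional records, only what is inside one.

```python
import socket
import struct

# NetBIOS Name Service constants (RFC 1002)
OPCODE_REGISTRATION = 5          # NAME REGISTRATION REQUEST opcode
RR_TYPE_NB = 0x0020              # NB resource record type
NB_FLAG_GROUP = 0x8000           # G bit of NB_FLAGS: 1 = group name, 0 = unique name
ONT_NAMES = {0: "B-node", 1: "P-node", 2: "M-node", 3: "H-node"}


def encode_nb_name(name, suffix=0x00):
    """First-level encode a NetBIOS name (RFC 1001 14.1): pad to 15 bytes,
    append the one-byte suffix, then emit each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    # label length (32), the 32 encoded characters, then the root label
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_nb_name(data, offset):
    """Decode an encoded name at offset -> (name, suffix, next_offset).
    Follows a DNS-style compression pointer, which RR_NAME commonly uses."""
    length = data[offset]
    if length & 0xC0 == 0xC0:
        pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
        name, suffix, _ = decode_nb_name(data, pointer)
        return name, suffix, offset + 2
    offset += 1
    encoded = data[offset:offset + length]
    offset += length
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, len(encoded), 2))
    while data[offset] != 0:          # skip scope labels, if any
        offset += 1 + data[offset]
    offset += 1                       # root label
    return raw[:15].decode("ascii").rstrip(), raw[15], offset


def build_registration(name, suffix, ip, group, ont=0, txid=0x1234, ttl=300000):
    """Construct a NAME REGISTRATION REQUEST: 1 question, 1 additional NB record.
    Header flags: OPCODE=5, RD=1, B=1 (broadcast).  Sample values only."""
    flags = (OPCODE_REGISTRATION << 11) | 0x0110
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_nb_name(name, suffix) + struct.pack("!HH", RR_TYPE_NB, 1)
    nb_flags = (NB_FLAG_GROUP if group else 0) | ((ont & 0x3) << 13)
    rdata = struct.pack("!H4s", nb_flags, socket.inet_aton(ip))
    # RR_NAME is a pointer to the question name at offset 12
    additional = (struct.pack("!H", 0xC00C)
                  + struct.pack("!HHIH", RR_TYPE_NB, 1, ttl, len(rdata))
                  + rdata)
    return header + question + additional


def parse_registration(packet):
    """Parse a registration request; return the queried name and, for every
    NB record in the answer/authority/additional sections, the decoded
    NB_FLAGS (group bit, owner node type) and address.  None if not opcode 5."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if (flags >> 11) & 0x0F != OPCODE_REGISTRATION:
        return None
    offset = 12
    qname, qsuffix, offset = decode_nb_name(packet, offset)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    result = {"txid": txid, "name": qname, "suffix": qsuffix, "qtype": qtype,
              "additional": ar, "records": []}
    for _ in range(an + ns + ar):
        _, _, offset = decode_nb_name(packet, offset)
        rr_type, rr_class, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rr_type == RR_TYPE_NB and rdlength >= 6:
            nb_flags = struct.unpack("!H", rdata[:2])[0]
            result["records"].append({
                "group": bool(nb_flags & NB_FLAG_GROUP),
                "owner_node_type": ONT_NAMES[(nb_flags >> 13) & 0x3],
                "address": socket.inet_ntoa(rdata[2:6]),
                "ttl": ttl,
            })
    return result


if __name__ == "__main__":
    for pkt in (build_registration("WORKGROUP", 0x1E, "192.0.2.10", group=True),
                build_registration("WS01", 0x00, "192.0.2.11", group=False, ont=1)):
        print(parse_registration(pkt))
```

The point for logging is that opcode 5 alone tells you a registration happened; whether it was a group name (e.g. a workgroup or browser election name) or a unique host name is only in the additional record's NB_FLAGS, so a logger that stops at the question section cannot tell them apart.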
2014-10-23 15:52 GMT+02:00 Seth Hall <seth(a)icir.org>:
On Oct 23, 2014, at 8:16 AM, Vito Logrillo <vitologrillo(a)gmail.com> wrote:
How can I filter NetBIOS name service
It all shows up in dns.log and you are given access to it through the
various DNS events. Could you describe what you are trying to accomplish?
Providing a packet capture and describing what you want to get out of it
would be the most useful.
International Computer Science Institute
(Bro) because everyone has a network