 | Understanding NetBIOS |
| NetBIOS Features |
| NetBIOS Host Names |
| NetBIOS Functional Processes |
| NetBIOS Over TCP/IP |
| Using LMHOSTS file |
| NBTSTAT Utility |
You may have heard that NetBIOS is the same thing as NetBEUI, which it is not, as you will discover as you read this chapter. You may wonder what a chapter on NetBIOS is doing in a book about TCP/IP. When you install TCP/IP on Windows NT, you automatically get NetBIOS; there is no separating the two.
For the purposes of this chapter and the Internetworking with Microsoft TCP/IP section of the exam, you should refer to this connectivity as NetBIOS over TCP/IP, or NBT for short. NetBIOS name resolution refers to the process of converting NetBIOS names to TCP/IP addresses. As a Microsoft Certified Systems Engineer you will most assuredly be called on to plan, install, configure, manage, monitor, optimize, and troubleshoot NetBIOS host name resolution in various Microsoft networking situations.
In the working world you will hear a lot of myths and rumors about what NetBIOS actually is and what it does for networking. The first section of this chapter contains some definitions, background material, and concepts about NetBIOS that you need to know. The next section explains how NetBIOS runs over TCP/IP using the TCP and UDP protocols. Next you will learn that NetBIOS host names are composed of 15 characters plus a special byte. The fourth section covers the three NetBIOS functional processes: Name Registration, Name Discovery, and Name Release. The next section explains the name resolution methods. Finally, the last two sections detail how to use the LMHOSTS file and NBTSTAT command.
NetBIOS is not a protocol or protocol stack. It is an interface that software can use and is commonly called an application programming interface (API). NetBIOS is the acronym for Network Basic Input/Output System. Host names are used to connect two NetBIOS computers together. Since NetBIOS is not a transport protocol, it does not directly support routing but depends on one of three transport protocols it can run on Windows NT: TCP/IP, NWLink IPX/SPX, or NetBEUI. Since TCP/IP and NWLink IPX/SPX are both routable protocols, NetBIOS information can be sent across routers when it is running on one or both of these protocols. NetBEUI is not a routable protocol; therefore any NetBIOS packets sent over NetBEUI cannot be sent past routers.
NetBIOS was first implemented for IBM in 1983 for its early PC network. It has since been adopted by Microsoft and used in DOS, Windows for Workgroups, Windows 95, and Windows NT operating systems for file and printer sharing. It has been used for network communications by IBM, DEC, Samba, and so many other situations that it has become a de facto industry standard. (A de facto standard is usually initially developed or owned by one entity but so widely used in the industry that it becomes a standard.) TCP/IP has become an industry standard protocol because of its widespread use on the Internet, but it is a de jure standard because it was developed openly by many different groups and entities.
No "official" standard exists for NetBIOS services. The IBM PC-network version is usually used as a reference point for new implementations of NetBIOS. This version is described in the IBM document 6322916, "Technical Reference PC Network.". There are, however, official standards for using NetBIOS over TCP/IP. They can be found under the following RFCs in many places on the Internet:
| RFC 1001: Protocol Standard for a NetBIOS Service on a TCP/UDP TransportT: Concepts and Methods |
| RFC 1002: Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications |
| RFC 1088: A Standard for the Transmission of IP Datagrams over NetBIOS Networks |
The first thing to understand about NetBIOS is that it is not a "complete" networking protocol suite like TCP/IP, IPX/SPX, or NetBEUI. Before you continue, be sure to review the OSI Model Layers and the TCP/IP Protocol Stack in Chapter 2, TCP/IP Architecture. NetBIOS is only an API that programmers use to connect two computers using names like MYCOMPUTER or SERVER1. This programming interface is what places NetBIOS at the session level according to the OSI model.
Microsoft has implemented NetBIOS so that the TCP/IP, IPX/SPX, and NetBEUI protocol stacks can all carry NetBIOS information. On Windows NT and other Microsoft networking platforms, NetBIOS can run over TCP/IP, IPX/SPX, and NetBEUI separately or even simultaneously. Using NetBIOS to communicate between two computers requires at least one of the three protocols. . The NetBIOS interface is automatically included whenever you install one of the three protocols and cannot be separated or removed.
NetBIOS operates at the session and transport levels of the OSI Model. Remember that the seven layers of the OSI model are: Application, Presentation, Session, Transport, Network, Data Link, and Physical. NetBIOS operates at the session level since it manages communication between two computers by establishing, administering, and terminating connections. It operates at the Transport Layer by providing datagram and session services to applications. Datagram services provide connectionless communication for information that does not need the guarantee of reliable delivery. Session services are connection-oriented communication for information that needs reliable transport and guaranteed delivery.
For the TCP/IP protocol stack the NetBIOS interface operates at the Application and Transport Layers. Remember that the four layers of the TCP/IP protocol stack are: Application, Transport, Internet, and Network Interface. Windows Sockets, another popular API many programmers use for connection-oriented and connectionless communication, also resides in the Application Layer of the TCP/IP protocol stack. NetBIOS is in the Application Layer because it provides an interface for software and other applications. It is in the Transport Layer also since it provides for different levels of reliability in the datagram and session services offered.
In this chapter we focus on running NetBIOS session services over TCP/IP. The NetBIOS interface to the TCP/IP stack provides the following three services: a name service, a datagram service, and a session service.
In Chapter 2 you learned about the TCP/IP transport protocols, TCP and UDP. Remember that TCP is a connection-oriented service that guarantees proper data delivery. UDP is a connectionless service that does not guarantee proper data delivery. The application that uses UDP will be responsible for making sure the information sent is correctly received. Follow the instructions in Exercise 7-1 to see how the three NetBIOS services hook into the TCP and UDP transport level protocols.
Exercise 7-1 Viewing TCP and UDP Port Numbers Used by NetBIOS
Figure 1 Viewing the Services File
There are three TCP/IP port numbers that support NetBIOS functionality: Port 137 supports the NetBIOS name service; Port 138 supports the NetBIOS datagram service; and Port 139 supports the NetBIOS session service.
If you followed Exercise 7-1you discovered that the nbname service, which is an abbreviation for NetBIOS name service, accepts information from and sends information to port 137 of the UDP protocol. It is important to note that a port numbered 137 can exist for the TCP protocol too, as you will see for other ports that accept both UDP and TCP packets. We already know that UDP is a connectionless protocol that does not guarantee delivery of information. Why does the NetBIOS name service use UDP and not TCP? To answer this question you need to know specifically what the NetBIOS name server does.
The first thing NetBIOS does when Windows NT boots up is announce the computer’s names to other computers on the network through the NetBIOS Name Service. If the computer is configured to use a NetBIOS name server (such as WINS), the computer gives its NetBIOS names (such as the computer name, domain name, or named services offered) to the name server. If the name server can identify that the names are already in use on the network, then it sends a negative name registration response back to the computer, and NetBIOS fails to initialize. Only the NetBIOS names in conflict will not be registered.
If there is not a name server then the computer broadcasts its NetBIOS names to all computers on the network. Now we will see why the NetBIOS name service uses UDP. The information is broadcast to all computers but it is not known whether any computers will receive the information or not. Computers that are currently turned on will receive the information, but computers that are turned off will not. Any computer that receives the name announcement broadcast with conflicting names that it has already successfully registered with the network will also generate a negative name registration response that informs the announcing computer that it cannot use those names.
Besides name registration the NetBIOS name service also handles and responds to name query requests. Before two computers can communicate over NBT, they need to know each other’s IP address. . TCP/IP will then take the IP address and use the address resolution protocol (ARP) to find out the hardware address encoded on the network interface card (NIC). The NetBIOS name service either sends a broadcast to all computers on the network or queries the name server for the IP address of the computer associated with the name.
In the working world, broadcasting can be a significant detriment to performance of Microsoft networks. Network degradation will increase exponentially if NetBIOS is also running over protocols other than TCP/IP. Suppose COMP1 wants to talk to COMP2 and there is no name server. COMP1 broadcasts a question, "Who is COMP2?" Every computer that uses NetBIOS receives the question on port 137 and passes it to the NetBIOS name service. The computer decides whether it is COMP2 or not. If the computer is COMP2, it responds by telling COMP1 its IP address.
NetBIOS will send three broadcasts trying to find out who COMP2 is. Each broadcast uses some processing power on every computer on the network. If TCP/IP, NWLink IPX/SPX, and NetBEUI are all installed, the broadcast happens one to three times for each protocol for each name query. Multiple protocols greatly increase broadcasting and can be the bane of an uninformed network administrator. The ideal situation is to use TCP/IP and lmhosts or WINS to reduce name query broadcasts.
The NetBIOS datagram service exists on port 138 and as you saw in Exercise 7-1, it uses UDP for communication. Since the datagram service is a connectionless service without guaranteed delivery, we can understand why it uses UDP. The datagram service can send information to one computer name or a group of computers, such as a domain. The most important thing to remember about the datagram service is that the source computer cannot be sure that the destination computer received the message, unless the application program itself checks for delivery.
The NetBIOS session service exists on port 139. From Exercise 7-1 we know that the session service uses TCP for inter-computer communication. The session service is connection-oriented which means that two-way communication can occur that is guaranteed to have arrived or else an error message is returned. The net use command is an example of an application that uses the session service. This command connects a local drive letter to another computer’s shared network drive.
Applications use NetBIOS host names to tell the NetBIOS interface which computer they want to connect to. NetBIOS host names must be unique within an organization. This is a big irritation for many systems administrators who are used to the hierarchical DNS name space. For example, a NetBIOS name could be SERVER1 but a DNS name could be www.companyname.com. NetBIOS will be fully supported in Windows NT 5.0 for legacy systems, but the good news is that Windows NT 5.0 will no longer be dependent on NetBIOS naming. Coming from many generations of NetBIOS-dependent operating systems, this is a huge change in direction for Microsoft and it is being cheered by many systems administrators who had problems with the NetBIOS flat name space.
Please don’t think that NetBIOS names will be gone soon though. There are countless installations of Windows for Workgroups, Windows 95, and Windows NT that still depend on NetBIOS names for file and printer sharing and other domain level activities. Being able to accurately and correctly identify problems with NetBIOS host name resolution is an important skill for systems administrators.
NetBIOS names are always 16 bytes. They consist of 15 bytes followed by a special byte that is simply a control character in hexadecimal. For example, when you enter a 10-character computer name, the NetBIOS name registered will be the 10-character computer name suffixed with 5 spaces and the hexadecimal control character. Windows NT will not allow you to enter a computer name that is longer than 15 characters.
The limit for a computer name, domain name, or any other NetBIOS name is 15 characters. What happens to the extra byte in the 16-byte address? The 16th character is part of the NetBIOS host name and is used by Microsoft to identify which service or application the name belongs to.
The 16th character is actually a one-digit hexadecimal control character. The values can range from <00> to <FF> so the characters are indeed not printable. Exercise 7-2 will give you a detailed look at NetBIOS names that your own computer has registered.
Exercise 7-2 Viewing a Remote NetBIOS Name Table Using NBTSTAT
Be sure to complete the exercise and feel free to NBTSTAT -a as many different computers as you can. You can’t hurt anything with this command. The following is sample output from running an NBSTAT -a command:
C:\>nbtstat -a 123.145.27.10
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
NTSERVER <00> UNIQUE Registered
SERVER_DOMAIN <00> GROUP Registered
SERVER_DOMAIN <1C> GROUP Registered
NTSERVER <03> UNIQUE Registered
__SQLANYWHERE <20> UNIQUE Registered
NTSERVER <20> UNIQUE Registered
SERVER_DOMAIN <1B> UNIQUE Registered
SERVER_DOMAIN <1E> GROUP Registered
SERVER_DOMAIN <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
INet~Services <1C> GROUP Registered
IS~DMHRSTST....<00> UNIQUE Registered
TESTUSERNAME <03> UNIQUE Registered
MYALIAS1 <03> UNIQUE Registered
MAC Address = 00-80-5F-B4-A6-2C
You should at least recognize your computer name, user name, and domain name (if you belong to a domain). Your computer name will probably be associated with at least three NetBIOS names depending on what you have installed with Windows NT. If you are running the Workstation service, you will see a <00> UNIQUE entry beside your computer name and a <00> GROUP by your domain name. GROUP names can be used by many computers but registered UNIQUE names will exist only on your computer within the scope of your network. If you are running the server service, you will see a <20> UNIQUE beside your computer name. If the Messenger service is running, you should see a <03> UNIQUE entry for your computer name and a <03> UNIQUE entry for your username. The net send command appends the hexadecimal character <03> to user and computer names that you are sending messages to.
There are two kinds of NetBIOS names: unique names and group names.
The following chart defines the 16-byte character value for NetBIOS names:
I. Group Names
<1C> Domain Group Name
_MSBROWSE_Domain Master Browser
II. Unique Names
<00> Workstation service name
<03> Messenger service name
<06>RAS server service name
<21>RAS client name
<20>Server service name
<1B>Domain Master Browser
<BE>Network Monitor Agent
<BF>Network Monitor Utility
Another common hexadecimal character is <1C> GROUP, which is appended to the name of the domain or workgroup you belong to, and is used for Master Browser Elections. . If you are running the NBTSTAT -a command in a domain, you will probably see the _MSBROWSE_ <01> GROUP name on a Windows NT Server machine indicating that the server is a master browser. Many of the most common NetBIOS name have to do with browsing. . If you have other applications running that use NetBIOS, you will also see other entries in the name table. Table 7-1 lists all the common NetBIOS names used by Windows NT.
| Name | Hex | Associated NT Service, Application, or Functionality |
| COMPUTER NAME DOMAIN NAME |
<00> | Workstation Service |
| _MSBROWSE_ | <01> | Domain Announcement |
| COMPUTER NAME | <06> | RAS Server |
| COMPUTER NAME USER NAME |
<03> | Messenger Service |
| DOMAIN NAME | <1B> | Domain Master Browser |
| DOMAIN NAME | <1C> | Named Domain Groups |
| DOMAIN NAME | <1D> | Subnet Master Browser |
| DOMAIN NAME | <1E> | Master Browser Election |
| COMPUTER NAME | <1F> | NetDDE |
| COMPUTER NAME | <20> | Server Service |
| COMPUTER NAME | <21> | RAS Client |
| COMPUTER NAME | <BE> | Network Monitor Agent |
| COMPUTER NAME | <BF> | Network Monitor Utility |
Table 1 Common NetBIOS Names
NetBIOS host names are used by all the net commands to carry information from one computer to another. . The commands use the Universal Naming Convention (UNC) syntax to specify which computer and resource to access. The syntax for UNC names is \\Servername\Sharename where Servername is the computer name of the server to connect to and Sharename is the name assigned to the shared resource on the server. . UNC names can also include directories and file paths in the following format: \\Servername\Sharename\Directoryname\Filename. . The Servername used is a NetBIOS host name to which the net commands append the appropriate hex character, in this case <20> to connect to the Server service. For a list of Net commands, enter NET HELP at a command prompt. . For further help on any command enter NET COMMAND HELP at a command prompt where COMMAND is the name of the command you want more information on. Figure 7-2 shows part of the indexed lst available on Windows NT commands. It can be found in Start® Help® Contents® Windows NT Commands® Windows NT Commands.
Figure 2 Indexed List of Windows NT Commands
Net Use is by far the most useful net command, pun intended. . You can use it to connect drive letters and printer ports to remote shares and printers. You can even use it to establish permission in the same way you use the Connect As textbox when using My Computer® Map Network Drive. . When you want to write a login script, you can employ net use to delete some or all of your clients’ manual drive mappings and replace them with standard drive mappings for your organization. No more getting confused as to whose S drive is someone else’s N drive.
Sample output from a net use command follows this paragraph. Notice that drive J: is connected to a file share and LPT3 is connected to a shared printer. A disconnected status simply means that the connection has not been used recently and is in a disconnected state. . Windows NT will automatically reconnect the remote share whenever the share is accessed. The IPC$ is one of the Windows NT default shares. . This one in particular is for interprocess communication. You can map to it using the net use command with a username and password to establish a Connect As connection.
C:\>net use
New connections will not be remembered.
Status Local Remote Network
----------------------------------------------------------------------------
J: \\NTSERVER\DFS Microsoft Windows Network
Disconnected LPT3 \\NTSERVER\plotter Microsoft Windows Network
Disconnected \\USER1\IPC$ Microsoft Windows Network
OK \\USER2\IPC$ Microsoft Windows Network
The command completed successfully.
The other net commands are listed in Table 7-2. They all use UNC to access remote computer resources. The server name in the UNC syntax is always a NetBIOS name, so the net commands that work remotely all use the 16-byte NetBIOS host name to communicate with other computers.
| Command | Functionality |
| NET ACCOUNTS | View or set account policy. |
| NET COMPUTER | Add or remove computers to the domain. |
| NET CONFIG | View configuration for server and workstation services. |
| NET CONFIG SERVER | Set automatic client disconnection on the server. |
| NET CONFIG WORKSTATION | Set communication rates. |
| NET CONTINUE | Continue a paused service. |
| NET FILE | List of files currently opened by remote users. |
| NET GROUP | Manage domain global groups. |
| NET HELP | Lists net commands available, in case you don’t carry this book everywhere. |
| NET HELP Command | Detailed help on every net command available. |
| NET HELPMSG | Information on numerical error codes. |
| NET LOCALGROUP | Manage local groups. |
| NET NAME | Add or remove messaging name receiving messages. Creates name as Alias<03> in NBTSTAT -a. |
| NET PAUSE | Pauses service. |
| NET PRINT | Print job and print queue information. |
| NET SEND | Sends messages to a user or users in the domain. The messages are received only by computers that have the Messenger service on. |
| NET SESSION | List computers and users that currently have remote resources or sessions connected to the server. |
| NET SHARE | Add, remove, or view shared resources. |
| NET START | Start a service. |
| NET STATISTICS | View statistics for server and workstation services. |
| NET STOP | Stop a service. |
| NET TIME | Manually set or automatically synchronize time with another computer. |
| NET USE | Connect devices to remote shared resources. |
| NET USER | Add, remove, or view user accounts. |
| NET VIEW | View shared resources remotely or list computers on the network. |
Table 2 Windows NT Net Commands
The 16-byte NetBIOS host names are used by any application that uses NetBIOS communication. Whether the application is a database, game, or chat, they all have to use 16-byte NetBIOS host names to communicate.
In this section we discuss the three NetBIOS functional processes: Name Registration, Name Discovery, and Name Release. These functional processes are run for NetBIOS no matter which transport protocol it is running over. However, we will focus only on the functional processes from a NetBIOS over TCP/IP standpoint because that’s what is on the exam..
When you first boot up a Windows NT computer from a powered-off state, you see the familiar message, "Press Ctrl + Alt + Delete to log on," which means the network services are still starting in the background. The first functional process NetBIOS runs is Name Registration. To accomplish this process the computer sends a message, called a NetBIOS name registration request, to the network. If the computer is set up to register with a NetBIOS name server (NBNS), the message is sent directly to the name server. This is called a directed packet; it is not a broadcast, and therefore only one receiving computer, the name server, needs to process the information. All other computers discard the message as soon as it hits the network card and they recognize that the hardware address does not belong to them. If the computer is not set up to register with a name server then it broadcasts the message to all computers on the local subnet using the UDP protocol.
For group names, like a domain or workgroup name that multiple computers belong to, the NetBIOS name registration request is never challenged. NetBIOS name registration requests will be challenged if requested unique names, like a computer name, are already being used somewhere on the network.
If the name registration request is broadcast to the network and another computer is already using the NetBIOS name, then a negative name registration response message will be returned to the source computer informing it that it cannot register those NetBIOS names. Depending on which names are unusable, the computer may not initialize NetBIOS, start the Messenger service, or some other functionality or application may be inhibited. Always check Start® Programs® Administrative Tools® Event Viewer to check out any error messages you receive during logon. Positive name registration responses are not returned to the source computer during broadcast registration requests since no one computer is acting as a keeper of all the addresses.
If the name registration request is sent to a WINS server that already has the NetBIOS name in its database, the WINS server will not automatically send back a negative response. First, the WINS server will check to see if the IP address registered in the database is the same as the one in the request. If the IP addresses are the same, then it is just the same computer having been powered off without shutting down. If the IP addresses are not the same then the WINS server must check to see whether the computer associated with the conflicting names is still on. The WINS server challenges the registered host to defend its right to keep the conflicting names. If the registered host responds, it wins the challenge and WINS sends a negative name registration response back to the requesting computer. If the registered host does not respond, then WINS sends back a positive name registration response and the original computer will keep on trucking.
If you leave Windows NT set at its defaults, it will choose WINS over broadcasting if you have WINS enabled. If WINS is unable to register an address, NT will use broadcast registration. As far as performance for the Name Registration functional process goes, there is not a big difference, although it is generally better to use WINS, especially on larger networks. Once all the computers have registered their names on the network for the day, the broadcast traffic is over. During rush hours, like morning or after lunch, you may see some network degradation from broadcasts but it will be slight. The same applies to a WINS server trying to handle name registrations. You need to make sure that the server has enough horsepower during the rush hours, but once the rush hours are over name registration traffic should be minimal. If I had to pick one method, I would favor WINS for performance since broadcasts steal processing power from every computer on the network. Chapter 8 covers WINS in more detail.
Name Discovery is actually very similar to Name Registration.. NetBIOS host name resolution for NetBIOS over TCP/IP simply means translating a given name into an IP address. Name Discovery is really only part of the puzzle since everything will fall apart if Name Registration or Name Release go haywire. .
First, NetBIOS will consult the NetBIOS name cache to see if the name has been resolved recently. This saves the network from a whole lot of useless broadcasts. If the name needed is not in the name cache, the computer, if registered with WINS, will send a directed packet to the WINS server trying to resolve the name. If the name is not found in the WINS server database, the computer will broadcast to the local network up to three times trying to get the destination computer to respond. If the broadcasts fail, it will scan the lmhosts database text file line by line looking for a match. If the lmhosts file does not contain the name, it will try the hosts file and finally a DNS query. You can easily configure the computer to query or not query WINS, lmhosts, hosts, and DNS through the Network Control Panel applet. Go to Start® Settings® Control Panel® Network® Protocols® TCP/IP Protocol® Properties® WINS Address and you should see a dialog box like the one shown in Figure 7-3.
Figure 3 Enabling LMHOSTS Lookup
Figure 7-3 shows the dialog box to register a client computer with WINS. If the primary WINS server does not respond during name registration, the computer will try using the secondary WINS server. If the secondary WINS server also fails to respond, the computer will then broadcast name registration.
If you enable DNS for Windows Resolution, the Name Discovery functional process will also try to look in the hosts file and DNS server to find the NetBIOS name. I suggest not enabling DNS for Windows Resolution because it will slow down the Name Discovery process and NetBIOS names should not be stored in the hosts file or DNS anyway. If you enter a name like www.server.com, NT automatically recognizes the Fully Qualified Domain Name (FQDN) syntax and runs a DNS and host file query first.
If you enable LMHOSTS Lookup, the Name Registration will first scan the lmhosts files for entries to preload into the NetBIOS name cache. During the Name Discovery phase, the lmhosts file will be scanned after everything else has failed but before any host file or DNS lookup. The Enable LMHOSTS Lookup box needs to be checked even if all you have in you lmhosts file are name mappings to be loaded into the NetBIOS name cache.
The Scope ID box should always remain blank. Only computers that have the same word for their Scope ID can communicate with each other. It is one way to establish weak security and also cause yourself a lot of connectivity problems. If you need security, it’s better to use username, passwords, and NTFS.
Broadcasting for Name Discovery is good only if you have a small computer network. NetBIOS was originally designed for small networks. Networks of 25 or fewer users would not want the hassles of setting up and maintaining a name server since broadcasting is automatic. For larger networks, broadcasting will multiply the network and processing load with each computer that is added to the network. Take some good advice and use WINS if at all possible. If your computers are also using DHCP for dynamic configuration, you can set the scope options to automatically point every DHCP client to your WINS server.
The last NetBIOS functional process is Name Release, and it really is very simple. If the computer is registered with WINS, it informs WINS while shutting down that it will no longer need the names it registered. If the computer it not registered with WINS, it sends a broadcast to inform the network of the released names.
One of the challenges WINS faces is maintaining the database when users turn off the power switch instead of properly shutting down. If the power switch is hit, then the Name Release process does not happen and the names are still registered with WINS. This is why WINS has to challenge the registered name owner when a name request turns up conflicting names in the database. If this challenge did not occur, the WINS database would fill up with names and names could never be reused. This is not a problem since Name Release plays such a small part in the overall network load generated by NetBIOS. For large networks WINS is still far better than broadcasting even in the Name Release process simply because it involves only a few computers communicating. You have to use WINS if your network spans different subnets because broadcasts will not be forwarded by routers.
We’ve talked a lot about NetBIOS over TCP/IP (NBT) and hopefully you now have a good idea of what it is all about. This section will cover even more technical details and specifications about NBT.
To define NetBIOS over TCP/IP, you could say that it is a network component that performs computer name to IP mapping. Or you could say it is the quarterback that takes a NetBIOS name, turns it into an IP address, and hands it off to TCP/IP to run with it. That is the primary function of NBT. NetBIOS is the interface to the applications; TCP/IP is the transport protocol that carries the information from one computer to another; and NBT is the glue in between. NetBIOS uses 16-byte names; TCP/IP uses 32-bit addresses; and NBT is the translator.
RFC1001 and RFC1002 define three ways NBT can work: b-node, p-node, and m-node. It took me a while to figure out that node was not actually mode, so I’ll just give you that little piece of information. A node is basically a computer, and b-node, p-node, and m-node describe how the NBT functional processes work for that computer (node). Microsoft has added a few more methods into the list, namely, enhanced b-node and h-node. A Windows NT computer will use enhanced b-node by default unless it is configured to register with a WINS server, in which case it uses h-node. All these methods determine whether the computer uses, and in which order, the NetBIOS name cache, WINS, broadcasts, lmhosts, hosts, and DNS for NetBIOS host name resolution.
The b-node method uses NetBIOS name registration request broadcasts for Name Registration and NetBIOS name query broadcasts for Name Discovery. To enable this method starting from a Microsoft default installation that is not WINS enabled, simply disable LMHOSTS Lookup.
The NetBIOS name cache helps reduce repetitious broadcasting by caching resolved names and their associated IP addresses for a certain small length of time. A name is by default placed on the NetBIOS name cache for ten minutes if it is used again within two minutes after being placed in cache. If not used a second time within two minutes it is removed at the end of two minutes.
Of course by now you know that this method is not recommended for large networks. Relying solely on broadcasts for name resolution and registration on networks with a large amount of nodes (computers) can cause significant network traffic congestion for all computers. The b-node method also limits name resolution and registration to one subnet unless you have special routers that are configured to pass along the b-node NetBIOS broadcasts to the next subnet.
If Windows NT is not configured to register with WINS, then the modified b-node method is the default configuration when networking is set up. This method is similar to the b-node method except it uses the lmhosts file to preload name to IP address mappings into the NetBIOS name cache and also as a database for looking up names that could not be resolved by broadcasting.
You will see the lmhosts file syntax in the next section. What you need to know about the modified b-node method is that it searches the lmhosts file when the computer starts up for entries marked with #PRE. These entries are then loaded into the NetBIOS name cache and will never expire. The NetBIOS name cache is the first place NBT will look when resolving names. Putting commonly used computer names (like the servers) into the NetBIOS name cache can speed up network responsiveness. You can force NBT to reload the name cache with the NBTSTAT -R command. The -R command switch is case sensitive.
Like the b-node method, the primary method for resolving names is to do a NetBIOS name query broadcast and hope the computer responds. The enhanced b-node method is no more efficient than b-node if you do not use name cache preloading.
The lmhosts database file is found in the %SystemRoot%\system32\drivers\etc directory. You should not just add lines to the sample file Microsoft provides; instead start with a blank file since NT scans the file line by line each time resolving a name by broadcasting fails. Maintaining the lmhosts file can become an administrative chore because the static entries need to be changed with every new computer added or removed from the network. Also, it is a lot of trouble distributing and maintaining the files on every machine on the network.
Exercise 7-3 Ping NetBIOS Hosts with an LMHOSTS File
122.133.44.6 SERVER1
The p-node method can be enabled only by editing the registry or setting the scope option dynamically from DHCP enabled computers. When Microsoft makes you edit the registry, it’s a big hint that it is usually not preferable to use this method. In the p-node method broadcasts are never sent. Only a NetBIOS name server is used, or in other words, a WINS server. This works fine until there is a problem with the name server, then no names can be resolved. The h-node method has a better level of fault tolerance since it falls back on broadcasts if WINS resolution fails.
This method could potentially speed up an h-node network somewhat, especially for Name Resolution failures. Since broadcasts are never sent, the error message would return quicker. If we expected more failures than success we would want to use this method, but of course we expect most name queries to succeed one way or another. That is why the h-node method is better because names can also be resolved by trying broadcasts (which adds some fault tolerance) instead of just quickly returning the error message.
The m-node method first tries to use broadcasts for name resolution; then once the broadcasts time out, it will send the query directly to the NetBIOS name server (WINS). You would think the RFC documents would have defined this method to reduce broadcasts but unfortunately they did not.
The m-node method really stands for mixed node method. This is because it combines both the b-node and p-node methods into one. What is important here is the order in which the RFC documents define which method happens first.
The m-node method is called the mixed node method because it first tries to use the b-node method (broadcasts), then uses the p-node method (directed name server query) for name resolution. This is exactly opposite of the way it should be for reducing broadcasts for performance reasons. That is why Microsoft invented the h-node method, which is really just the exact opposite of the m-node method.
The h-node method is a combination of the p-node and b-node methods. The h-node method specifies that the p-node method (directed name server query) be used first and if that fails the b-node method (broadcasts) will be tried. If every computer on your network registers with the WINS name server, then this method will never produce a single NetBIOS broadcast (wow!). It is better than the p-node method because it will try broadcasts as a backup pending the failure of the name server to resolve the name.
The h-node method is called the hybrid node method but. . I might have named it something like "Name Server, then Broadcast method" since that is the most important point to remember. Broadcast is used only if the name server query fails.
Well, now that you have made it past nodes, modes, and methods, you can get into what is really important: what you need to know for the exam and also for the real world. In the next two sections, we discuss the standard name resolution method used by other NetBIOS equipped operating systems and applications and the default Microsoft name resolution method. Some of the Microsoft specific steps may be enabled or disabled by configuring TCP/IP with the Network Control Panel applet.
There are three standard methods used by most NetBIOS implementations (besides Microsoft). They may vary from implementation to implementation.
Generally all NetBIOS over TCP/IP implementations will have a NetBIOS name cache. This is mentioned in the RFC documents but is not required of all NetBIOS over TCP/IP implementations. Generally all implementations will use a name cache since it can greatly reduce network broadcasts and speed up repetitious name resolution requests.
If the name desired is not in the name cache, then most implementations will try to resolve the name using local broadcasts. This works fine for installations with a small client base.
If the name is not found in the name cache or by local broadcasts, then most implementations will try to resolve the name using a NetBIOS name server. You should notice that this sequence of steps is just a repeat of the m-node description given in the previous section.
Finally, you get to what you really need to know for the exam. Commit this sequence to memory because it is not only easy test material but it is invaluable knowledge to carry with you when troubleshooting network connectivity. Table 7-3 lists the six name resolution sources in sequence that Microsoft NBT will use. The table is followed by a description of each source.
Sequence |
Name Resolution Source |
1st |
NetBIOS Name Cache |
2nd |
NetBIOS Name Server (WINS for example) |
3rd |
B-Node Broadcasts |
4th |
LMHOSTS File |
5th |
HOSTS File |
6th |
DNS Server |
Table 3 NetBIOS Name Resolution Sources in Sequence
The first thing any name resolution query method will do is check the NetBIOS name cache. Whenever a name is resolved, it is automatically placed in the name cache whether it is resolved from WINS, broadcasts, lmhosts, hosts, or DNS. Each entry when placed in the cache is given a time-to-live value in seconds and when this time expires the name is removed from the cache. You can view entries in the NetBIOS name cache with the NBTSTAT -c command. NBTSTAT is covered in further detail in the last section of this chapter.
After checking the name cache the next place a Microsoft NetBIOS implementation will look for a name is at the WINS NetBIOS name server (NBNS) if TCP/IP is configured with a primary or secondary WINS address. The query goes directly to the name server using directed packets, so WINS does not need to be on the same subnet as your clients.
On an Ethernet bus type network where every computer "sees" every packet on the wire the network interface card (NIC) only looks as far as the ethernet hardware address before it discards a directed packet. Another way of saying this is that directed packets don’t get processed by any layers except the physical layer of the OSI model. Using a name server saves the network from "NetBIOS broadcast indigestion" where every computer must process the broadcast to the session layer of the OSI model where NetBIOS resides.
If the name is not found in the name cache or WINS, then Microsoft NBT will send up to three broadcasts trying to resolve the name. The local broadcast IP address is normally 255.255.255.255, as you learned earlier in this book. On an Ethernet this IP address is usually turned into a hardware address of FF-FF-FF-FF-FF-FF. Routers by default should block all broadcasts and will not forward NetBIOS broadcasts unless you specifically enable UDP ports 137 and 138 on the router. We saw these ports in Exercise 7-1.
Routers will not block the NetBIOS session service since it uses TCP port 139, and TCP means it is using directed packets. But to establish a session you need a name mapped to an IP address, and if the router is blocking your name resolution broadcasts, then you are out of luck. A quick way around this problem of routers blocking name resolution broadcasts is to make an entry into the lmhosts file. Once the name resolution occurs, the session can be established no matter where in the world the IP address points to.
The next place Microsoft NBT will check is the LMHOSTS file. This file is really just a database of IP addresses and NetBIOS host names along with some special switch information. We look at this in more detail in the next section.
The hosts file will be scanned for NetBIOS names only if the "Enable DNS for Windows Resolution" checkbox is checked in the TCP/IP protocol setup. This is not the default at installation and must be manually enabled. This file is very similar to lmhosts but it just contains IP addresses and host names (without any special switches). You should not enable this unless you have special need since it will slow down returning error messages to the user.
Like the hosts file the DNS server will be queried for NetBIOS names only if the Enable DNS for Windows Resolution checkbox is selected in the TCP/IP protocol setup. When you check this box, you get both hosts lookup and DNS; there is no way to separate the two. Again, enable this only if you have a very special need.
This section covers the specifics of creating an lmhosts file. The "lm" stands for LAN Manager, an early predecessor of Windows NT. To use the lmhosts file you need to make sure you have LMHOSTS Lookup enabled by going to Start® Settings® Control Panel® Network® Protocol® TCP/IP Protocol® WINS Address and checking the Enable LMHOSTS Lookup checkbox.
Don’t forget that the lmhosts file location for Windows NT is in a different place than the rest of Microsoft’s operating systems.
The default location for the lmhosts file is %SystemRoot%\system32\drivers\etc. Don’t ever forget this location (at least not until Microsoft changes it again). An example of the default %SystemRoot% in Windows NT is C:\WINNT.
The default location for Windows 95 and Windows for Workgroups is the %SystemRoot% directory. An example of the default %SystemRoot% would be C:\WINDOWS. Don’t expect that Windows 95 will have the %SystemRoot% environment variable defined either.
Microsoft has created a sample lmhosts file with instructions and examples in it. It is available in the default location for the lmhosts file and is named LMHOSTS.SAM. I would not suggest editing this file and then deploying it. Rather, start from scratch with an empty file and add entries one by one. NBT scans the file line by line and will quit when there is a successful match, so you can speed up name resolution if NBT does not have to read a bunch of useless lines each time it scans the file. You should also put #PRE statements at the end of the file since they will always be resolved from the NetBIOS cache and never the lmhosts file. The following Microsoft sample LMHOSTS.SAM file has been included for your reading pleasure:
# Copyright (c) 1993-1995 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows
# NT.
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
The format of the lmhosts file is an IP address, followed by a NetBIOS host name, followed by keywords with each entry on a separate line. There are seven keywords that you can use in your lmhosts file.
Exercise 7-4 Entering LMHOSTS Keywords
122.133.44.5 SERVER1 #PRE
122.133.44.6 SERVER2
Table 7-4 lists the LMHOSTS keywords and a short description for each command. Following the table each command is described in detail.
| Keyword | Description |
| #PRE | Preloads the entry into the NetBIOS name cache. |
| #DOM:domain | Marks a computer as a domain controller. Names of domain controllers are stored in a special list. |
| #NOFNR | Bypasses directed name verification query to the machine. |
| #INCLUDE <filename> | Includes a remote lmhosts file when parsing the local one. |
| #BEGIN_ALTERNATE | Marks the start of a block of #INCLUDE statements. |
| #END_ALTERNATE | Marks the end of a block of #INCLUDE statements. |
| #MH | Marks entries for multihomed computers. |
Table 4 LMHOSTS Keywords
The #PRE keyword is the one you will use most often. #PRE designates that the name to IP address mapping will be placed into the NetBIOS name cache whenever the machine starts. The name cache in main memory is the first place NT will look for name resolutions. If you are able to distribute an lmhosts file to all your clients, I suggest placing the names and addresses of your primary servers in #PRE statements. Since most everyone accesses servers most of the time, this should greatly speed up network access and will decrease network traffic, even if you are using WINS and especially if you are using broadcasts.
After you add #PRE entries to your lmhosts file, you do not have to reboot to get those entries loaded into the NetBIOS name cache. Use the NBTSTAT -R command to flush the old name cache and reload it. The NBTSTAT command-line switches are case sensitive so the -R must be uppercase.
You can use the #DOM keyword to specific that a machine is a backup or primary domain controller. This can be useful for functionality like browsing which normally doesn’t work across subnets since it uses broadcasts to communicate among computers and domains. Since each domain has a master browser and domains are likely to be separated by subnets, this can get the master browser in one domain talking to the master browser in the remote domain. Note that this should create a group entry for the specified domain into the name cache and not a unique entry. Therefore you should use this keyword for all domain controllers in a domain. The #PRE keyword must be placed on the line before #DOM. . NBT places entries into a special domain name list so you will not see anything different when looking at the NetBIOS name cache with the NBTSTAT -c command. If you have a choice though, it is much easier to use a WINS server and save yourself a lot of hassle and confusion.
The #NOFNR keyword was added to the lmhosts because some of the older LAN managers for UNIX and DEC Pathworks servers do not respond to directed name verification queries sent by Windows NT. NBT usually asks a machine if it is on and if it is the right name before trying to send any information to it. This keyword tells Windows NT to bypass the directed name query for the specified machine. For more information you can look up article Q103765 in the Microsoft knowledge base.
Whenever NBT is parsing the lmhosts file line by line and it encounters the #INCLUDE statement, it parses the new file as if it were actually in the lmhosts file. The filename can be given in the UNC syntax so files from other servers can be included. When using UNC names the server name still needs to be resolved so it must be inserted before the #INCLUDE keyword. You must put a #PRE statement for the server before the #INCLUDE or the #INCLUDE will be ignored. Following is an example:
123.144.11.1 SERVER1 #PRE #necessary for include statement
#INCLUDE \\SERVER1\ETC$\lmhosts
The #INCLUDE statement needs to know where SERVER1 is so that is why we must put the IP address for SERVER1 in a preloaded line prior to the #INCLUDE. This is a very inefficient way of having a centralized lmhosts file since the remote lmhosts file must be downloaded and parsed every single time the local lmhosts file is downloaded and parsed for names. It might be an okay solution if all the statements in each lmhosts were preloaded into the NetBIOS name cache, which would mean the files would be parsed only on name query failures. This solution still causes unnecessary network traffic that can be detrimental in large LAN installations.
Also, before SERVER1 will let the remote client have its lmhosts file, its share must be listed as a Null Session Share in its Windows NT Registry. To accomplish this you need to add the directory (C:\WINNT\system32\drivers\etc) for the share to the list in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
One solution for distributing a centralized lmhosts files would be to put an XCOPY /d into the user’s login script followed by an NBTSTAT -R. The XCOPY command switch /d checks the dates on the files and copies the master lmhosts only if it is newer. The NBTSTAT -R purges and updates the NetBIOS name cache if the lmhosts has changed. You need to make sure that every user has permissions to the directory where the lmhosts file is stored on their machine.
#BEGIN_ALTERNATE marks the start of a block of #INCLUDE statements. NBT will process each #INCLUDE statement until one is successful. It will include one and only one of the master lmhosts files. This allows you some fault tolerance since the master lmhosts file will be stored on several servers.
#END_ALTERNATE marks the end of a block of #INCLUDE statements. Remember that each server in an #INCLUDE statements needs to already have its IP address previously defined in the lmhosts file. Following is an example of #BEGIN_ALTERNATE and #END_ALTERNATE:
123.144.11.1 SERVER1 #PRE #necessary for include statement
123.144.11.2 SERVER2 #PRE #necessary for include statement
#BEGIN_ALTERNATE
#INCLUDE \\SERVER1\ETC$\lmhosts
#INCLUDE \\SERVER2\ETC$\lmhosts
#END_ALTERNATE
Once one of the included files is found, the other include statements in the block will be bypassed. You need to make sure all the lmhosts files in the block statement are the same to avoid confusion and failed name queries. This is still a crude way to distribute lmhosts files and will be an administrative burden on large networks.
The #MH keyword is used to mark multihomed servers. Multihomed servers have two network interface cards with two IP address being viable for one NetBIOS name. Following is an example:
110.155.22.1 MYPDC #MH #entry for NIC 1 of MYPDC machine
110.155.22.2 MYPDC #MH #entry for NIC 2 of MYPDC machine
Notice that the server name MYPDC has two entries with two corresponding IP addresses. The #MH keyword must be included on both entries so as to mark the entries as multihomed. Note that WINS accomplishes the same functionality automatically.
Exercise 7-5 Using an LMHOSTS File
The NBTSTAT is the most useful utility related to NetBIOS over TCP/IP. Remember the NBT in NBTSTAT stands for NetBIOS over TCP/IP and the STAT stands for statistics. The NBTSTAT command-line switches are listed in Table 7-5 along with a short description of what each command does. For your convenience the command-line help for NBTSTAT is included after the table.
| Command | Function |
| NBTSTAT -a or -A | Lists NetBIOS names for a remote computer. |
| NBTSTAT -c | Lists entries in the NetBIOS name cache. |
| NBTSTAT -n | Lists NetBIOS names for the local computer. |
| NBTSTAT -r | Lists counters for names resolved by broadcasts and WINS. Also gives list of names resolved by broadcast. |
| NBTSTAT -R | Purges and reloads the NetBIOS name cache. |
| NBTSTAT -S or -s | Lists sessions for the local computer. |
Table 5 NBTSTAT Commands
C:\>nbtstat /?
Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n]
[-r] [-R] [-s] [-S] [interval] ]
-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its
IP address.
-c (cache) Lists the remote name cache including the IP addresses
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP addresses
-s (sessions) Lists sessions table converting destination IP
addresses to host names via the hosts file.
RemoteName Remote host machine name.
IP address Dotted decimal representation of the IP address.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press Ctrl+C to stop redisplaying
statistics.
The NBTSTAT -a command lists the names used by a remote computer. It is a good way to easily see what names a computer thinks it owns if you are having naming conflicts. You can also see which names failed to register by examining the status column. The following is sample output from running an NBTSTAT -a command:
C:\>nbtstat -a 123.44.155.6
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
MYSERVER <00> UNIQUE Registered
MY_DOMAIN <00> GROUP Registered
MY_DOMAIN <1C> GROUP Registered
MYSERVER <03> UNIQUE Registered
__SQLANYWHERE <20> UNIQUE Registered
MYSERVER <20> UNIQUE Registered
MY_DOMAIN <1B> UNIQUE Registered
MY_DOMAIN <1E> GROUP Registered
MY_DOMAIN <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MYSERVER <01> UNIQUE Registered
MAC Address = 00-80-5F-A4-B6-CA
The NBTSTAT -c command is a very helpful when troubleshooting name resolution problems. It lists the NetBIOS name cache for the local machine. When you are having trouble connecting computers, this is the first place to look to see if the names are being resolved correctly. You can also check here to make sure the NetBIOS Scope ID is blank. The following is sample output from running an NBTSTAT -c command:
C:\>nbtstat -c
Node IpAddress: [123.44.166.7] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
GATEWAY <03> UNIQUE 123.44.166.7 -1
GATEWAY <00> UNIQUE 123.44.166.7 -1
GATEWAY <20> UNIQUE 123.44.166.7 -1
TESTBDC <00> UNIQUE 123.44.166.88 600
NTSERVER <03> UNIQUE 123.44.166.55 -1
NTSERVER <00> UNIQUE 123.44.166.55 -1
NTSERVER <20> UNIQUE 123.44.166.55 -1
The NBTSTAT -n command is exactly the same as the NBTSTAT -a command except that it lists name information for the local machine (not including the MAC hardware address). The following is sample output from running an NBTSTAT -n command:
C:\>nbtstat -n
Node IpAddress: [123.44.166.55] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
MYPC <00> UNIQUE Registered
MY_DOMAIN <00> GROUP Registered
MYPC <03> UNIQUE Registered
USERNAME1 <03> UNIQUE Registered
MYPC <20> UNIQUE Registered
The NBTSTAT -r command tells you how many broadcasts a machine has made since NetBIOS over TCP/IP was started. This command is also useful once you have installed WINS for tracking down those machines that are still using broadcasting. The following is sample output from running an NBTSTAT -r command:
C:\WINNT\system32>nbtstat -r
NetBIOS Names Resolution and Registration Statistics
----------------------------------------------------
Resolved By Broadcast = 7
Resolved By Name Server = 146
Registered By Broadcast = 0
Registered By Name Server = 8
NetBIOS Names Resolved By Broadcast
---------------------------------------------
BROADCASTER1 <00>
BROADCASTER1 <00>
BROADCASTER1 <00>
MYSERVER <00>
MYPC <00>
SERVER1 <00>
BROADCASTER2 <00>
The NBTSTAT -S command determines what machines you have NetBIOS connection to or what machines have NetBIOS connection to you. This might help you track who exactly is using a server and how much bandwidth they are using. The following is sample output from running an NBTSTAT -S command:
C:\>nbtstat -S
NetBIOS Connection Table
Local Name State In/Out Remote Host Input Output
----------------------------------------------------------------------------
MYPC <00> Connected Out 111.23.45.56 3MB 231KB
MYPC <00> Connected Out 111.23.45.101 2KB 3KB
MYPC <03> Listening
MYPC <03> Listening
MYUSERNAME <03> Listening
MYUSERNAME <03> Listening
This chapter covered everything you need to know about NetBIOS host name resolution for the Internetworking with Microsoft TCP/IP on Microsoft Windows NT 4.0 exam. You should now have some properly grounded definitions, background material, and concepts about NetBIOS. You know how NetBIOS runs over TCP/IP using the TCP and UDP protocols and that. NetBIOS host names are composed of 15 characters plus a special byte. We discussed the three NetBIOS functional processes: Name Registration, Name Discovery, and Name Release. You should know what you need to about nodes, modes, and name resolution methods. Finally, you should know how to use the LMHOSTS file and NBTSTAT command with practiced flair and grace. Armed with all this information you will not only be able to pass the exam, but you will be able to impress all your peers when then just can’t seem to get two machines to talk to each other.
| NetBIOS is an interface that software can use and is commonly called an application programming interface (API). |
| There are official standards for using NetBIOS over TCP/IP. |
| The first thing to understand about NetBIOS is that it is not a "complete" networking protocol suite like TCP/IP, IPX/SPX, or NetBEUI. |
| NetBIOS is only an API that programmers use to connect two computers using names like MYCOMPUTER or SERVER1. |
| On Windows NT and other Microsoft networking platforms, NetBIOS can run over TCP/IP, IPX/SPX, and NetBEUI separately or even simultaneously. |
| NetBIOS operates at the session and transport levels of the OSI Model. |
| The NetBIOS interface to the TCP/IP stack provides the following three services: a name service, a datagram service, and a session service. |
| Remember that TCP is a connection-oriented service that guarantees proper data delivery. |
| UDP is a connectionless service that does not guarantee proper data delivery. |
| Figure 7-1 contains a portion of the services file for Exercise 7-1. Be sure to go back and navigate through the exercise later since it will help you remember the location of the important %SystemRoot%\system32\drivers\etcdirectory. After all, your memory and your experiences are all you can take with you to the exam! |
| There are three TCP/IP port numbers that support NetBIOS functionality: |
 | Port 137 supports the NetBIOS name service. |
| Port 138 supports the NetBIOS datagram service. |
| Port 139 supports the NetBIOS session service. |