Network+ Study Guide

You’ll remember from the last chapter that NetBIOS associates names with workstations. But NetBIOS is only an upper-layer interface and requires a transport protocol. In many cases, TCP/IP is used. You use the nbtstat utility to do the following:

Because NetBIOS name resolution is primarily a Windows 95/98 or Windows NT network issue, the nbtstat command is available only on Windows 95/98 and NT networked computers.

To display a basic description of nbtstat and its associated options, type nbtstat at the command line. You’ll use these options to configure the display of information about NetBIOS over TCP/IP hosts. Here are some of the switches you can use:

–a –A –c –n –r –R –S –s

Tip 

All nbtstat switches are case sensitive. Generally speaking, lowercase switches deal with NetBIOS names of hosts, and uppercase switches deal with the TCP/IP addresses of hosts.

The –a Switch

The –a switch displays a remote machine’s NetBIOS name table, which is a list of all the NetBIOS names that that particular machine “knows about.” The following command produced the output for the server S1 shown in Figure 4.5:

C:\nbtstat -a S1

Figure 4.5: Sample output of the nbtstat -a command

As you can see, using this switch produces an output with four columns. The Name column gives the NetBIOS name entry of the host in the NetBIOS name table of the remote machine. The next column displays a unique two-digit hexadecimal identifier for the NetBIOS name. This identifier represents the last byte of the NetBIOS name shown in the Name column, and is necessary because the same name might be used several times on the same station. It uniquely identifies which service on the host the name is referencing. Tables 4.1 and 4.2 list the hexadecimal identifiers for unique and group host names.

Table 4.1: Last Byte Identifiers for Unique Names

Hex ID

Description

00

The general name for the computer.

03

Messenger service ID used to send messages between a WINS server and a workstation. This is the ID registered with a WINS server.

06

Remote Access Server (RAS) server service ID.

20

File-serving service ID.

21

RAS client.

53

Domain Name Services (DNS).

123

Network Time Protocol (NTP).

1B

Domain master browser ID. A NetBIOS name with this ID indicates the domain master browser.

1F

NetDDE service ID.

BE

Network monitor agent ID.

BF

Network monitor utility ID.

Table 4.2: Last Byte Identifiers for Group Names

Hex ID

Description

01

Indicates the master browser for a domain to other master browsers.

20

The Internet group name ID. This ID is registered with the WINS server to indicate which computers are used for administrative purposes.

1C

The domain group name ID.

1D

The master browser name.

1E

The normal group name.

The Type column refers to the type of NetBIOS name being referenced:

The Status column refers to the status of the NetBIOS name for the specified host, regardless of whether the name has been registered with the rest of the network.

The –A Switch

The –A switch works exactly as the –a switch and produces the same output; only the syntax of the command is different. First, you use an uppercase A instead of a lowercase a. Second, you use the IP address of the host whose NetBIOS name table you want to view instead of the NetBIOS name. The syntax includes the nbtstat command, followed by the –A switch, and finally the IP address of the host whose NetBIOS table you want to view:

nbtstat -A 199.153.163.2

The –c Switch

The function of the –c switch is to display the local NetBIOS name cache on the workstation on which it is run. Figure 4.6 shows sample output of the nbtstat -c command.

Figure 4.6: Sample output of the nbtstat -c command

Each entry in this display shows the NetBIOS name, the hex ID for the service that was accessed, the type of NetBIOS name (unique or group), the IP address that the name resolves to, and its Life (in seconds). The Life amount dictates how long (in seconds) each entry will live in the cache. When this time expires, the entry is deleted from the cache.

Note 

If you run nbtstat to display the cache and you get the result “No names in the cache,” all entries in the cache have expired. This will happen often if you don’t regularly access machines or services with NetBIOS names.

The –n Switch

You use the –n switch to display the local NetBIOS name table on a Windows 95/98 or Windows NT station. The output (shown in Figure 4.7) is similar to the output of the –a switch, except that instead of displaying the NetBIOS name table of another host, you are displaying it for the machine on which you are running the command.

Figure 4.7: Sample output of the nbtstat -n command

The –r Switch

This switch is probably the most commonly used switch when checking NBT (NetBIOS over TCP/IP) statistics. The –r switch displays the statistics of how many NetBIOS names have been resolved to TCP/IP addresses. Figure 4.8 shows sample output of the nbtstat -r command.

As you can see, the statistics are divided into categories. The first category is NetBIOS Names Resolution and Registration Statistics, which shows how many names have been resolved or registered by either broadcasts on the local segment or by lookup from a WINS name server. The second category gives the NetBIOS unique and group names and their associated hex IDs that were resolved or registered. In Figure 4.8, no WINS server is operating, so all NetBIOS names were resolved by broadcast only. This is evident from the lack of statistics of names resolved by a name server.

Figure 4.8: Sample output of the nbtstat -r command

Note 

The –r switch is useful in determining how a workstation is resolving NetBIOS names and whether WINS is configured correctly. If WINS is not configured correctly, the numbers in the Resolved by Name Server or Registered by Name Server categories will always be zero.

The –R Switch

Let’s say that you have a bad name in the NetBIOS name cache, but the right name is in the LMHOSTS file. The LMHOSTS file contains NetBIOS names of stations and their associated IP addresses. Also, the cache is consulted before the LMHOSTS file is. The problem here is that the bad address will be in the cache (until it expires). To purge the NetBIOS name table cache and reload the LMHOSTS file into memory, simply use the nbtstat command with the –R switch, like so:

nbtstat -R

The –S Switch

You use this switch to display the NetBIOS sessions table, which lists all the NetBIOS sessions, incoming and outgoing, to and from the host where you issue the command. The –S switch displays both workstation and server sessions, but lists remote addresses by IP address only.

Figure 4.9 shows sample output of the nbtstat -S command. The NetBIOS name is displayed along with its hex ID. The state of each session is also shown. An entry in the In/Out column determines whether the connection has been initiated from the computer on which you are running nbtstat (outbound) or whether another computer has initiated the connection to this computer (inbound). The numbers in the Input and Output columns indicate (in bytes) the amount of data transferred between this station and the station listed in that entry.

Figure 4.9: Sample output of the nbtstat -S command

The –s Switch

As with the –A and –a switches, the lowercase –s switch is similar to its uppercase sibling. The nbtstat -s command produces the same output as nbtstat -S, except that it tries to resolve remote host IP addresses into host names, if possible. Figure 4.10 shows sample output from the nbtstat –s switch. Note the similarities between Figure 4.10 and Figure 4.9.

Figure 4.10: Sample output of the nbtstat -s command

Note 

As you can do with the netstat command, you can place a number at the end of any nbtstat command to indicate that the command should execute once every so many seconds (as specified by the number) until you press Ctrl+C.

Категории