Network+ Study Guide
|
|
You’ll remember from the last chapter that NetBIOS associates names with workstations. But NetBIOS is only an upper-layer interface and requires a transport protocol. In many cases, TCP/IP is used. You use the nbtstat utility to do the following:
-
Track NetBIOS over TCP/IP statistics
-
Show the details of incoming and outgoing NetBIOS over TCP/IP connections
-
Resolve NetBIOS names
Because NetBIOS name resolution is primarily a Windows 95/98 or Windows NT network issue, the nbtstat command is available only on Windows 95/98 and NT networked computers.
To display a basic description of nbtstat and its associated options, type nbtstat at the command line. You’ll use these options to configure the display of information about NetBIOS over TCP/IP hosts. Here are some of the switches you can use:
–a –A –c –n –r –R –S –s
Tip | All nbtstat switches are case sensitive. Generally speaking, lowercase switches deal with NetBIOS names of hosts, and uppercase switches deal with the TCP/IP addresses of hosts. |
The –a Switch
The –a switch displays a remote machine’s NetBIOS name table, which is a list of all the NetBIOS names that that particular machine “knows about.” The following command produced the output for the server S1 shown in Figure 4.5:
C:\nbtstat -a S1
As you can see, using this switch produces an output with four columns. The Name column gives the NetBIOS name entry of the host in the NetBIOS name table of the remote machine. The next column displays a unique two-digit hexadecimal identifier for the NetBIOS name. This identifier represents the last byte of the NetBIOS name shown in the Name column, and is necessary because the same name might be used several times on the same station. It uniquely identifies which service on the host the name is referencing. Tables 4.1 and 4.2 list the hexadecimal identifiers for unique and group host names.
Hex ID | Description |
---|---|
00 | The general name for the computer. |
03 | Messenger service ID used to send messages between a WINS server and a workstation. This is the ID registered with a WINS server. |
06 | Remote Access Server (RAS) server service ID. |
20 | File-serving service ID. |
21 | RAS client. |
53 | Domain Name Services (DNS). |
123 | Network Time Protocol (NTP). |
1B | Domain master browser ID. A NetBIOS name with this ID indicates the domain master browser. |
1F | NetDDE service ID. |
BE | Network monitor agent ID. |
BF | Network monitor utility ID. |
Hex ID | Description |
---|---|
01 | Indicates the master browser for a domain to other master browsers. |
20 | The Internet group name ID. This ID is registered with the WINS server to indicate which computers are used for administrative purposes. |
1C | The domain group name ID. |
1D | The master browser name. |
1E | The normal group name. |
The Type column refers to the type of NetBIOS name being referenced:
-
Unique NetBIOS names refer to individual hosts.
-
Group names refer to the names of logical groupings of workstations, either domains or workgroups.
The Status column refers to the status of the NetBIOS name for the specified host, regardless of whether the name has been registered with the rest of the network.
The –A Switch
The –A switch works exactly as the –a switch and produces the same output; only the syntax of the command is different. First, you use an uppercase A instead of a lowercase a. Second, you use the IP address of the host whose NetBIOS name table you want to view instead of the NetBIOS name. The syntax includes the nbtstat command, followed by the –A switch, and finally the IP address of the host whose NetBIOS table you want to view:
nbtstat -A 199.153.163.2
The –c Switch
The function of the –c switch is to display the local NetBIOS name cache on the workstation on which it is run. Figure 4.6 shows sample output of the nbtstat -c command.
Each entry in this display shows the NetBIOS name, the hex ID for the service that was accessed, the type of NetBIOS name (unique or group), the IP address that the name resolves to, and its Life (in seconds). The Life amount dictates how long (in seconds) each entry will live in the cache. When this time expires, the entry is deleted from the cache.
Note | If you run nbtstat to display the cache and you get the result “No names in the cache,” all entries in the cache have expired. This will happen often if you don’t regularly access machines or services with NetBIOS names. |
The –n Switch
You use the –n switch to display the local NetBIOS name table on a Windows 95/98 or Windows NT station. The output (shown in Figure 4.7) is similar to the output of the –a switch, except that instead of displaying the NetBIOS name table of another host, you are displaying it for the machine on which you are running the command.
The –r Switch
This switch is probably the most commonly used switch when checking NBT (NetBIOS over TCP/IP) statistics. The –r switch displays the statistics of how many NetBIOS names have been resolved to TCP/IP addresses. Figure 4.8 shows sample output of the nbtstat -r command.
As you can see, the statistics are divided into categories. The first category is NetBIOS Names Resolution and Registration Statistics, which shows how many names have been resolved or registered by either broadcasts on the local segment or by lookup from a WINS name server. The second category gives the NetBIOS unique and group names and their associated hex IDs that were resolved or registered. In Figure 4.8, no WINS server is operating, so all NetBIOS names were resolved by broadcast only. This is evident from the lack of statistics of names resolved by a name server.
Note | The –r switch is useful in determining how a workstation is resolving NetBIOS names and whether WINS is configured correctly. If WINS is not configured correctly, the numbers in the Resolved by Name Server or Registered by Name Server categories will always be zero. |
The –R Switch
Let’s say that you have a bad name in the NetBIOS name cache, but the right name is in the LMHOSTS file. The LMHOSTS file contains NetBIOS names of stations and their associated IP addresses. Also, the cache is consulted before the LMHOSTS file is. The problem here is that the bad address will be in the cache (until it expires). To purge the NetBIOS name table cache and reload the LMHOSTS file into memory, simply use the nbtstat command with the –R switch, like so:
nbtstat -R
The –S Switch
You use this switch to display the NetBIOS sessions table, which lists all the NetBIOS sessions, incoming and outgoing, to and from the host where you issue the command. The –S switch displays both workstation and server sessions, but lists remote addresses by IP address only.
Figure 4.9 shows sample output of the nbtstat -S command. The NetBIOS name is displayed along with its hex ID. The state of each session is also shown. An entry in the In/Out column determines whether the connection has been initiated from the computer on which you are running nbtstat (outbound) or whether another computer has initiated the connection to this computer (inbound). The numbers in the Input and Output columns indicate (in bytes) the amount of data transferred between this station and the station listed in that entry.
The –s Switch
As with the –A and –a switches, the lowercase –s switch is similar to its uppercase sibling. The nbtstat -s command produces the same output as nbtstat -S, except that it tries to resolve remote host IP addresses into host names, if possible. Figure 4.10 shows sample output from the nbtstat –s switch. Note the similarities between Figure 4.10 and Figure 4.9.
Note | As you can do with the netstat command, you can place a number at the end of any nbtstat command to indicate that the command should execute once every so many seconds (as specified by the number) until you press Ctrl+C. |
|
|