Analyzing problems in the NetBIOS protocols

Network Basic Input/Output System (NetBIOS) is a set of protocols developed in the early 1980s for LAN communications. A few years later, Microsoft adopted it for its LAN networking, and it was then migrated to run over TCP/IP (NetBIOS over TCP/IP, RFCs 1001 and 1002).

In today's networks, NetBIOS provides three services:

  • Name service (port 137) for name registration and name-to-IP-address resolution.
  • Datagram distribution service (port 138) for service announcements by clients and servers.
  • Session service (port 139) for session negotiation between hosts. This is used for accessing files, opening directories, and so on.

In this chapter, we will get into some common problems with the NetBIOS suite of protocols, and we will learn how to try and solve them. Since the NetBIOS set of protocols is quite complicated, and there are hundreds of scenarios of things that might go wrong, we will try to provide some guidelines for how to look for common problems and what might go wrong.

Getting ready

NetBIOS protocols work in Windows environments, and also on Mac and Linux machines communicating with Windows. When facing problems such as instability, slow response times, disconnections, and so on in these environments, NetBIOS issues can be one of the reasons. The tool for solving these problems is Wireshark: it will show you what runs over the network, while Windows tools will show you what runs on the clients and servers.

How to do it...

To try and find out what a problem could be, connect your laptop running Wireshark to the network, and port mirror the suspected clients or server. In the following sections, we will see several scenarios for several problems.

There are many predefined filters that are used with NetBIOS. You can find them by clicking on the Expression button, which is on the right-hand side of the Display Filters window.

  1. For general NetBIOS commands, they start with netbios.
  2. For NetBIOS name service, they start with nbns.
  3. For NetBIOS datagram service, they start with nbds.
  4. For NetBIOS session service, they start with nbss.
  5. For SMB, they start with smb.

General tests

First, take a general look at the network. Then, look for suspicious patterns:

  1. Connect Wireshark to the network. Any switch port will do, as long as you are on the same broadcast domain as the clients that are having the problems.
  2. Configure the display filter nbns.flags.response == 0. It will give you the NBNS requests. You will see many broadcasts, as shown in the following screenshot:
  3. As you saw in the previous screenshot, in the capture file you will see the following:
    • NBNS registration packets (1): In the example, there are registrations with the names WORKGROUP and ETTI. The NBNS server accepts or rejects the name registration by issuing a positive or negative Name Registration Response to the requesting node. If no response is received, the requesting node assumes the name is OK to use.
    • NBNS queries (2, 3 and 4): Queries are sent for the name specified. If there is an NBNS server (this is the domain controller), you will see one of the following responses:
      • requested name does not exist (code 3)
      • no error (code 0)
  4. Make sure there is no registration or any other request coming from addresses that start with 169.254 (5). These are Automatic Private IP Addressing (APIPA) addresses. Such an address means that the PC is configured to obtain an address automatically (by DHCP) but has not received one.
  5. There are many announcement packets as well. These are broadcast on UDP port 138. Here, you will see every station announce its capabilities: workstation, server, print server, and so on. For example, you can see here that:
    • 172.16.100.10 is named FILE-SRV and announces itself as a workstation, server, and SQL server (1)
    • 172.16.100.204 is named GOLF and announces itself as a workstation, server, and print queue server (2)
  6. Some worms and viruses use the NetBIOS name service to scan the network. Look for unusual patterns such as massive scanning, a high broadcast rate, and so on.
  7. Verify that you don't have too many broadcasts. Five to 10 broadcasts per minute per device is reasonable. More than this usually means problems.
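
The checks in steps 2 to 4 (the nbns.flags.response == 0 filter, telling registrations from queries, reading the response code, and spotting APIPA sources) can be done by hand on the NBNS header. The following decoder is an added example written for this chapter; it is not code from the book, and the packets it parses are constructed in the script rather than taken from a capture. It builds NBNS packets the way RFC 1002 lays them out (header flags, first-level encoded name, question type NB) and then triages them the way you would read the Wireshark summary.

```python
import struct
from dataclasses import dataclass, field

# Flag bits of the NBNS header (RFC 1002, section 4.2.1.1)
NBNS_FLAG_RESPONSE = 0x8000          # R bit: 0 = request, 1 = response
NBNS_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
NBNS_RCODES = {0: "no error", 1: "format error", 2: "server failure",
               3: "requested name does not exist", 4: "unsupported request",
               5: "refused", 6: "active name conflict"}
NB_TYPE, IN_CLASS = 0x0020, 0x0001   # QUESTION_TYPE "NB", QUESTION_CLASS "IN"


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 characters padded with spaces plus a suffix byte,
    each byte split into two nibbles and each nibble mapped to 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns(trn_id: int, flags: int, name: str, suffix: int, answer: bool = False) -> bytes:
    """Build an NBNS packet carrying one question (request) or one answer RR (response)."""
    counts = (0, 1, 0, 0) if answer else (1, 0, 0, 0)          # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    pkt = struct.pack("!HHHHHH", trn_id, flags, *counts)
    pkt += b"\x20" + encode_netbios_name(name, suffix) + b"\x00"   # second-level encoded name
    pkt += struct.pack("!HH", NB_TYPE, IN_CLASS)
    if answer:
        pkt += struct.pack("!IH", 0, 0)   # TTL 0 and RDLENGTH 0, as in a negative name query response
    return pkt


@dataclass
class NbnsSummary:
    src_ip: str
    is_response: bool
    opcode: str
    rcode: str
    name: str
    suffix: int
    notes: list = field(default_factory=list)


def parse_nbns(src_ip: str, payload: bytes) -> NbnsSummary:
    """Decode the 12-byte header and the first name, then attach the checks from the text."""
    _trn_id, flags = struct.unpack("!HH", payload[:4])
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if payload[12] != 0x20:
        raise ValueError("unexpected NetBIOS name length")
    name, suffix = decode_netbios_name(payload[13:45])
    s = NbnsSummary(src_ip, bool(flags & NBNS_FLAG_RESPONSE),
                    NBNS_OPCODES.get(opcode, f"opcode {opcode}"),
                    NBNS_RCODES.get(rcode, f"rcode {rcode}"), name, suffix)
    if src_ip.startswith("169.254."):
        s.notes.append("APIPA source: host configured for DHCP but holds no lease")
    if s.is_response and rcode != 0:
        s.notes.append(f"negative response for {name}<{suffix:02X}>")
    return s


def requests_only(packets):
    """Equivalent of the display filter nbns.flags.response == 0."""
    return [s for s in (parse_nbns(ip, p) for ip, p in packets) if not s.is_response]


# Constructed sample traffic (source addresses and names invented for this example).
# Flag values: 0x2910 = registration request (RD, B), 0x0110 = query request (RD, B),
# 0x8583 = query response (R, AA, RD, RA) with rcode 3.
SAMPLE = [
    ("172.16.100.204", build_nbns(0x8001, 0x2910, "WORKGROUP", 0x1E)),
    ("172.16.100.10",  build_nbns(0x8002, 0x0110, "FILE-SRV", 0x20)),
    ("172.16.100.1",   build_nbns(0x8002, 0x8583, "FILE-SRV", 0x20, answer=True)),
    ("169.254.7.33",   build_nbns(0x8003, 0x2910, "LAPTOP-APIPA", 0x00)),
]


def triage(packets=SAMPLE):
    return [parse_nbns(ip, p) for ip, p in packets]


if __name__ == "__main__":
    for s in triage():
        kind = "response" if s.is_response else "request"
        print(f"{s.src_ip:15} {s.opcode:13} {kind:8} {s.name}<{s.suffix:02X}>  {s.rcode}  {s.notes}")
```

The suffix byte after the name (0x20 for the file server service, 0x1E for the browser election name, 0x00 for the workstation name) is what Wireshark shows in angle brackets after each name, so it is worth keeping in the summary when you are comparing registrations against what the domain controller answers.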

Tip

There are hundreds of message scenarios you can see here. Use Wireshark's Expert Info, Google, and common sense to discover the problem.

Specific issues

Here are some issues and problems you might see during usual operation:

  1. Server Message Block (SMB) is the protocol used for browsing directories, copying files, and other operations over the network. When using it, you might see some error codes. The full list of error codes is in Microsoft MSDN: http://msdn.microsoft.com/en-us/library/ee441884.aspx.
  2. Code 0 means STATUS_OK: everything works fine and there is no problem. Any other code should be examined.
  3. In the following example, you can see a STATUS_ACCESS_DENIED message. This is one of many error codes you should look for. In the example, access to \\NAS01\HOMEDIR on a server with an IP address that starts with 203 (full address hidden for security reasons) was denied.
  4. When you try to see the home directory by browsing it, Windows will usually show you an ACCESS DENIED message or something similar. The problem arises when an application tries to access a directory and cannot get access to it. In this case, you may see an ACCESS DENIED message, a software message about a communication problem, or any other message the programmers have written for you. Using Wireshark in this case will get you to the exact error, and Google will show you the reason for it.
  5. In the next example, we see a status STATUS_MORE_PROCESSING_REQUIRED (2) that occurred during session setup (1) on \\NAS01\SAMIM (3).
    • Looking at the link mentioned earlier, we see that this is because there is more data available to read on the designated named pipe.
    • A short Google lookup tells us that it might indicate a credentials problem. Check with your system administrator.
  6. To see all SMB error messages, type the filter smb.nt_status != 0x0. You will get all error responses, as shown in the following screenshot:
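
The smb.nt_status != 0x0 filter reads the 4-byte Status field of the SMB1 header. The script below is an added example for this section, not code from the book: it builds 32-byte SMB1 headers as [MS-CIFS] lays them out, applies the same non-zero-status test, and names the codes it finds using the values from the Microsoft error-code list linked above (STATUS_SUCCESS 0x00000000, STATUS_ACCESS_DENIED 0xC0000022, STATUS_MORE_PROCESSING_REQUIRED 0xC0000016, STATUS_LOGON_FAILURE 0xC000006D). The IP addresses, the frame numbers and the share path are constructed for the example; the share name in a real capture lives in the Tree Connect request body, so it is carried here as a separate field the way Wireshark correlates it to the response.

```python
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"
SMB_FLAGS_REPLY = 0x80          # Flags bit set on server responses

# NT status values from the Microsoft error-code list referenced in the text
NT_STATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000CC: "STATUS_BAD_NETWORK_NAME",
}
SMB_COMMANDS = {0x73: "Session Setup AndX", 0x74: "Logoff AndX",
                0x75: "Tree Connect AndX", 0xA2: "NT Create AndX"}


@dataclass
class SmbRecord:
    frame: int
    src_ip: str
    dst_ip: str
    command: str
    nt_status: int
    status_name: str
    is_response: bool
    path: str


def build_smb1_header(command: int, nt_status: int, is_response: bool,
                      tid: int = 1, uid: int = 1, mid: int = 1) -> bytes:
    """32-byte SMB1 header: magic, Command, Status, Flags, Flags2, PIDHigh,
    SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID (all little-endian)."""
    flags = SMB_FLAGS_REPLY if is_response else 0
    return (SMB1_MAGIC + struct.pack("<BIBH", command, nt_status, flags, 0)
            + struct.pack("<H8sHHHHH", 0, bytes(8), 0, tid, 1234, uid, mid))


def parse_smb1_header(data: bytes):
    """Return (command, nt_status, is_response) from the fixed header."""
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    command, nt_status, flags, _flags2 = struct.unpack("<BIBH", data[4:12])
    return command, nt_status, bool(flags & SMB_FLAGS_REPLY)


def smb_errors(frames):
    """Equivalent of the display filter smb.nt_status != 0x0: every SMB message
    whose header carries a non-zero status. Requests always carry 0, so in
    practice this yields the server's error responses."""
    out = []
    for no, src, dst, path, data in frames:
        command, status, is_resp = parse_smb1_header(data)
        if status != 0:
            out.append(SmbRecord(no, src, dst, SMB_COMMANDS.get(command, f"0x{command:02X}"),
                                 status, NT_STATUS.get(status, f"0x{status:08X}"), is_resp, path))
    return out


def real_errors(frames):
    """Drop the one non-zero status that is expected: STATUS_MORE_PROCESSING_REQUIRED
    on Session Setup AndX is the normal intermediate reply of a multi-round-trip
    authentication (the NTLMSSP challenge leg). A session setup that ends in
    STATUS_LOGON_FAILURE after it is what points at credentials."""
    return [e for e in smb_errors(frames)
            if not (e.command == "Session Setup AndX" and e.nt_status == 0xC0000016)]


# Constructed sample exchange (addresses from documentation space, not a real site):
# a two-leg session setup that succeeds, then a tree connect that is denied.
SERVER, CLIENT = "10.1.70.95", "203.0.113.17"
SAMPLE_FRAMES = [
    (1, CLIENT, SERVER, "",                 build_smb1_header(0x73, 0x00000000, False)),
    (2, SERVER, CLIENT, "",                 build_smb1_header(0x73, 0xC0000016, True)),
    (3, CLIENT, SERVER, "",                 build_smb1_header(0x73, 0x00000000, False)),
    (4, SERVER, CLIENT, "",                 build_smb1_header(0x73, 0x00000000, True)),
    (5, CLIENT, SERVER, r"\\NAS01\HOMEDIR", build_smb1_header(0x75, 0x00000000, False)),
    (6, SERVER, CLIENT, r"\\NAS01\HOMEDIR", build_smb1_header(0x75, 0xC0000022, True)),
]


if __name__ == "__main__":
    for e in smb_errors(SAMPLE_FRAMES):
        print(f"frame {e.frame}: {e.src_ip} -> {e.dst_ip} {e.command} "
              f"{e.status_name} (0x{e.nt_status:08X}) {e.path}")
    print("after discarding expected intermediate statuses:",
          [e.frame for e in real_errors(SAMPLE_FRAMES)])
```

When you run the filter on a real capture, expect a STATUS_MORE_PROCESSING_REQUIRED for every session setup that uses extended security; the records worth chasing are the ones that remain after that status is set aside, as real_errors does.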

How it works...

As we saw in the introduction to this section, NetBIOS provides three services: NetBIOS Name Service (NBNS), NetBIOS Datagram Distribution Service (NBDS), and NetBIOS Session Service (NBSS).

NBNS is the service that registers names and translates them to IP addresses. Registration happens when a client registers its name with the domain controller: the client sends a registration request and gets back a response saying whether the registration is OK or the name is already registered to another device. Microsoft implemented this as WINS at a time when most networks did not use DNS, and later it was replaced by DNS. It works over UDP port 137.

NBDS is used for service announcements by clients and servers. With this service, devices on the network announce their names, the services they can provide to other devices, and how to connect to those services. It works over UDP port 138.

NBSS is used to establish sessions between hosts, to open or save files, to execute remote files, and for other sessions over the network. It works over TCP port 139.

Additional protocols run on top of these: Server Message Block (SMB) runs over NBSS for transaction operations and over NBDS for service announcements, SPOOLSS handles printer requests, and there are several others. The details of NetBIOS are beyond the scope of this book. If you are required to troubleshoot NetBIOS protocols, follow the instructions in this section, paying special attention to error messages and notes.

There's more…

In this section, I would like to show some examples to get a better understanding of the NetBIOS protocols.

Example 1 – application freezing

In the following screenshot, we see the reason for an application freeze:


In the example, we make the following observations:

  1. A client with an IP address that starts with 203 is trying to connect to \\NAS01\SAMIM on a server with IP address 10.1.70.95, and gets back a STATUS_ACCESS_DENIED error.
  2. The client logs off and the server confirms it.
  3. Since the application waits, TCP holds the connection open with keep-alive messages.
  4. After a while, the client sends a disconnect request that is approved by the server.
  5. The application waits and TCP maintains the connection with keep-alives.
  6. TCP closes the connection with RST (Reset).

What the customer saw here was an application freeze.

Example 2 – broadcast storm caused by SMB

In one of my clients' networks, I got an urgent call that a remote office was disconnected from the HQ. Some network details are as follows:

  • The remote office addresses are on subnet 172.30.121.0/24, with a default gateway 172.30.121.254.
  • The HQ addresses are on subnet 172.30.0.0/24. The connections between the remote offices and the centre are L3 IP-VPNs over an MPLS network.

To solve the problem, I did the following:

  1. I tried to ping the servers in the HQ. I got no response.
  2. I called the service provider that provides the lines to the centre, and they said that on their monitoring system they don't see any load on the line.
  3. I pinged the local router, 172.30.121.254, and got no response. The meaning is that PCs on the LAN couldn't get to their local router, which is the default gateway.
  4. I connected Wireshark with a port mirror to the router port, and I saw something like the following screenshot:
  5. I saw that a huge number of packets were generated within microseconds (1) by a host with IP address 172.30.121.1. The packets were broadcast (3), and the service that generated them was Write Mail Slot (5), sent by the SMB Mailslot protocol (4).
  6. To get a picture of the number of packets, I used the IO Graphs feature. I got 5000 packets per second, which generated 10 Mbps that blocked the poor old router port (changing the router port to 100 Mbps or 1 Gbps wouldn't have helped; it would have been blocked too).
  7. When I didn't find anything about it on Google or Microsoft, I started stopping services that I didn't know, keeping track of what happened with the broadcasts. Eventually, the service that caused the problem turned out to be called LS3Bcast.exe. I stopped it, made sure it didn't come back, and that was it.
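
The two numbers that settled this case, packets per second from one source and the bandwidth they consume, are what IO Graphs plots; the rule of thumb from the "General tests" section (five to 10 broadcasts per minute per device) is the baseline they are compared against. The script below is an added example for this chapter, not the author's own tooling: it takes per-frame records of the kind you would export from Wireshark (timestamp, source, destination, destination MAC, frame length, protocol), buckets broadcast frames per source into one-second intervals, and classifies each source as normal, chatty or a storm. The capture it analyses is constructed in the script (one host sending 5000 Mailslot broadcasts of 250 bytes within a second, which is the 10 Mbps figure from the text, plus two ordinary hosts); the thresholds are the text's rule of thumb and an assumed storm threshold of 1000 packets per second.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float       # seconds since capture start
    src_ip: str
    dst_ip: str
    dst_mac: str
    length: int     # frame length in bytes
    protocol: str   # Wireshark-style protocol label, e.g. "NBNS", "BROWSER"


def is_broadcast(f: Frame, subnet_bcast: str) -> bool:
    """Layer-2 broadcast, limited broadcast, or the subnet's directed broadcast."""
    return f.dst_mac == BROADCAST_MAC or f.dst_ip in ("255.255.255.255", subnet_bcast)


def broadcast_rates(frames, subnet_bcast):
    """Per source IP: total broadcast frames, the busiest one-second bucket
    (what IO Graphs shows at a 1 s interval), the bandwidth in that second,
    and the protocols seen, so the offending service can be named."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # src -> second -> [frames, bytes]
    protocols = defaultdict(set)
    for f in frames:
        if is_broadcast(f, subnet_bcast):
            b = buckets[f.src_ip][int(f.ts)]
            b[0] += 1
            b[1] += f.length
            protocols[f.src_ip].add(f.protocol)
    report = {}
    for src, per_sec in buckets.items():
        peak = max(per_sec, key=lambda sec: per_sec[sec][0])
        pps, nbytes = per_sec[peak]
        report[src] = {"total": sum(c for c, _ in per_sec.values()),
                       "peak_pps": pps,
                       "peak_mbps": nbytes * 8 / 1e6,
                       "protocols": sorted(protocols[src])}
    return report


def classify(report, capture_seconds, per_minute_ok=10, storm_pps=1000):
    """Apply the chapter's rule of thumb: up to 10 broadcasts per minute per device
    is normal; above that is worth a look; thousands per second is a storm.
    storm_pps is an assumed threshold, not a figure from the text."""
    verdicts = {}
    for src, r in report.items():
        per_minute = r["total"] * 60 / capture_seconds
        if r["peak_pps"] >= storm_pps:
            verdicts[src] = "storm"
        elif per_minute > per_minute_ok:
            verdicts[src] = "chatty"
        else:
            verdicts[src] = "normal"
    return verdicts


def make_sample():
    """Constructed 60-second capture on 172.30.121.0/24 (no real traffic)."""
    frames = []
    # 5000 Mailslot broadcasts inside one second from the misbehaving host, 250 bytes each
    for i in range(5000):
        frames.append(Frame(i / 5000, "172.30.121.1", "172.30.121.255", BROADCAST_MAC, 250, "Mailslot"))
    # A normal workstation: three NBNS broadcasts in a minute
    for ts in (5.0, 20.0, 40.0):
        frames.append(Frame(ts, "172.30.121.10", "172.30.121.255", BROADCAST_MAC, 92, "NBNS"))
    # A chatty host: a Browser announcement every four seconds
    for i in range(15):
        frames.append(Frame(1.0 + 4 * i, "172.30.121.20", "172.30.121.255", BROADCAST_MAC, 243, "BROWSER"))
    # Unicast traffic, which must not be counted
    frames.append(Frame(2.0, "172.30.121.10", "172.30.0.5", "00:11:22:33:44:55", 1500, "SMB"))
    return frames


if __name__ == "__main__":
    report = broadcast_rates(make_sample(), "172.30.121.255")
    verdicts = classify(report, capture_seconds=60)
    for src in sorted(report):
        r = report[src]
        print(f"{src:15} {verdicts[src]:7} total={r['total']:5} peak={r['peak_pps']:5} pps "
              f"{r['peak_mbps']:.2f} Mbps {r['protocols']}")
```

On a real capture, feed this the fields from a tshark or CSV export; the peak one-second bucket is the figure to compare with the port speed, since a 10 Mbps router port saturates at exactly the rate the text describes regardless of how quiet the rest of the minute is.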