Network Basic Input/Output System (NetBIOS) is a set of protocols developed in the early 1980s for LAN communications. A few years later, it was adopted by Microsoft for their networking over the LAN, and then it was migrated to work over TCP/IP (NetBIOS over TCP/IP, RFCs 1001 and 1002).
In today's networks, NetBIOS provides three services:
In this chapter, we will get into some common problems with the NetBIOS suite of protocols, and we will learn how to try and solve them. Since the NetBIOS set of protocols is quite complicated, and there are hundreds of scenarios of things that might go wrong, we will provide some guidelines for how to look for common problems and what might go wrong.
NetBIOS protocols work in Windows environments, along with Mac and Linux machines communicating with Windows. When facing problems such as instability, slow response times, or disconnections in these environments, NetBIOS issues can be one of the reasons. When facing these problems, the tool for solving them is Wireshark: it will show you what runs over the network, and Windows tools will show you what runs on the clients and servers.
To try and find out what a problem could be, connect your laptop running Wireshark to the network, and port mirror the suspected clients or server as described below. In the following sections, we will see several scenarios for several problems.
There are many predefined filters that are used with NetBIOS. You can find them by clicking on the Expression button, which is on the right-hand side of the Display Filters window.
First, take a general look at the network. Then, look for suspicious patterns:

- Use the filter nbns.flags.response == 0. It will give you the NBNS requests. You will see many broadcasts, as shown in the following screenshot:

  [screenshot]

  - Workgroup names seen in the capture: WORKGROUP and ETTI.
  - The NBNS server will accept or reject the name registration by issuing a positive or negative Name Registration Response to the requesting node. If none is received, the requesting node will assume the registration is OK.
  - Addresses that start with 169.254 (5). These are Automatic Private IP Addressing (APIPA) addresses. This actually means that the PC is configured to accept addresses automatically (by DHCP) and it has not received one.
- Look at the NBDS traffic on UDP port 138. Here, you will see that every station announces its capabilities: workstation, server, print server, and so on. For example, you can see this in the following screenshot:

  [screenshot]

Here are some issues and problems you might see during usual operation:

- A status of 0 means STATUS_OK, when everything works fine and there is no problem. Any other code should be examined.
- STATUS_ACCESS_DENIED. This is one of many error codes you should look for. In the example, access to \\NAS01\HOMEDIR on a server with an IP address that starts with 203 (full address hidden due to security reasons) was denied.
- STATUS_MORE_PROCESSING_REQUIRED (2) that happened during session setup (1) on \\NAS01\SAMIM (3).
- Use the filter smb.nt_status != 0x0. You will get all error responses, as shown in the following screenshot:

  [screenshot]

As we saw in the introduction to this section, NetBIOS provides three services: NetBIOS Name Service (NBNS), NetBIOS Datagram Distribution Service (NBDS), and NetBIOS Session Service (NBSS).
NBNS is the service that registers names and translates them to IP addresses. Registration happens when a client registers its name in the domain controller. The client sends a registration request, and then gets a response saying whether the registration is OK or the name is already registered with another device. Microsoft environments implemented this with WINS at a time when most networks did not use DNS; later it was replaced by DNS. It works over UDP port 137.

NBDS is used for service announcements by clients and servers. With this service, devices on the network announce their names, the services that they can provide to other devices on the network, and how to connect to these services. It works over UDP port 138.

NBSS is used to establish sessions between hosts, open or save files, and execute remote files and other sessions over the network. It works over TCP port 139.
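To make the NBNS wire format concrete, here is an added example (not code from the book) that builds and decodes RFC 1002 name registration and name query packets: the first-level name encoding, the response bit that the nbns.flags.response == 0 filter tests, the broadcast bit, and the address carried in a registration, with an APIPA check like the 169.254 observation in the previous section. The names, transaction IDs and addresses in it are constructed sample values.

```python
"""NetBIOS Name Service (NBNS, UDP/137) packet builder and decoder after RFC 1002.
Added example; all names, transaction IDs and addresses below are constructed."""
import socket
import struct

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}
# Well-known 16th-byte suffixes of a NetBIOS name
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser",
            0x1E: "browser election", 0x20: "file server"}


def encode_name(name, suffix):
    """First-level encoding: 15-char space-padded name + suffix byte; each nibble
    becomes one letter 'A'..'P', wrapped as one 32-byte label plus the root label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytearray()
    for b in raw:
        half.append((b >> 4) + 0x41)
        half.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(half) + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (name, suffix, offset just past the name)."""
    length = buf[off]
    off += 1
    enc = buf[off:off + length]
    off += length
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, length, 2))
    while buf[off] != 0:            # skip scope labels, if any
        off += 1 + buf[off]
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1


def _header(trn_id, opcode, qd, ar, broadcast):
    # flags: R(1) OPCODE(4) NM_FLAGS(7) RCODE(4); NM_FLAGS RD=0x0100, B=0x0010
    flags = (opcode << 11) | 0x0100 | (0x0010 if broadcast else 0)
    return struct.pack("!HHHHHH", trn_id, flags, qd, 0, 0, ar)


def build_query(trn_id, name, suffix, broadcast=True):
    """NAME QUERY REQUEST (opcode 0) for name<suffix>."""
    return (_header(trn_id, 0, 1, 0, broadcast) + encode_name(name, suffix)
            + struct.pack("!HH", 0x20, 1))           # QTYPE NB, QCLASS IN


def build_registration(trn_id, name, suffix, ip, broadcast=True):
    """NAME REGISTRATION REQUEST (opcode 5): question plus an additional record
    that carries the address the node wants to bind to the name."""
    pkt = _header(trn_id, 5, 1, 1, broadcast) + encode_name(name, suffix)
    pkt += struct.pack("!HH", 0x20, 1)
    # RR: pointer to the name at offset 12, type NB, class IN, TTL, RDLENGTH 6
    pkt += struct.pack("!HHHIH", 0xC00C, 0x20, 1, 300000, 6)
    pkt += struct.pack("!H", 0x0000) + socket.inet_aton(ip)   # unique name, B-node
    return pkt


def parse_nbns(pkt):
    """Decode the fields Wireshark shows as nbns.flags.* plus the queried name."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"trn_id": trn_id, "response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010), "rcode": flags & 0xF}
    off = 12
    if qd:
        name, suffix, off = decode_name(pkt, off)
        off += 4                                        # QTYPE, QCLASS
        info.update(name=name, suffix=suffix, role=SUFFIXES.get(suffix, "other"))
    if ar and info["opcode"] in ("registration", "refresh"):
        if pkt[off] & 0xC0 == 0xC0:                     # compressed name pointer
            off += 2
        else:
            _, _, off = decode_name(pkt, off)
        off += 10                                       # type, class, TTL, RDLENGTH
        nb_flags, = struct.unpack_from("!H", pkt, off)
        info["group"] = bool(nb_flags & 0x8000)
        info["address"] = socket.inet_ntoa(pkt[off + 2:off + 6])
    return info


def summarise_requests(packets):
    """What 'nbns.flags.response == 0' leaves: requests only, flagging APIPA claims."""
    rows = []
    for p in packets:
        i = parse_nbns(p)
        if i["response"]:
            continue
        i["apipa"] = i.get("address", "").startswith("169.254.")
        rows.append(i)
    return rows


if __name__ == "__main__":
    sample = [build_registration(0x8001, "ETTI-PC", 0x00, "169.254.3.7"),
              build_query(0x8002, "NAS01", 0x20)]
    for row in summarise_requests(sample):
        print(row)
```

A registration whose additional record carries a 169.254.x.x address is a node that never got a DHCP lease, which is exactly the APIPA pattern the capture shows; the decoder also distinguishes group from unique names and broadcast from unicast (WINS-directed) requests, which is the first thing to check when a name is "registered with another device".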
There are additional protocols such as Server Message Block (SMB) that run over NBSS for transaction operations and over NBDS for service announcements, SPOOLSS for printer requests, and several others. Getting into the details of NetBIOS is beyond the scope of this book. In the case that you are required to troubleshoot NetBIOS protocols, follow the instructions in this section, paying special attention to error messages and notes.
In this section, I would like to show some examples to get a better understanding of the NetBIOS protocols.

In the following screenshot, we see the reason for an application freeze:

[screenshot]

In the example, we make the following observations:

- A host whose IP address starts with 203 is trying to connect to \\NAS01\SAMIM on a server with the IP address 10.1.70.95, and gets back a STATUS_ACCESS_DENIED error.
- This is followed by a TCP RST (Reset).

What the customer saw here was an application freeze.
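The STATUS_ACCESS_DENIED reply in this example and the smb.nt_status != 0x0 filter from the previous section both come down to reading the NT status field of SMB replies. The following added example (not code from the book) splits an NBSS session stream into messages, reads the header of each SMB1 or SMB2 reply, and lists the non-zero statuses. The NBSS keepalive and the SMB frames it feeds itself are constructed (headers only), and the status-name table covers only the codes discussed here plus a few common ones.

```python
"""Extract NT status codes from SMB replies carried over NBSS (TCP/139).
Added example; the frames it builds for itself are constructed, not captured."""
import struct

NT_STATUS = {
    0x00000000: "STATUS_OK",
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000CC: "STATUS_BAD_NETWORK_NAME",
}
SMB1_COMMANDS = {0x72: "Negotiate", 0x73: "Session Setup AndX", 0x75: "Tree Connect AndX"}
SMB2_COMMANDS = {0x0000: "Negotiate", 0x0001: "Session Setup", 0x0003: "Tree Connect"}


def nbss_messages(stream):
    """Split a TCP byte stream into NBSS messages: 1-byte type, 24-bit length, body.
    Only type 0x00 (session message) carries SMB; keepalives (0x85) are skipped."""
    off = 0
    while off + 4 <= len(stream):
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            break                      # truncated: wait for more data
        if msg_type == 0x00:
            yield body
        off += 4 + length


def smb_status(msg):
    """Return (dialect, command, is_reply, nt_status) for an SMB1/SMB2 header, else None."""
    if msg[:4] == b"\xffSMB" and len(msg) >= 32:
        # SMB1: Command at 4, Status (little endian) at 5..8, Flags at 9 (0x80 = reply)
        cmd, status, flags = struct.unpack_from("<BIB", msg, 4)
        return "SMB1", SMB1_COMMANDS.get(cmd, hex(cmd)), bool(flags & 0x80), status
    if msg[:4] == b"\xfeSMB" and len(msg) >= 64:
        # SMB2: Status at 8..11, Command at 12..13, Flags at 16..19 (bit 0 = server to client)
        status, cmd = struct.unpack_from("<IH", msg, 8)
        flags, = struct.unpack_from("<I", msg, 16)
        return "SMB2", SMB2_COMMANDS.get(cmd, hex(cmd)), bool(flags & 0x1), status
    return None


def error_replies(stream):
    """The display filter smb.nt_status != 0x0, restricted to replies."""
    out = []
    for msg in nbss_messages(stream):
        parsed = smb_status(msg)
        if parsed is None:
            continue
        dialect, cmd, is_reply, status = parsed
        if is_reply and status != 0:
            out.append((dialect, cmd, NT_STATUS.get(status, f"0x{status:08X}")))
    return out


# --- constructed test frames (headers only; a real message carries a body too) ---
def smb1_message(cmd, status, reply=True):
    hdr = b"\xffSMB" + struct.pack("<BIB", cmd, status, 0x80 if reply else 0x00) + bytes(22)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


def smb2_message(cmd, status, reply=True):
    hdr = (b"\xfeSMB"
           + struct.pack("<HHIHHI", 64, 0, status, cmd, 0, 0x1 if reply else 0)
           + bytes(44))
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


if __name__ == "__main__":
    stream = (b"\x85\x00\x00\x00"                    # NBSS keepalive, no SMB inside
              + smb1_message(0x73, 0xC0000016)       # session setup: server challenge
              + smb1_message(0x75, 0xC0000022)       # tree connect: access denied
              + smb2_message(0x0003, 0xC00000CC))    # tree connect: bad share name
    for row in error_replies(stream):
        print(row)
```

One caveat when reading the output: STATUS_MORE_PROCESSING_REQUIRED on a Session Setup reply is the normal intermediate step of a multi-round authentication exchange (the server is returning its challenge), so on its own it is not a failure. A real problem shows up as a STATUS_ACCESS_DENIED or STATUS_LOGON_FAILURE reply, or, as in the freeze above, as a session that is reset right after the error.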
In one of my client's networks, I got an urgent call that a remote office was disconnected from the HQ. Some network details are as follows:

- The remote office network is 172.30.121.0/24, with a default gateway 172.30.121.254.
- The HQ network is 172.30.0.0/24. The connections between the remote offices and the centre are L3 IP-VPNs over an MPLS network.

To solve the problem, I did the following:

- I pinged 172.30.121.254, and got no response. This means that the PCs on the LAN couldn't get to their local router, which is the default gateway.
- Wireshark showed packets coming from 172.30.121.1. The packets are broadcast (3), and the service that generated them is Write Mail Slot (5), which is sent by the SMB Mailslot protocol (4).
- The process generating them was LS3Bcast.exe. I stopped it, made sure it didn't come back, and that was it.
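Finding the source of a broadcast storm like the one in this case is mostly counting: which hosts send broadcasts, how many per second, and which service generates them. The following added example (not code from the book) does that over a constructed CSV export in the shape time,src,dst,port,info; the addresses reuse the 172.30.121.0/24 network from the case, but the traffic itself is made up.

```python
"""Rank hosts by broadcast rate and list the services behind their broadcasts.
Added example; SAMPLE_CSV is a constructed, Wireshark-style export (time,src,dst,port,info)."""
import ipaddress
from collections import defaultdict

SAMPLE_CSV = """\
0.000,172.30.121.1,172.30.121.255,138,Write Mail Slot
0.050,172.30.121.1,172.30.121.255,138,Write Mail Slot
0.100,172.30.121.1,172.30.121.255,138,Write Mail Slot
0.150,172.30.121.1,172.30.121.255,138,Write Mail Slot
0.200,172.30.121.1,172.30.121.255,138,Write Mail Slot
0.250,172.30.121.1,172.30.121.255,138,Write Mail Slot
0.300,172.30.121.20,172.30.121.255,137,Name query NB NAS01<20>
0.400,172.30.121.30,172.30.121.254,445,Negotiate Protocol Request
1.100,172.30.121.1,255.255.255.255,138,Write Mail Slot
"""


def parse_rows(text):
    """Turn the CSV export into (time, src, dst, port, info) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, info = line.split(",", 4)
        rows.append((float(t), src, dst, int(port), info))
    return rows


def is_broadcast(dst, net):
    """Directed broadcast for the LAN under study, or the limited broadcast address."""
    return ipaddress.ip_address(dst) == net.broadcast_address or dst == "255.255.255.255"


def peak_broadcast_rate(rows, net, window=1.0):
    """Per source: the most broadcasts it sent within any single window (seconds)."""
    buckets = defaultdict(lambda: defaultdict(int))      # src -> window index -> count
    for t, src, dst, port, info in rows:
        if is_broadcast(dst, net):
            buckets[src][int(t // window)] += 1
    return {src: max(counts.values()) for src, counts in buckets.items()}


def broadcast_talkers(rows, net, threshold, window=1.0):
    """Sources whose peak broadcast rate reaches the threshold, busiest first."""
    rates = peak_broadcast_rate(rows, net, window)
    return sorted(((s, r) for s, r in rates.items() if r >= threshold),
                  key=lambda item: -item[1])


def broadcast_services(rows, src, net):
    """Which protocols/services a source's broadcasts belong to (from the info column)."""
    return sorted({info for t, s, dst, port, info in rows
                   if s == src and is_broadcast(dst, net)})


if __name__ == "__main__":
    lan = ipaddress.ip_network("172.30.121.0/24")
    rows = parse_rows(SAMPLE_CSV)
    for src, rate in broadcast_talkers(rows, lan, threshold=5):
        print(src, rate, "broadcasts/s", broadcast_services(rows, src, lan))
```

The threshold is a judgement call for the LAN in question: a few NBNS or browser announcements per second from each station is normal, while one host sending the same Mailslot write several times a second, with nothing answering, is the signature seen in the case above and points at a process on that host rather than at the network.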