Configure IT Quick: Use Nbtstat to gather NetBIOS information

Nbtstat is a Windows command-line application that allows you to access the NetBIOS name tables for your Windows network. Let's take a look at how you can use the tool—as well as a companion tool—and see why it can be a valuable part of your administrator toolkit.

Getting started with Nbtstat
Nbtstat is located in the %SystemRoot%\System32 folder of default installations of Windows NT, 2000, XP, and .NET Server. Typing nbtstat at a command prompt should automatically resolve the location and display the Nbtstat help file. Syntax is the same across Windows versions.

One of the simplest actions you can perform with Nbtstat is to list your NetBIOS Remote Cache Name Table. This will tell you what computers are in your current NetBIOS cache. Entries are put into the NetBIOS cache based on traffic of any sort between your computer and the remote computer. This could be file access, a client/server application, or even a ping. These activities populate the NetBIOS name cache and have a specific life (expiration) in seconds. Once the life expires, the names are removed from the cache.

You can access the NetBIOS Remote Cache Name Table by typing nbtstat -c. Figure A shows how the computer AMIE dropped off my cache list in the 28 seconds between the two executions of the nbtstat -c command.

Figure A


Nbtstat provides a number of options for getting NetBIOS information:
  • Adapter status (-a for name, -A for address) lists a remote NetBIOS table.
  • Cache (-c) lists a local cache of remote devices.
  • Names (-n) lists local NetBIOS names.
  • Resolved (-r) lists WINS names and broadcast names.
  • Reload (-R) purges the remote cache name table.
  • Session (-s for name, -S for address) displays the sessions table and destination name or address.
  • Release and Refresh (-RR) sends release packets to WINS and starts a refresh.

Let’s take a closer look at two functions you can perform with Nbtstat. First, we'll look at the reload (-R) function.

Reload allows you to clear your current cache of names and addresses before they're set to expire, which can be helpful if you are changing names or addresses for a device over the network. To execute the reload function, simply type nbtstat -R. Clearing your cache when you know there is a change is a good practice to follow, especially on an administrator's workstation. Figure B shows the display of the NetBIOS cache, the reload, and the display of the cache after the reload (empty).

Figure B


Remember that Nbtstat parameters are case sensitive. Thus, using Nbtstat with an -r parameter yields entirely different results than the previous example. Typing nbtstat -r will give you a list of resolved addresses, as shown in Figure C.

Figure C


This displays each Windows computer I have resolved on my network (except my local workstation—I would use nbtstat -n for my names). In this case, Nbtstat is displaying every Windows computer running NetBIOS. However, I do not have a WINS server on my network, so it lists that 0 of my addresses have been resolved by a name server.

Now examine Figure D. It shows a Windows NT 4.0 list of names resolved by broadcast and WINS on a different network. The resolved (-r) option gives you a way to check that your name resolution is using WINS if you want it to. If WINS is your name resolution mechanism, the Registered By Name Server field should be populated.

Figure D


No authentication necessary
To run NetBIOS name tools like Nbtstat and NBTScan (described next), authentication on the Windows computers is not required. That's handy if you have many domains to administer. However, NBTScan is a better NetBIOS name tool for multiple subnets, multiple locations, or for running over a VPN connection.

Another NetBIOS name tool
A number of tools on the Internet provide NetBIOS name services, but one of my favorites is NBTScan. Although it's not a Microsoft tool, NBTScan also scans a network for NetBIOS name information and provides some nice features. Plus, the tool is a freeware title available for download.

The two features of NBTScan I like most are its ability to write results in the format of an Lmhosts file and to scan an entire network (any network you can connect to) for NetBIOS names, MAC addresses, and TCP/IP addresses. I generally find this tool is a little more helpful than Nbtstat. Figure E offers a look at NBTScan's output.

Figure E


I usually schedule these types of scans to run multiple times throughout the day to see if any suspicious computers appear on the network. Depending on your network, this tool will also show VPN clients.

One limitation with these NetBIOS tools is that they cannot resolve non-NetBIOS enabled devices. In Figure E, the NetBIOS name field for four devices indicates "Recvfrom failed: Connection reset by peer." That's because these are UNIX systems and do not natively support NetBIOS. If NetBIOS is disabled on a Windows system, the same message will appear.
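
One way to act on scheduled scans like these is to compare each new result against an approved baseline. The following is an added example, not code from the article or from NBTScan: it assumes both scans were saved as text in Lmhosts format (IP address, whitespace, name, optional # keywords), the function names are hypothetical, and the sample data is constructed (only the name AMIE comes from the article).

```python
import ipaddress

def parse_lmhosts(text):
    """Return {ip: NAME} from Lmhosts-style lines ("<ip> <name> [#PRE ...]")."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #PRE/#DOM tags
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ValueError:
            continue  # first field is not an IPv4 address
        hosts[ip] = parts[1].strip('"').upper()  # NetBIOS names are case-insensitive
    return hosts

def diff_scans(baseline, current):
    """Classify the differences between two {ip: name} scan results."""
    by_ip = lambda item: ipaddress.IPv4Address(item[0])
    base_names, cur_names = set(baseline.values()), set(current.values())
    report = {"new": [], "moved": [], "renamed": [], "missing": []}
    for ip, name in sorted(current.items(), key=by_ip):
        if ip not in baseline:
            # A known name on a new address is likelier a DHCP change than a new machine.
            report["moved" if name in base_names else "new"].append((ip, name))
        elif baseline[ip] != name:
            report["renamed"].append((ip, baseline[ip], name))
    for ip, name in sorted(baseline.items(), key=by_ip):
        if ip not in current and name not in cur_names:
            report["missing"].append((ip, name))
    return report

# Constructed sample data (not real scan output): approved baseline and a later scan.
BASELINE = """\
192.168.1.10  FILESRV01  #PRE
192.168.1.21  AMIE
192.168.1.22  RICK-WS
192.168.1.30  PRINTSRV
"""
CURRENT = """\
192.168.1.10  FILESRV01
192.168.1.22  LAB-TEMP
192.168.1.35  amie
192.168.1.77  UNKNOWN-PC
"""

if __name__ == "__main__":
    print(diff_scans(parse_lmhosts(BASELINE), parse_lmhosts(CURRENT)))
```

Because of the limitation described above, a comparison like this only covers hosts that answer NetBIOS queries; devices with NetBIOS disabled never appear in either list.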

Final word
Nbtstat and NBTScan can come in quite handy. NetBIOS is still a default name resolution scheme in Windows 2000 and .NET, so it is going to be part of our Windows networks for some time. Having an understanding of what Nbtstat and NBTScan can do will help you better manage your network and its traffic.

 

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
