NetBIOS

For historical reasons, Windows computers often use a protocol called NetBIOS. Although originally used only within LANs, NetBIOS has been extended so that it can run over TCP/IP (NBT), allowing organizations to provide Windows file- and print-sharing services across a WAN. A helpful command for identifying a user over a network using NetBIOS is nbtstat. nbtstat is a standard component on all current Windows platforms, and a Linux version is also available.8

From your remote computer you can run this command either against the suspect's IP address (uppercase -A; the address below is a placeholder from the documentation range):

nbtstat -A 192.0.2.10

or against a specific machine name (lowercase -a):

nbtstat -a suspect.computer.com

Note that the case of the switch matters: -a expects a name and -A expects an IP address, and the two are not interchangeable.

nbtstat displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP). Its command-line options are as follows:

NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

-a (adapter status)
    Lists the remote machine's name table given its name.

-A (Adapter status)
    Lists the remote machine's name table given its IP address.

-c (cache)
    Lists the remote name cache, including the IP addresses.

-n (names)
    Lists local NetBIOS names.

-r (resolved)
    Lists names resolved by broadcast and via WINS.

-R (Reload)
    Purges and reloads the remote cache name table.

-S (Sessions)
    Lists the sessions table with the destination IP addresses.

-s (sessions)
    Lists the sessions table, converting destination IP addresses to host names via the hosts file.

RemoteName
    Remote host machine name.

IP address
    Dotted decimal representation of the IP address.

interval
    Redisplays the selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.


If a user is logged into the computer, you receive output similar to that shown in Figure 2-17. As you can see, it provides the machine name, the Windows NT domain the computer is registered in (in this case, a domain named "security"), and the MAC address. The logged-on user appears as the name-table entry with suffix <03> that differs from the computer name (this entry is registered by the Messenger service, so it is absent on systems where that service is disabled). Because a MAC address is meant to be unique to a network card, it is a strong means of identifying a computer after it has been seized. Bear in mind, though, that nbtstat reports the address of whichever adapter answered the query, and most drivers let an administrator override the hardware address in software, so treat a match as a promising lead rather than proof; unless the NIC is swapped out or its address has been changed, this is likely the computer you're looking for. nbtstat is a handy command because it enables you to associate a user with an IP address, and its plain-text output can be copied and pasted into a document that you can print.

Figure 2-17 nbtstat output
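The query that nbtstat -A sends is a NetBIOS adapter-status request (RFC 1002 section 4.2.18): a single UDP datagram to port 137 asking for the wildcard name "*", answered with the remote name table and the adapter's unit ID (MAC). The following is an added example, not code from the chapter, that builds that datagram, decodes the reply the way the figure above is read (computer name, domain, logged-on user from the <03> entry, MAC address), and treats silence on UDP/137 the way nbtstat does with its "Host not found" message. The sample response, including the host name SUSPECT-PC, the user JDOE and the MAC 00-0C-29-3A-5B-6C, is constructed test data so the decoder can run offline; the function names are the example's own.

```python
"""Send and decode a NetBIOS adapter-status (NBSTAT) query, the protocol
behind ``nbtstat -A``.  Added example; the sample host, user and MAC are
constructed values, not observations from the chapter."""
import socket
import struct

NBNS_PORT = 137
NBSTAT_TYPE = 0x0021

# Well-known NetBIOS suffixes, labelled the way nbtstat does.
SUFFIXES = {
    0x00: "Workstation Service / Domain Name",
    0x03: "Messenger Service (computer name or logged-on user)",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def encode_name(name, suffix=0x00):
    """First-level encode a 16-byte NetBIOS name (15 chars + suffix byte).
    The wildcard "*" of a status query is NUL padded; other names use spaces."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    half = bytearray()
    for b in raw:                                   # each byte -> two letters 'A'..'P'
        half += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(half)]) + bytes(half) + b"\x00"


def build_status_query(txid):
    """Question for "*" type NBSTAT: header(12) + name(34) + type/class(4) = 50 bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT_TYPE, 0x0001)


def parse_status_response(data, txid=None):
    """Return {'names': [(name, suffix, flags), ...], 'mac': 'XX-XX-...'}."""
    if len(data) < 12:
        raise ValueError("short packet")
    rtxid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid is not None and rtxid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or flags & 0x000F or ancount < 1:   # response bit, RCODE
        raise ValueError("not a successful response (flags=0x%04x)" % flags)
    off = 12
    while data[off]:                                # skip the encoded RR name labels
        off += 1 + data[off]
    off += 1
    rr_type, _cls, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rr_type != NBSTAT_TYPE:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    rdata = data[off:off + rdlen]
    num = rdata[0]
    names = []
    for i in range(num):                            # 18-byte NODE_NAME entries
        entry = rdata[1 + 18 * i:1 + 18 * (i + 1)]
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        names.append((name, entry[15], struct.unpack(">H", entry[16:18])[0]))
    stats = rdata[1 + 18 * num:]                    # STATISTICS begins with UNIT_ID (MAC)
    mac = "-".join("%02X" % b for b in stats[:6]) if len(stats) >= 6 else None
    return {"names": names, "mac": mac}


def summarize(parsed):
    """Read the table the way the chapter reads Figure 2-17."""
    computer = domain = None
    users = []
    for name, suffix, nflags in parsed["names"]:
        group = bool(nflags & 0x8000)               # G bit: group name
        if suffix == 0x00 and not group and computer is None:
            computer = name
        elif suffix == 0x00 and group and domain is None:
            domain = name
        elif suffix == 0x03 and not group:
            users.append(name)
    users = [u for u in users if u != computer]     # <03> that is not the machine = user
    return {"computer": computer, "domain": domain, "users": users, "mac": parsed["mac"]}


def query_adapter_status(host, timeout=2.0):
    """Live query; None means no answer (nbtstat's "Host not found"), which is
    what a firewall dropping UDP/137 looks like even when ping succeeds."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_status_query(txid), (host, NBNS_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return summarize(parse_status_response(data, txid))


def build_sample_response(txid=0x1234):
    """Constructed reply resembling a Windows host in domain SECURITY (made-up data)."""
    entries = [("SUSPECT-PC", 0x00, 0x4400), ("SECURITY", 0x00, 0xC400),
               ("SUSPECT-PC", 0x20, 0x4400), ("SUSPECT-PC", 0x03, 0x4400),
               ("JDOE", 0x03, 0x4400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("000c293a5b6c") + b"\x00" * 40    # UNIT_ID + zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative
    return header + encode_name("*") + struct.pack(">HHIH", NBSTAT_TYPE, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    print(summarize(parse_status_response(build_sample_response(), 0x1234)))
```

Against a live host, query_adapter_status("192.0.2.10") returns the same dictionary the sample produces, or None when nothing answers; a None result with a working ping is the firewall case described below, not evidence that the target is not a Windows machine.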

We mostly use the nbtstat command from within our network, since nbtstat issues a User Datagram Protocol (UDP) request to port 137, and that port is blocked by default on many firewalls. Don't be surprised if you can ping the system (ICMP, which is often allowed) but nbtstat returns "Host not found" for a computer you know to be a Windows platform.