Wrangling NetBIOS With the nbtstat Utility

Published:21 May 2021 - 5 min. read

Elly Obare Image

Elly Obare

Read more tutorials by Elly Obare!

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

If you’re facing an issue with NetBIOS name resolution, troubleshooting it can be quite complex. But, did you know that there’s a tool that can help troubleshoot these problems? This tool is the nbtstat command-line utility.

In this article, you’ll learn how to use the nbtstat utility to retrieve NetBIOS statistics. The results can then help you analyze NetBIOS name resolution problems and potentially lead you to fix them.

Dust off your command-line skills and let’s get cracking!

Prerequisites

If you’d like to follow along in the practical bit, be sure to have the following:

  • A Windows 10 PC or Windows Server 2012 and later versions. This article will use Windows 1909 version with an OS Build 18363.
  • Throughout this article, you will be using an elevated CMD prompt (run as admin) and assume that you already have one opened. You can also use an elevated PowerShell session if you prefer.

Using nbtstat

nbtstat is an external command-line utility that enumerates NetBIOS statistics and displays name tables for local and remote devices in a network. nbtstat has switches that come in handy when troubleshooting NetBIOS connections and name resolution issues.

Getting Help

Like any undertaking, knowing that there’s a help system you can refer to is critical, especially when you’re at your wit’s end. Luckily, nbtstat has a built-in help reference.

To view the nbtstat help, run the command below in the command prompt.

nbtstat -?

As a result, you should see a similar output below, showing you the different switches and the explanation.

Getting nbstat help
Getting nbstat help

Apart from the built-in help, nbtstat has an online documentation too!

Displaying A Remote Machine’s NetBIOS Name Table

Note: The nbtstat switches are case-sensitive. A switch such as -a is not the same as -A.

Running nbtstat with the -a switch allows you to list a remote machine’s NetBIOS name table. When using this switch, append the remote machine’s name to the command.

For example, to display the NetBIOS name table of DESKTOP-7F4L706, run the command below in the command prompt.

nbtstat -a DESKTOP-7F4L706

As a result, the machine table shows the remote device name, the registration status, and whether the devices belong to any workgroups or not, as shown below.

Displaying the NetBIOS name table using the -a switch
Displaying the NetBIOS name table using the -a switch

Another switch that displays the same details is the -A switch. Instead of specifying the computer name at the end of this switch, you have to specify the remote computer’s IP address. This switch can be useful if the remote computer’s name is not resolvable.

For example, to display the NetBIOS name table of the remote machine at 192.168.1.111, run the command below in the command prompt.

nbtstat -a 192.168.1.111

As you can see below, the result is the same as when you use the -a switch.

Displaying the NetBIOS name table using the -A switch
Displaying the NetBIOS name table using the -A switch

Displaying The Local Machine’s Name Table

Running the nbtstat command with the -n switch enumerates computers’ NetBIOS name table of your local PC (locally). Using the -n switch also identifies if the named devices were registered through broadcast or a name server.

To view the local machine name table, run the command below in the command prompt.

nbtstat -n

You should see a similar output as below, showing you the local machine name table.

Displaying Local Machine Name Table
Displaying Local Machine Name Table

Displaying The NetBIOS Remote Name Cache

The -c switch lists the contents of the NetBIOS remote name cache. The name cache is a memory location that stores NetBIOS names with their corresponding IP addresses.

This switch primarily displays the name cache of machines and their IP addresses. To display the NetBIOS name cache, run the command below in the CMD.

nbtstat -c

As you can see below, the result shows the NetBIOS names and their corresponding IP addresses.

Displaying the NetBIOS remote name cache
Displaying the NetBIOS remote name cache

When using this -c switch, you may encounter a ‘no host name response’ result to show no listed and resolved names in the NetBIOS name cache. This result is common in modern networks where name servers such as WINS are no longer in use.

Displaying NetBIOS Name Resolution and Registration Statistics

The nbtstat -r command is a widely used switch when checking NetBIOS name resolution statistics. The -r switch shows the number of NetBIOS names that have been resolved to TCP/IP addresses.

The result is divided according to the mode of name resolution and registration, where the names resolved through broadcast appear first, followed by the names resolved by a name server.

To display the NetBIOS name resolution statistics, type the command below in the CMD.

nbtstat -r

You should see a closely similar output as below, showing you all the information about name resolution and names registered.

Displaying the NetBIOS name resolution statistics
Displaying the NetBIOS name resolution statistics

The -r switch is essential for diagnosing WINS server configuration problems. A common indication of a problem is when the number of devices resolved and registered through a name server is always zero despite a connection to a name server being present.

Additionally, the switch -r lists all the NetBIOS unique names and their Hex IDs depending on how they were registered and resolved.

Displaying NetBIOS Sessions

The -s switch displays the NetBIOS client and server sessions. The result shows a table converting the destination IP address to the computer’s NetBIOS name.

On the other hand, the -S switch lists both workstation and server sessions of the remote devices using the destination IP address only.

You do not have to specify any value to both these switches. To display the NetBIOS session, run the commands below in the command prompt.

nbtstat -s
nbtstat -S

As you can see below, the result for both commands is No Connections, which means there are no current NetBIOS sessions.

Displaying NetBIOS Sessions
Displaying NetBIOS Sessions

Displaying NetBIOS Statistics Continuously

Suppose you want to monitor a specific NetBIOS statistic at an interval. To do so, you don’t have to manually rerun the nbtstat command every time. You can append the interval (seconds) you want to the nbtstat command and the display will refresh automatically.

For example, to refresh the NetBIOS sessions every 30 seconds, run the command below in the command prompt.

nbtstat -s 30

To stop displaying the statistics, press CTRL+C to exit the interval loop.

Purging The NetBIOS Name Cache

In cases where NetBIOS name cache entries appear to be wrong, you may correct the problem by purging the NetBIOS name cache.

Running nbtstat with the-r switch allows administrators to purge the NetBIOS name cache before reloading correctly named entries as present in the Lmhosts file.

To purge the name cache table, run the command below in the command prompt.

nbtstat -R

The screenshot below shows the expected result after purging the name cache table.

Purging the name cache table
Purging the name cache table

Releasing And Refreshing NetBIOS Names

The nbtstat -RR releases and then refreshes NetBIOS names for the local computer registered with WINS servers.

To refresh and release the NetBIOS names, type the command below in your CMD and check the output.

nbtstat -RR

The example below shows the expected output after refreshing the NetBIOS names that the computer registered.

Releasing And Refreshing NetBIOS Names
Releasing And Refreshing NetBIOS Names

Conclusion

The nbtstat utility may be an old tool but indispensable when dealing with NetBIOS. In this article, you’ve learned how to use nbtstat with its many switches to retrieve information regarding NetBIOS.

With nbtstat, you can take out the guesswork in troubleshooting and start analyzing NetBIOS statistics based on data. Do you think you’d be using this tool or is there a better alternative for you?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!