First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

netbios query in tracert capture

I have a 200 ms response to a tracert (Windows) query, which I need to understand. I ran a capture, and find multiple name queries (NBSTAT) before each group of pings.

I know the following:

NetBIOS over TCP is enabled

The source machine is on one domain, and the destination is on another

The source machine is on one subnet, and the destination is on another

I am using port mirroring on an HP enterprise switch, which is doing the routing

How do I figure out what is happening ?

big-bite's avatar
1
big-bite
asked 2018-04-04 17:20:25 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Hello big-bite

Don't know if this is still an issue.

To answer this question we need some information:

  • What operating system is the source system?
  • Do you specify the remote system by name or by IP address?

Assuming that you run tracert on a Windows system:

  • Do you use a WINS server? (probably not, check with ipconfig /all)
  • What NetBIOS node type is configured (probably H-node, check with ipconfig /all)
  • What is the name resolution policy?

Of course the most important question is: When do you migrate your legacy Windows hosts to a more recent operating system, that runs SMB2 (or better: SMB3).

Good luck

Eddi's avatar Eddi (2018-04-19 18:55:16 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

Without having your packet trace to look at, the presence of the NBSTAT queries may or may not be related to your use of the Window tracert command. You might see DNS name queries as well.

When using Window's tracert command try adding the /d option ("Do not resolve addresses to hostnames") to your tracert command and see if your "NBSTAT" queries go away.

The default behavior for Window's tracert is to try to resolve the source IP address of any ICMP packet received. Starting with an ip.ttl==1, three outbound ICMP echo packets will be sent. Assuming that the target machine is not on the same IPv4 network segment, the first hop router will typically reply with ICMP TTL exceeded in transmit responses. Windows will then to determine the hostname of the device that sent these responses. Then the next set of three ICMP echo packets are sent with the ip.ttl increased by one and again by default Windows will try to determine the hostname(s) of these second set of responses and so on.

On many *nix-like systems the traceroute command typically uses the -n option for the same purpose as Window's tracert /d option. The man page for the traceroute on one of my Redhat system defines the -n option as "Do not try to map IP addresses to host names when displaying them.". Similarly on one of my macOS systems the -n option is defined as "Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).".

Interestingly on one my Ubuntu systems with GNU's inetutils based traceroute installed does not do name lookups by default. Instead one has to supply the long option --resolve-hostnames to actually force GNU traceroute to attempt the ip address to hostname lookups.

Jim Young's avatar
196
Jim Young
answered 2018-04-22 11:48:13 +0000, updated 2018-04-22 11:50:22 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer