NetBIOS and TCP/IP
NetBIOS provides name services, datagram services, and session services. Initially NetBIOS referred to computer names only. As networks grew large with many users, NetBIOS names were added for the user and the workgroup or domain. The NetBIOS username allowed a user to receive a message. The workgroup or domain name was added in order to group different systems under a common name to provide easier browsing, manageability, and domain security in the Windows NT domain model. In this excerpt, Dr. Karanjit Siyan describes the relationship between NetBIOS and TCP/IP.
This article is excerpted from Chapter 26 of TCP/IP Unleashed by Karanjit Siyan (Sams Publishing: ISBN 0672323516).
NetBIOS provides name services, datagram services, and session services (see Table 26.1). When NetBIOS is run over Transmission Control Protocol (TCP), the name and datagram services use ports 137 and 138 of the User Datagram Protocol (UDP) Transport Layer protocol. The session services use port 139 of the TCP Transport Layer protocol. Name and datagram services use UDP because the nature of the traffic generated by these services tends to be request-reply oriented. Also, name services make frequent use of broadcasts to resolve names, and UDP is better suited than TCP for handling broadcasts. On large networks, broadcasts can be a problem because they can lead to broadcast storms. For this reason, many routers are configured by default to block broadcasts. The procedure for configuring a router to block broadcasts is router specific.
Table 26.1 NetBIOS Services
Service Name | Port | Protocol | Short Name
NetBIOS Name Service | 137 | UDP | nbname
NetBIOS Datagram Service | 138 | UDP | Nbdatagram
NetBIOS Session Service | 139 | TCP | Nbsession
The session services in NetBIOS use TCP; TCP guarantees data delivery, whereas UDP does not. Also, the model of a TCP session more accurately reflects the behavior of a NetBIOS session. Both TCP and NetBIOS issue open primitives to open a connection and the close primitive to close a connection.
A given computer can have several processes. Processes that provide services are application services. Some of these application services are registered as NetBIOS names. Windows 2000 allows as many as 250 NetBIOS names to be registered on a computer. Some examples of application services on a Windows computer are:
Server Service: Identifies the application service that is running; typically refers to the service that allows the sharing of files and printers on the computer.
Workstation Service: Enables a workstation to act as a client and use services provided by the server service on another computer.
Messenger Service: Receives and displays messages for names registered on the computer.
The maximum length of NetBIOS names is 16 characters. The first 15 characters specify the NetBIOS name, and the last character is a byte that specifies the type of the NetBIOS name. This 1-byte identifier can have a value from 0 to 255. The following list shows the names of some services that can be registered (the numbers in brackets are the hexadecimal values of the 1-byte identifiers):
Computername[0x00]: The Workstation service registered for the computer
Computername[0x03]: The Messenger service registered for the computer
Computername[0x06]: The remote access service (RAS) Server Service registered for the computer
Computername[0x1F]: The NetDDE Service registered for the computer
Computername[0x20]: The Server service registered for the computer
Computername[0x21]: The RAS Client service registered for the computer
Computername[0xBE]: The Network Monitor Agent service registered for the computer
Computername[0xBF]: The Network Monitor Application service registered for the computer
Domainname[0x00]: Registers the computer as a member of the domain name or workgroup
Domainname[0x1E]: Used to facilitate browser elections
Domainname[0x1B]: Registers the computer as the domain master browser
NetBIOS Evolution
Initially NetBIOS referred to computer names only. There was only a single user for a computer. A message sent to the computer was received by the sole user on the computer.
As networks grew large with many users, NetBIOS names were added for the user and the workgroup or domain. The NetBIOS username allowed a user to receive a message. If more than one instance of the username existed (if the user logged in several times), only the first username that was registered received the message.
The workgroup or domain name was added in order to group different systems under a common name to provide easier browsing, manageability, and domain security in the Windows NT domain model. These group names are registered as NetBIOS names on the network.
In Windows 2000, NetBIOS is still used when you are using mixed-mode domains that include Windows NT domains and computers. This is the reason NetBIOS is discussed in this section.
In a native Windows 2000 domain, there is no need to configure or use NetBIOS because name resolution is performed using DNS.
Because Active Directory in Windows 2000 is self-configuring, no additional configuration needs to be done. However, Active Directory does depend on DNS, which must be configured separately.
Domainname[0x1C]: Registers the computer as a domain controller
Domainname[0x1D]: Registers the computer as the local subnetwork's master browser
Username[0x03]: The username registered by the messenger for the logged-on username
Group: The group name
\\__MSBROWSE__[01h]: The master browser
For example, consider that user Phylos on Windows 2000 Professional workstation WS1 in domain KINETD wants to retrieve files from a Windows 2000 server named ADS, using the universal naming convention (UNC) name of the file, \\ADS\sharename. The username "Phylos [0x03]" uses the workstation service with NetBIOS name "WS1 [0x00]" to be first authenticated by the domain controller with the NetBIOS name "KINETD [0x1C]." After the authentication, the workstation service "WS1 [0x00]" communicates with the server service "ADS [0x20]" to retrieve files.
Types of Name Resolution Methods
Windows 2000 name resolution methods can be grouped into these categories:
Standard resolution, sometimes called host name resolution
Specific resolution, sometimes called NBT NetBIOS name resolution
These methods are discussed in the following sections.
Standard Resolution
The standard resolution method is used by UNIX systems and software ported from UNIX to the Windows environment. The standard resolution method is performed in this order:
Local hostname
Using the HOSTS file
Using DNS
NetBIOS name resolution, if DNS fails
The local host is the name of the locally configured machine. The name to be resolved is first checked to determine whether it is the name of the local machine.
NOTE
DNS Client Service
In Windows 2000, DNS name resolution is performed by the DNS Client service. This service implements the DNS resolver, which issues the Windows socket calls gethostbyname() and getnamebyhost().
If the name to be resolved is not that of the local machine, the HOSTS file is consulted. The HOSTS file is a table of mappings of IP addresses and hostnames. The format of the HOSTS file is taken from the 4.3 Berkeley Software Distribution (BSD) UNIX HOSTS file. The HOSTS file is consulted by applications such as Telnet, FTP, and ping. The HOSTS file is not kept at a central location. Instead, each computer is required to maintain its own HOSTS file. If it is to be changed for the network, it must be changed on all computers on the network.
If the name to be resolved is not found in the HOSTS file, a name query is sent to the DNS server. The DNS servers hold, among other things, the name-to-IP-address mappings in a distributed database on the network. Most DNS servers on the Internet are UNIX based, although DNS implementations are available on other platforms, such as Windows 2000.
Specific Resolution
The specific resolution method is unique to Windows networks. It consists of a combination of these methods:
- Local broadcast
- WINS
- LMHOSTS file
The local broadcast is a broadcast request sent on the local network requesting the IP address of the name that is to be resolved. The computer that recognizes its name in the broadcast request responds with its IP address. If no such computer exists, no response to the broadcast is received and the local broadcast is unable to resolve the name to its IP address. The local broadcast is also called the broadcast node (b-node) name resolution method.
WINS is an example of a NetBIOS Name Server (NBNS). The most common example of NBNS is the WINS implementation on Windows NT and Windows 2000 servers. NBNS name resolution is specified by Request for Comments (RFCs) 1001 and 1002.
NOTE
HOST Files
Hosts files are not commonly used on most networks, but are used on very small networks. DNS is more commonly used for name resolution for TCP/IP applications.
An Optimization Technique for Name Resolution
Before doing name resolution, a check is made to see whether the NetBIOS name being resolved is a local name, in which case no name resolution needs to be done.
The results of previous name queries are stored in the name cache. Before performing a name resolution, a check is also made to see whether the answer is already in the name cache; if it is, the name resolution is not attempted.
The LMHOSTS file is a table of mappings between IP addresses and NetBIOS names. The structure of the LMHOSTS file is similar to the HOSTS file, with the added distinction that it contains a number of additional directives to make name resolution configuration easier. Windows 2000 checks the LMHOSTS file only when other name resolution methods fail.
The exact order in which the specific name resolution method is implemented depends on the name resolution configuration for the Windows 2000 computer. These name resolution methods include b-node, peer node (p-node), mixed node (m-node), and hybrid node (h-node). The following list describes each method:
In the b-node name resolution, only broadcast packets are used for name registration and resolution. Because broadcasts can quickly flood the network, this name resolution mode is best used for small local networks that do not have a WINS server. To configure your network to use this mode, ensure that no WINS servers are on the network and that the Windows computers are configured to not use WINS. That is, for the Windows client computers, ensure that you do not specify the IP address of a WINS server.
The p-node name resolution uses WINS servers exclusively to resolve names. If the name cannot be resolved using WINS, other name resolution methods are not attempted.
The m-node name resolution is a combination of b-node and p-node methods. First, the b-node name resolution method is attempted. If the b-node fails, the client resorts to using p-node name resolution. This method tends to generate broadcast traffic first and then attempt WINS resolution. It is suitable for small networks that have a WINS server and where it is known that the WINS server's database has not been updated for some time with new hostname entries.
The h-node name resolution is also a combination of b-node and p-node methods. However, this method first tries the p-node name resolution. If the p-node method fails, the client resorts to using b-node name resolution. This method tends to generate broadcast traffic as a last resort because the first attempt is to contact a WINS server. This method, the most efficient, is suitable for larger networks that have a reliable WINS server and in which it is known that the WINS server's database has been updated with new hostname entries.
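Added example, not from the book: a small Python model of the lookup order for each node type, with plain dictionaries standing in for WINS, the local broadcast and LMHOSTS. All names and addresses are constructed, and the helper names are hypothetical; the last function counts how many lookups reach the broadcast step, which is the traffic difference the list describes.

```python
# Order of the WINS and broadcast steps for each node type, as listed above.
NODE_ORDER = {
    "b-node": ["broadcast"],
    "p-node": ["wins"],
    "m-node": ["broadcast", "wins"],
    "h-node": ["wins", "broadcast"],
}

def resolve(name, node_type, local_names, cache, sources):
    """Return (ip_or_None, trace). `sources` maps 'wins', 'broadcast' and
    'lmhosts' to dicts that stand in for the real lookups (assumption)."""
    key = name.upper()
    if key in local_names:                  # local name: nothing to resolve
        return "local", ["local"]
    trace = ["cache"]
    if key in cache:                        # earlier answer is still cached
        return cache[key], trace
    # LMHOSTS is consulted only after the node-type methods have failed.
    for method in NODE_ORDER[node_type] + ["lmhosts"]:
        trace.append(method)
        ip = sources.get(method, {}).get(key)
        if ip is not None:
            cache[key] = ip                 # resolved answers feed the cache
            return ip, trace
    return None, trace

def broadcast_count(node_type, names, sources):
    """How many of the lookups ended up sending a local broadcast."""
    cache = {}
    return sum("broadcast" in resolve(n, node_type, set(), cache, sources)[1]
               for n in names)

# Constructed sample: ADS sits on a remote subnet (WINS only), WS1 is local.
SAMPLE_SOURCES = {
    "wins": {"ADS": "192.0.2.10", "WS1": "192.0.2.21"},
    "broadcast": {"WS1": "192.0.2.21"},
    "lmhosts": {"OLDBOX": "192.0.2.99"},
}
SAMPLE_NAMES = ["ADS", "ADS", "WS1", "GHOST"]

if __name__ == "__main__":
    for node in NODE_ORDER:
        print(node, broadcast_count(node, SAMPLE_NAMES, SAMPLE_SOURCES))
```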
NOTE
LMHOSTS files are not commonly used on most networks, but are used on very small networks. DNS is more commonly used for name resolution for TCP/IP applications.
B-node broadcasts work only on local subnets unless the connecting routers to other subnets are enabled to forward broadcasts.
Note that in the p-node and b-node methods, either the p-node or b-node method is attempted. If these methods fail, the other methods, such as LMHOSTS, are still attempted.
You could use the m-node type for small regional offices on the far side of a WAN link, if they have local resources or servers.
Configuring the NetBIOS Name Cache
A Windows 2000 computer requesting name resolution first consults a special area in memory, the NetBIOS name cache. This data area contains a list of computer names and their IP addresses. Because this information is cached in memory, found information is quickly retrieved. The name cache entries come from two sources:
Answers to resolved name queries
Preloading of the name cache from the LMHOSTS file using the #PRE directive
With the exception of the preloaded name cache entries, all other entries are timed out and flushed from the cache. The default timeout period is ten minutes. Readers familiar with the Address Resolution Protocol (ARP) will recognize that the NetBIOS name cache acts in a similar manner.
To purge and reload the name cache, you can use this command:
Nbtstat -R
The R option is case sensitive. Another option, r, is used for displaying name resolution statistics.
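Added example, not from the book: a Python model of the name cache behaviour described above, in which resolved answers expire after the ten-minute default, entries preloaded from LMHOSTS with #PRE do not, and a purge and reload keeps only the preloaded entries. The LMHOSTS text, addresses and class name are constructed for illustration.

```python
CACHE_TIMEOUT_S = 600  # ten-minute default stated in the article

def parse_lmhosts(text):
    """Yield (ip, name, preload) for each mapping line; #PRE marks preload."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue                         # blank line or comment line
        directives = {f.upper() for f in fields[2:] if f.startswith("#")}
        yield fields[0], fields[1].upper(), "#PRE" in directives

class NameCache:
    def __init__(self, timeout=CACHE_TIMEOUT_S):
        self.timeout = timeout
        self.entries = {}   # name -> (ip, expiry time, or None if preloaded)

    def add_resolved(self, name, ip, now):
        """Answer to a resolved name query: subject to the timeout."""
        self.entries[name.upper()] = (ip, now + self.timeout)

    def preload(self, lmhosts_text):
        """Only #PRE lines enter the cache; they never time out."""
        for ip, name, pre in parse_lmhosts(lmhosts_text):
            if pre:
                self.entries[name] = (ip, None)

    def lookup(self, name, now):
        key = name.upper()
        hit = self.entries.get(key)
        if hit is None:
            return None
        ip, expires = hit
        if expires is not None and now >= expires:
            del self.entries[key]            # timed out: flushed
            return None
        return ip

    def purge_and_reload(self, lmhosts_text):
        """Models the effect of `nbtstat -R` as the article describes it."""
        self.entries.clear()
        self.preload(lmhosts_text)

# Constructed sample LMHOSTS content (documentation address range).
SAMPLE_LMHOSTS = """\
# constructed sample
192.0.2.10   ADS     #PRE    # file server, preloaded
192.0.2.30   OLDBOX          # read only when other methods fail
"""
```

Reviewing which LMHOSTS lines carry #PRE shows which static mappings a host will keep answering from memory regardless of what WINS or DNS currently say.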
The two Registry entries that can be used to configure the name cache parameters are under this Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Node-Type Best Practices
For small networks with low network traffic and a lack of qualified administrators, using the b-node method for name resolution is adequate.
For larger networks, the h-node method is the most efficient because it tries direct name resolution using WINS first (p-node). Only when WINS fails to resolve the name is the b-node method attempted. For a properly configured WINS server, the h-node method generates the least amount of network traffic.
The name cache entries are
Size/Small/Medium/Large. This entry is used to specify the number of names kept in the name cache. The settings are for small, medium, and large. Small corresponds to a value of 1 and sets the name cache size to 16 names. Medium corresponds to a value of 2 and sets the name cache size to 64 names. Large corresponds to a value of 3 and sets the name cache size to 128 names. The default value is 1, which is adequate for many networks. The parameter type is REG_DWORD.
CacheTimeout. This entry is used to specify the number of seconds an entry will remain in the name cache. The default value is 0x927c0 (600,000 seconds, or ten minutes), which is adequate for many networks. The parameter type is REG_DWORD.
These parameter entries and others for NetBT are shown in Figure 26.13. Note that if a Registry parameter value is not listed, its default value is taken.
Figure 26.13 NetBT Parameters entry keys.
Configuring the Name Broadcasts
If the name resolution process does not find the name to be resolved in the name cache, it might send a broadcast if it is configured as b-node, m-node, or h-node. NetBIOS broadcasts a Name Query packet to the local network on UDP port 137 (refer to Table 26.1). Every computer on the local subnet processes the broadcast packet. If a computer on the network is configured for the NetBIOS over TCP/IP (NetBT) protocol, the NetBIOS module in the computer receives the broadcast. The NetBIOS module compares the name request with the name of the registered NetBIOS names. If there is a match, the NetBIOS module sends a Positive Name Query Response packet.
Receiving more than one response indicates a duplicate NetBIOS name, which is reported on the computer console of the computer that receives the response. It is interesting to note that the Name Query broadcast is processed by every computer up to the Session Layer, whether or not the computer has the answer. Therefore, the broadcast not only generates network traffic but also results in wasted central processing unit (CPU) cycles on many computers.
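The 16-byte name layout (15 name characters plus a type byte) and the Name Query broadcast on UDP port 137 described above can be checked against captured traffic. The following Python is an added example, not code from the book: it decodes the question section of a name service packet using the RFC 1001 first-level encoding. The sample packet and helper names are constructed for illustration, and names carrying a scope ID are not handled.

```python
import struct

# Type-byte meanings taken from the list earlier in the article.
SUFFIXES = {0x00: "Workstation", 0x03: "Messenger", 0x20: "Server",
            0x1B: "Domain master browser", 0x1C: "Domain controller",
            0x1D: "Subnet master browser", 0x1E: "Browser election"}

def pack_name(name, suffix):
    """15 space-padded uppercase characters followed by the 1-byte type."""
    if len(name) > 15:
        raise ValueError("a NetBIOS name carries at most 15 name characters")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])

def first_level_encode(raw16):
    """RFC 1001 encoding: every nibble becomes one letter 'A'..'P'."""
    return bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))

def first_level_decode(enc32):
    if len(enc32) != 32 or any(not 0x41 <= c <= 0x50 for c in enc32):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc32[i] - 0x41) << 4) | (enc32[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_name_query(pkt):
    """Decode the question of a NetBIOS name service packet (UDP 137)."""
    if len(pkt) < 50:                 # 12-byte header + 38-byte question
        raise ValueError("truncated packet")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("unexpected question layout")
    raw = first_level_decode(pkt[13:45])
    qtype, _qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid,
            "is_response": bool(flags & 0x8000),
            "broadcast": bool(flags & 0x0010),
            "name": raw[:15].decode("ascii", "replace").rstrip(),
            "suffix": raw[15],
            "service": SUFFIXES.get(raw[15], "unknown"),
            "qtype": qtype}

def build_sample_query(name, suffix, txid=0x1234):
    """Constructed sample: a broadcast Name Query (flags 0x0110, type NB)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + first_level_encode(pack_name(name, suffix)) + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)

SAMPLE = build_sample_query("ADS", 0x20)

if __name__ == "__main__":
    print(parse_name_query(SAMPLE))
```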
The two Registry entries that can be used to configure the name query broadcast parameters are under this Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
The broadcast entries are
BcastNameQueryCount. This entry is used to specify the number of times the system tries to send a Name Query broadcast. The default value is 3, which is adequate for networks with small to moderate network traffic loads. The parameter type is REG_DWORD.
BcastQueryTimeout. This entry is used to specify the number of seconds to wait before retrying the Name Query broadcast. The default value is 7.5 seconds and is listed in 1/100-second intervals. The parameter type is REG_DWORD.
Configuring the LMHOSTS File
On small Windows 2000 networks (with as many as 30 computers) that use NetBIOS over TCP/IP, the name resolution for computer names typically is provided by the b-node method or the LMHOSTS file. If you have WINS servers on the networks, it is not necessary to use the LMHOSTS file, except as a backup. The use of LMHOSTS is adequate for small networks, where maintaining the LMHOSTS file is a simple task. On larger networks, however, keeping the LMHOSTS files updated can become a laborious task, and you should consider other name resolution techniques, such as DNS or WINS.
NOTE
Recommendations for Reducing Network Traffic Caused by Repeated Unresolved Name Queries
If network traffic loads are consistently high and you see repetitions of the same unresolved NetBIOS name query, you should consider increasing the BcastNameQueryCount and BcastQueryTimeout parameters. For the BcastQueryTimeout parameter, increase the value by 0.5 to 1 second; for the BcastNameQueryCount parameter, increase the value by 1. You can monitor network traffic by using a protocol analyzer tool, such as Network Monitor, which comes with Windows 2000 Server and System Management Server (SMS).