Nbtstat is a Windows diagnostic tool that helps identify problems with NetBIOS over TCP/IP. Typically, it is used to find and troubleshoot NetBIOS name resolution issues. Here, we'll discuss some basic information on Nbtstat port issues, what might be causing problems on your PC, and how to fix them.
How Nbtstat works
Nbtstat typically uses the following TCP and UDP ports: two UDP ports, port 137 for name services and port 138 for datagram services, and TCP port 139 for session services. You can use several important commands to display NetBIOS information and name tables, including nbtstat -n, which shows the contents of the local PC NetBIOS name cache, and nbtstat -R, which releases names registered on the WINS server and will re-register these names.
In addition, the Nbtstat port command can show you protocol statistics and current TCP/IP connections that use NetBIOS over TCP/IP. Thus, it is a very useful way to see IP addresses and other information. You can see local caches, WINS lookups, LMHOSTS files, as well as DNS server queries with this command.
What is NetBIOS?
In essence, NetBIOS is the Network Basic Input/Output System, an implementation in Windows that allows software on different devices to communicate over a LAN.
Strange IP addresses using nbtstat may be indicative of a virus
Sometimes you might see strange IP addresses showing up on your system and be concerned such addresses are indicative of a virus. Sometimes, this is true. Sometimes, it isn’t. Basically, if you have an infected machine, you might be dealing with system DLL issues, which are calling infected routines that send out strange packets over NetBIOS.
Check your router configuration as well. Certain brands of routers sometimes behave like DHCP relay servers, and in this case the router will forward DHCP packets to IP helper addresses, along with traffic on the critical UDP ports 137 and 138, which nbtstat would show. You can easily fix this problem of forwarding NBNS packets to your DHCP server using a command as follows: “no ip forward-protocol udp 137.”
Default Windows behavior may leave systems vulnerable
The default behavior for Windows computers is to show their existence and name as well as any usernames and not require passwords to see this info. Even if your desktop doesn’t have public sharing enabled, your computer will continue to show the login name and workgroup to any device that is looking for it. Machines that have NetBIOS running on TCP/IP will listen on numerous different ports for SMB packets — and nbtstat can be used to display any devices currently running queries on an affected machine.
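To see what a machine advertises in practice, the following added example (not part of the original article) parses the name table printed by nbtstat -n and reports what each registered name discloses. The sample output is constructed, and the suffix meanings (<00>, <03>, <20>) are the standard NetBIOS suffix assignments, which the article itself does not list.

```python
import re

# Constructed sample of `nbtstat -n` output (not captured from a real host).
SAMPLE = """\
Ethernet:
Node IpAddress: [192.168.1.10] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    DESKTOP-01     <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    DESKTOP-01     <20>  UNIQUE      Registered
    ALICE          <03>  UNIQUE      Registered
"""

# Standard NetBIOS name suffixes and what each one discloses (assumed, not from the article).
SUFFIXES = {
    ("00", "UNIQUE"): "computer name (Workstation service)",
    ("00", "GROUP"): "workgroup or domain name",
    ("03", "UNIQUE"): "Messenger service name (computer or logged-on user)",
    ("20", "UNIQUE"): "file server service (shares reachable via TCP 139)",
}

# One table row: name, <hex suffix>, UNIQUE/GROUP, status.
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples from nbtstat output."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [(m[1], m[2].upper(), m[3], m[4]) for m in matches if m]

def exposure_report(text):
    """List what each registered name advertises to the LAN."""
    return [(name, sfx, SUFFIXES.get((sfx, kind), "other NetBIOS service"))
            for name, sfx, kind, status in parse_name_table(text)
            if status == "Registered"]

def shares_advertised(text):
    """True when a <20> file-server name is registered."""
    return any(sfx == "20" for _, sfx, _ in exposure_report(text))

if __name__ == "__main__":
    for name, sfx, meaning in exposure_report(SAMPLE):
        print(f"{name:<16}<{sfx}>  {meaning}")
```

A registered <20> name means the file server service is answering on this host, so it is the row to check first when deciding whether NetBIOS over TCP/IP can be disabled on an interface.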
Use nbtstat to determine which ports are in use
However, in some cases, infections can show up as an nbtstat port request that looks the same as a normal request. When nbtstat requests are answered, worms will show up on port 139 attempting to mount shares named “C” without any passwords. Then, worms can load themselves into subdirectories on vulnerable computers, including, unfortunately, the startup folder. One such malicious worm was known as network.vbs, and it could cause serious slowdown problems on different computers, even across a whole network.
Virus scanning software and protection is critical
If you are concerned about viruses on your TCP/IP configuration, it might be a good idea to run the nbtstat port command to determine what is running there, and what is being queried. This way you can determine if you’ll need virus protection software or a cleaning program to eliminate any malware running on affected machines over the network.