Troubleshooting Tools and Strategies

NBTStat is a command-line tool for troubleshooting NetBIOS name over TCP/IP (NetBT) resolution problems. It displays protocol statistics and current TCP/IP connections using NetBT.

When a network is functioning normally, NetBT resolves NetBIOS names to IP addresses. It uses several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, Lmhosts lookup, Hosts lookup, and DNS server query.

Run NBTStat from a command prompt rather than from Windows Explorer to see the resulting display.

NBTStat Syntax

The command-line syntax for NBTStat is as follows:

nbtstat [-a RemoteName] [-A IP address] [-c] [-n]

[-r] [-R] [-RR] [-s] [-S] [interval]

RemoteName Remote host machine NetBIOS name.

IP address Dotted decimal representation of the IP address.

interval Redisplays selected statistics, pausing interval seconds

between each display. Press Ctrl+C to stop redisplaying


NBTStat Switches

NBTStat removes and corrects preloaded entries using case-sensitive switches as shown in Table 31.25.

Table 31.25 NBTStat Switches




-a <NetBIOS name >

Adapter status by NetBIOS name

Returns the NetBIOS name table and media access control (MAC) address of the address card for the specified computer name.

-A <IP address >

Adapter status by IP address

Lists the same information as -a when given the target's IP address.



Lists the contents of the NetBIOS name cache.



Displays the names registered locally by NetBIOS applications such as the server and redirector.



Displays a count of all names resolved by broadcast or WINS server.



Purges the name cache and reloads all #PRE entries from LMHosts.


Release Refresh

Sends name release packets to the WINS server and starts a refresh, reregistering all names with the name server.


Sessions by NetBIOS names

Lists the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names.


Sessions by IP address

Lists the current NetBIOS sessions and their status, with the IP addresses.

[Number ]


Redisplays selected statistics at intervals specified in seconds, pausing between each display. Press CTRL+C to stop redisplaying statistics.



Displays this list.

NBTStat output is in the form of a table. For example, nbtstat -S lists the current NetBIOS sessions by IP address, including status, as in the following example:

Local Area Connection:

Node IpAddress: [] Scope Id: []

NetBIOS Connection Table

Local Name State In/Out Remote Host Input Output


TESTPC1 <00> Connected Out 6MB 5MB

TESTPC1 <00> Connected Out 108KB 116KB

TESTPC1 <00> Connected Out 299KB 19KB

TESTPC1 <00> Connected Out 324KB 19KB

TESTPC1 <03> Listening

The following example shows a sample NetBIOS name table for a client running Windows 2000 Professional on a Windows 2000 Server – based network, using the nbtstat -n command. This example shows the sixteenth byte for special names, plus the type of NetBIOS name (unique or group).

Local Area Connection:

Node IpAddress: [] Scope Id: []

NetBIOS Local Name Table

Name Type Status --------------------------------------------- WIN2KPROF <00> UNIQUE Registered NOAM <00> GROUP Registered WIN2KPROF <03> UNIQUE Registered WIN2KPROF <20> UNIQUE Registered NOAM <1E> GROUP Registered USER1 <03> UNIQUE Registered

In this example, the following NetBIOS special names are identified:

  • computer \0x00 (shown as <00> in the example) indicates the computer name associated with the Workstation service.

  • domain \0x00 indicates the domain to which this computer belongs.

  • computer \0x03 indicates the computer name associated with the Messenger service.

  • computer \0x20 indicates the computer name associated with the Server service.

  • domain \0x1E indicates that this computer can serve as a backup browser in this domain.

  • username \0x03 ** displays the user name of the account currently logged on to the computer.

Possible NetBIOS special names found in NBTStat are described in Table 31.26.

Table 31.26 Samples of NetBIOS Special Names

Special Name


Registered unique user name:



Registers the name of the user currently logged on in the WINS database so net send commands can be sent to specified user names.

Registered unique computer names:



Used by Microsoft networking workstations to receive second-class mailslot requests. This is the computer name registered for workstation services by a WINS client and is needed to receive mailslot requests.


The computer name registered for the Messenger service on a WINS client.


The name registered for the Server service on a Windows 2000–based WINS client.


The unique name registered when the Network Monitor agent is started on the computer.


The group name registered when the Network Monitor agent is started on the computer. If this name is not 15 characters in length, it is padded with plus (+) symbols.


The unique name registered for network dynamic data exchange (NetDDE) when the NetDDE service is started on the computer.

Registered group names:



Used by master browser servers to periodically announce their domain on a local subnet. This announcement contains the domain name and the name of the master browser server for the domain. In addition, master browser servers receive the domain announcements sent to this name and maintain them in their internal browse list with the announcer's computer name.


Used by workstations and servers to process server announcements to support NTLM. Servers running Microsoft Windows for Workgroups, Windows 95, Windows 98, Windows NT, and Windows 2000 do not broadcast this name unless the LMAnnounce option is enabled in the server's properties.


Used to identify the domain master browser name, which is a unique name that only the domain controller can add. The domain controller processes GetBrowserServerList requests on this name. WINS assumes that the computer that registers a domain name with the <1B> character is the domain controller. The 1B entry is resolved when the NetGetDcName function is called.


Used for the internet group name, which the domain controllers register. The internet group name is a dynamic list of up to 25 computers that have registered the name. This is the name used to find a Windows 2000 domain controller for pass-through authentication. The 1C entry is resolved when the NetGetAnyDcName function is called.


Used to identify a segment master browser (not a domain master browser). The master browser adds this name as a unique NetBIOS name when it starts. Workstations announce their presence to this name so that master browsers can build their browse list.


Used for all domain-wide announcements by browser servers in a Windows 2000–based server domain. This name is added by all browser servers and potential servers in the workgroup or domain. All browser election packets are sent to this name.