[jcifs] NetBIOS Name Table

Christopher R. Hertel crh at ubiqx.mn.org
Tue Feb 4 06:48:32 EST 2003


Careful, here.  Two or more NBT kludges are being confused.  :)

The "Called" and "Calling" names are used in the NBT Session Setup.  They
are, basically, the "Destination" and "Source" NBT addresses of the session.

The NBT Adapter Status query is supposed to return the list of all
registered NetBIOS names.  Imagine a "virtual" NetBIOS LAN Adapter (LANA,
known today as a NIC).  The "virtual" LANA is part of the (virtual) physical
layer of the NetBIOS LAN.  It keeps a table of the locally registered
addresses.

...and here is where things get kludgy...

NetBIOS names are registered by services.  One such service is the SMB
"Server Service", which does the actual filesharing.  The "Server Service"
name is generally <machine>#20 (that's the name of the machine with a suffix
byte value of 0x20).

When setting up an SMB session, the first step is typically the creation of
an NBT session (if you are using port 137 and NBT transport instead of port
445 and naked TCP transport...Geez I hate this stuff).  The NBT session is
created using the NBT Session Setup Request.  The NBT Session Setup Request
needs a source and destination address (NetBIOS names) and the Calling
(source) name is typically <client>#00 (that's the client's machine name
with a suffix byte value of 0x00).  The Called (destination) address is
typically <server>#20 (as decribed above).

Thing is, the client doesn't always know the server's machine name. 
Consider:

  smb://192.168.101.52/share/path/file.spoo

No NetBIOS name in there...

Samba doesn't actually care whether you get the Called and Calling names
right.  Samba ignores those fields.  Windows, however, likes to make sure
that the Called name matches the service you're actually trying to reach. 
(I'm afraid I have to agree with Windows on this one.)

So, given the above example...  we've got a problem.  How do we find the
correct Called name to make Windows happy?

There are three ways:

  1)  One way is to reverse-map the IP to a DNS name (or, if you had a DNS
      name in the first place, use that).  Try the first label of the DNS
      name.  If the DNS name is handy, then this will be quick.  If not,
      then you'll waste time doing a DNS reverse lookup.  Also, the DNS
      hostname of a node is *not necessarily* the same as its NetBIOS name.

  2)  Use the name "*SMBCLIENT" as the Called name.  Newer Windows systems
      allow "*SMBCLIENT"#20 as an alias for <server>#20.  Note that this
      is an *illegal* NetBIOS name under NBT and it is never registered.
      It will not show up in the Adapter Status Query Response.

  3)  Send an Adapter Status Query and look for unique names with a #20
      suffix in the response.

Okay, so one more thing...  How do you send an Adapter Status Query to a
node if you don't know it's NetBIOS name?  Well, there's yet another
"illegal" NetBIOS name: "*".  The asterisk (followed by 15 nul bytes) is the
wildcard name.  So, given an IP address, you can send an Adapter Status
query to a node using the wildcard name as the query name.

Again, the wildcard name is never registered.  If you send a name query for
that name, you will get a positive response, but the name is never listed in
the adapter status response.

None of that really addresses the issue, but it's necessary background
information.

You can find more online:  http://ubiqx.org/cifs/NetBIOS.html
...and the list of suffix byte values is at: 
http://ubiqx.org/cifs/Appendix-C.html

I also have a testing tool in C that plays with both name queries and
adapter status (node) queries:  http://ubiqx.org/libcifs/
Note that there is *no* makefule and *no* documentation on the libcifs
stuff.  It's for developers only.  If you can read C you'll be able to
figure it out.  :)

Chris -)-----

A few more in-line comments below...

andrea.lanza at frameweb.it wrote:
> 
> This question is related with the last thread ( : NetBIOS adapter status
> request )
> 
> If I would get all the netbios name table from a remote pc, wich method
> should I use ?

Send a NetBIOS Node Status Query to the node.  That will return the list of
names which the remote node has registered.

> I see that FirstCalledName represent the Netbios Name of the computer
> (or perhaps the first registered, that's the same (I guess...) )

It should be the server's NetBIOS name (base name) with a suffix byte of
0x20.

> I try to use the NextCalledName and I got
> 
> *SMBSERVER        the first time
> <NetbiosName>     the second call
> null              following calls.

Looking at Mike's code, here's what's happening:
  - If the name is a DNS name, he tries the first label.  That'll be
    firstCalledName().
  - If nextCalledName() is called, it will return "*SMBSERVER" the first
    time through, and if that doesn't work it will try doing a Node Status
    query to find the correct NetBIOS name.
  - If all else has failed, it will return NULL.

> Is there a way to reproduce the NBTSTAT information and being able to
> know all the name registered with that adapter and their functions
> (workstation name, server, messenger, domain name, users logged on,....)
> ?

If you send another Node Status (NBTSTAT) query then you'll get an
up-to-date listing from the remote node.  The meaning of the name is given
in the last byte (the suffix byte).  See the chart here:
http://ubiqx.org/cifs/Appendix-C.html

> Thanks in advance
> 
> Andrea

Hope it helps.

Chris -)-----

-- 
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org


More information about the jcifs mailing list