Netbios Over TCP/IP – Yea Or Nay

Background

Had an insomnia night last week.  And, so took to the laptop and wanted to troubleshoot an issue.

As part of that troubleshooting exercise I knew Network Traffic Pattern might be pertinent.

Wireshark

Network Traffic

Here is a sample of what I noticed while capturing Network Traffic.

Image

 

Explanation

Noticed a lot of Name Resolution Traffic.

The protocols that line up with Name Resolution issues include DNS & NBNS.

DNS stands for Domain Name Server and NBNS stands for NetBIOS Name Server.

 

Netbios Name Server ( NBNS )

Though running Windows, it is no longer a NetBEUI world.

Strictly TCP/IP.

Review Configuration

Let us review our Network Configuration on specific adapters.

As I am currently on wireless, let us focus on just the Wireless Adapter.

GUI

Here is how to do so through the GUI.

Wireless Network Connection 2

Advanced TCP/IP Settings – WINS
Image

 

Explanation

Currently, we are set to receive NetBIOS Settings from the DHCP Server; that appears to be the default MS Windows Setting.

 

Command Line Shell

And, here are a couple of options to do so via the Command Line Shell.

ipconfig

Script

ipconfig /all

Output

Explanation

NetBIOS over Tcpip is Enabled

WMI – Query – Win32_NetworkAdapterConfiguration

Script


set _hostname="."

set _propList="DHCP*,IPAddress,DefaultIPGateway,DNSDomainSuffixSearchOrder,DNSEnabledForWINSResolution,DNSServerSearchOrder,TcpipNetbiosOptions"

set _command="Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName %_hostname% | Select-Object -Property %_propList% "

powershell -Command %_command% 

Output

Explanation

  1. TcpipNetbiosOptions
    • 0
      • Default setting; remember, the default is to get the setting from the DHCP Server

 

WMI – Set – Win32_NetworkAdapterConfiguration

Let us use wmic with the nicconfig alias, calling the SetTcpipNetbios method and passing along the argument 2.

Remember, 2 means NetBIOS over TCP/IP is disabled.

Please pass along the right index, as well.

Each NIC Card has an index and it is displayed when one queries the Network Configuration.

Script

REM - Use NetBIOS setting from the DHCP server
set _netBiosSettingDHCPServer=0

REM - Enable NetBIOS over TCP/IP
set _netbiosSettingEnabled=1

REM - Disable NetBIOS over TCP/IP
set _netbiosSettingDisabled=2

set _hostname="."

REM - Index of the NIC to change, as shown when querying the Network Configuration
set _index=15

REM - Pass 2 ( disabled ) to SetTcpipNetbios
wmic nicconfig where index=%_index% call SetTcpipNetbios %_netbiosSettingDisabled%
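
Rather than hard-coding one index, the following added example (not part of the original post) walks every IP-enabled adapter, reports its TcpipNetbiosOptions value, and only changes it to 2 when asked. The file name and the -Disable switch are assumptions made for illustration; Get-WmiObject, Win32_NetworkAdapterConfiguration and SetTcpipNetbios are the same ones used above.

```powershell
# Added example, not from the original post. Save as Audit-NetbiosOverTcpip.ps1
# (hypothetical file name). Reports only, unless -Disable is given.
param(
    [string]$ComputerName = '.',
    [switch]$Disable
)

# TcpipNetbiosOptions values, matching the constants in the batch script above
$meaning = @{ 0 = 'Use DHCP setting'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
    -Filter 'IPEnabled=TRUE' -ComputerName $ComputerName

foreach ($nic in $adapters) {
    $before = [int]$nic.TcpipNetbiosOptions
    $action = 'none'

    if ($Disable -and $before -ne 2) {
        # Documented return codes: 0 = success, 1 = success, reboot required
        $rc = [int]$nic.SetTcpipNetbios(2).ReturnValue
        $action = switch ($rc) {
            0       { 'disabled' }
            1       { 'disabled, reboot required' }
            default { "failed, ReturnValue $rc" }
        }
    }

    # Re-query by Index so the report shows the value now stored for the adapter
    $now = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -Filter "Index=$($nic.Index)" -ComputerName $ComputerName
    $after = [int]$now.TcpipNetbiosOptions

    # Value 0 is not "off": when DHCP supplies no NetBIOS option, Windows
    # leaves NetBIOS over TCP/IP enabled, so only 2 counts as disabled.
    New-Object PSObject -Property @{
        Index       = $nic.Index
        Description = $nic.Description
        Before      = $meaning[$before]
        After       = $meaning[$after]
        Action      = $action
        NeedsReview = ($after -ne 2)
    } | Select-Object Index, Description, Before, After, Action, NeedsReview
}
```

Run it once without -Disable to get the report, then again from an elevated prompt with -Disable to apply the change.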

Image

 

Confirmed Change

GUI
Image

Console
Image – ipconfig /all

Wireshark – Take 2

Network Traffic

Went back to Wireshark and took another trace.

Image

Explanation

Noticed a slew of NBNS Traffic targeted at our DNS Server.

BTW, our local DNS Servers are set for “Recursion Desired”.

That way they can forward unresolved Name Resolution traffic to our ISP…Which will be most of the requests we get.

 

Remediation

Connected to each of our internal DNS Servers and disabled Netbeui Name Resolution on the NIC Cards, as well.

 

Windows DHCP

If we had a Windows DHCP Server, would have disabled that option on the DHCP Scope, as well.

 

Wireless Access Point ( WAP )

I doubt that our Wireless Access Point supports DHCP and so will skip that step for now.

 


 

GlassWire on Windows 7

Background

The other Network Monitoring tool that we found on the Net is GlassWire.

Unfortunately, it is not going to be much help for our Lab as the currently available versions do not support MS Windows 2003; and most of our Lab servers run that OS.

 

Download & Install

Downloaded GlassWire from here.

Though, can not install it on our Lab Servers, went ahead and installed it on my work laptop.

 

Usage

Eye Candy

The tool is stunning eye candy.

It makes one forget the reason for installing it in the first place.

 

Usage

Day ( Monday April 3rd 2017)

Image

Usage_Day_20170403_0602PM (BrushedUp)

 

Explanation

Got off work @ 5 PM

  1. And, already ate up 1.3 GB of Network IO
    • 1.2 GB incoming
    • 143 MB outgoing
  2. Apps
    • Google Chrome (99% )
    • Remote Desktop
    • SQL Server
    • Reporting Services Service
  3. Hosts
    • where else but googlevideo.com ( better known as YouTube )
  4. Traffic Type
    • HTTPS ( 90% )
    • HTTP ( 10% )

 

Week ( Monday March 27th to April 3rd 2017)

Image

Usage_Week_20170327_12AM__20170403_0621PM (Cropped Up)

 

Explanation

Between a week back and today, here is what our stats look like:

  1. And, already ate up 1.3 GB of Network IO
    • 5.9 GB incoming
    • 532 MB outgoing
  2. Apps
    • Google Chrome ( 72% )
    • Mozilla Firefox ( 25% )
    • SQL Server Windows NT
    • SSMS
    • Reporting Services Service
  3. Hosts
    • vimeovideo
    • where else but googlevideo.com ( better known as YouTube )
    • akamai
  4. Traffic Type
    • HTTPS ( 77% )
    • HTTP ( 10% )
    • Other ( 8.5% )
    • SQL ( 3% )

 

Summary

GlassWire is very capable and it is easily accessible.

NetBalancer – v5.2 – Windows Server 2003

Background

Confessionally, I am stuck on MS Windows 2003 on my Lab computers.

I like it and it works well.

Just like that other guy who stayed on Windows XP.

 

ISP

Paying Me

Either way, my ISP is letting me know that I only have 2 months grace.

And, after this last month, they will be charging me every time I go over my allotted Network.

 

ISP Help

Tried to get them to help me to locate which server, what type of traffic, and which hosts I was talking to.

But, 3rd level support, kept asking me to just go up to next tier.

And, also lest I forget, wanted me to get off my router and get on theirs.

 

Tools for Computer Network Monitoring

MS Windows 2008 comes with a nice Resource Monitor tool that allows one to monitor Network Usage at the individual process level.

Again, unfortunately, MS Windows 2003 does not come with Resource Monitor.

 

Networking Monitoring for Windows 2003

Thankfully found NetBalancer by SeriousBit.

 

 

NetBalancer

Download List

Here is the download list for NetBalancer from here.

 

Version

v5.2.1

Unfortunately, for MS Windows 2003, I have to use v5.2.1.

 

Downloaded & Installed

Downloaded & Installed it.

 

Usage

 

DNS

System Traffic

Image

Explanation
  1. Please review Current, Average, Maximum, Total
    • Broken down by Download & Upload
  2. Process Name
    • svchost.exe

 

Process Info

Image

 

Explanation
  1. Name : dns.exe
  2. Version :- 5.2.3790.4957 (srv03_sp2_gdr)
  3. File Creation Time :- 1/30/2012 4:39:57 AM
  4. Company :- Microsoft Corporation
  5. Started at : 4/2/2017 9:00:11 PM
  6. Parent :- services.exe ( 488 )

Connections

Image

Explanation
  1. TCP
    • We are listening on one of the Ports
  2. UDP
    • We have several UDP ports that are just waiting to be used

 

TroubleShooting

Stats

Count Number of Ports assigned to DNS

Code

netstat -anb | find /I "dns.exe"  /c



Output

Configuration

How many DNS Ports are we configured for

Code

dnscmd /Info /SocketPoolSize

Output

 

Summary

It does not seem that the DNS Server is the source of our network hog.