Trace of NetBIOS Port Activity


This is a detailed look at the broadcast NetBIOS traffic to UDP ports 137 and 138 over a period of 35 minutes on a small routed subnet. It documents that Windows machines do in fact advertise themselves via subnet broadcasts, rather than via directed datagrams as described in the NT Resource Kit's Networking book.

Host Announcements

Hosts on the local wire that have shares available broadcast their host announcements.

Frequency: Approximately every 15 minutes.

22:56:25.555397 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:05:22.645397 128.2.6.66.138 > 128.2.255.255.138: NBT UDP PACKET(138)
23:11:25.105397 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:17:24.245397 128.2.6.66.138 > 128.2.255.255.138: NBT UDP PACKET(138)
23:26:24.735397 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:29:26.025397 128.2.6.66.138 > 128.2.255.255.138: NBT UDP PACKET(138)

Workgroup Announcements

Local Browse Masters broadcast what workgroups they know, so that others know what workgroups are out there:

Frequency: Approximately every 15 minutes.

22:58:24.875397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:13:24.595397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:28:24.245397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)

Local Master Announcements

Local Browse Masters then announce that they are available for the specified workgroups:

Frequency: Approximately every 12 minutes.

23:02:42.375397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:14:40.975397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
23:26:41.095397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)

WINS Resolution

The Win95 machine resolves the NetBIOS name of the Local Master Browser, after which it downloads the workgroup's browse list. (This download occurs on another port, so it does not appear here.)

The frequency of these downloads may be directly related to the frequency of the local master announcements.

23:03:38.245397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
23:03:38.255397 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)

23:15:39.135397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
23:15:39.145397 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)

23:27:39.995397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
23:27:40.005397 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)

Other

I stopped the network monitor, and that resulted in a NetBIOS name release:
23:30:27.205397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
23:30:27.285397 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
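
The announcement intervals and the broadcast/directed split can be measured directly from the trace lines above. The following is an added example, not part of the original page: it parses the page's tcpdump lines (for WINS, the requests only) and reports the mean gap per sender. The section labels, the function names, and the 128.2.6.0/24 and 128.2.0.0/16 networks used to recognize broadcast destinations are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: networks inferred from the trace's two broadcast destinations.
BROADCASTS = {ip_network(n).broadcast_address for n in ("128.2.6.0/24", "128.2.0.0/16")}

# tcpdump lines from the page; the leading section label is added here.
TRACE = """\
host 22:56:25.555397 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
host 23:05:22.645397 128.2.6.66.138 > 128.2.255.255.138: NBT UDP PACKET(138)
host 23:11:25.105397 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
host 23:17:24.245397 128.2.6.66.138 > 128.2.255.255.138: NBT UDP PACKET(138)
host 23:26:24.735397 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
host 23:29:26.025397 128.2.6.66.138 > 128.2.255.255.138: NBT UDP PACKET(138)
workgroup 22:58:24.875397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
workgroup 23:13:24.595397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
workgroup 23:28:24.245397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
master 23:02:42.375397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
master 23:14:40.975397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
master 23:26:41.095397 128.2.6.95.138 > 128.2.6.255.138: NBT UDP PACKET(138)
wins 23:03:38.245397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
wins 23:15:39.135397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
wins 23:27:39.995397 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
"""

LINE = re.compile(r"(\w+) (\d\d:\d\d:\d\d\.\d+) ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+):")

def parse(trace):
    """Yield (label, time, src_ip, dst_ip, dst_port) for each trace line."""
    for m in LINE.finditer(trace):
        label, ts, src, _sport, dst, dport = m.groups()
        yield label, datetime.strptime(ts, "%H:%M:%S.%f"), src, dst, int(dport)

def summarize(trace):
    """Map (label, src, delivery kind, dst port) -> mean gap in minutes."""
    seen = defaultdict(list)
    for label, when, src, dst, dport in parse(trace):
        kind = "broadcast" if ip_address(dst) in BROADCASTS else "directed"
        seen[(label, src, kind, dport)].append(when)
    out = {}
    for key, times in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = round(sum(gaps) / len(gaps) / 60, 1) if gaps else None
    return out

if __name__ == "__main__":
    print(*sorted(summarize(TRACE).items()), sep="\n")
```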

Raw Data
nb-ports.tcpdump
Verbose Decoded Data
nb-ports.verbose.txt

Ryan Troll
Last modified: Tue Sep 8 10:42:43 EDT