Solved

Interpreting the output of NBTSTAT

Posted on 1998-03-29
8
2,837 Views
Last Modified: 2013-12-23
I am looking for more information on the poutput of nbtstat.

I have the following output from a machine which is having some trouble "talking" to the PDC.

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MAC Address = 00-00-C1-10-B8-BB

NTBACKUP       <00>  UNIQUE      Conflict
NTBACKUP       <20>  UNIQUE      Registered
QCAT           <00>  GROUP       Registered
QCAT           <1C>  GROUP       Registered
NEXUS          <00>  GROUP       Registered
QCAT           <1E>  GROUP       Registered
NTBACKUP       <03>  UNIQUE      Registered
NTBACKUP       <01>  UNIQUE      Conflict

What does the number in the < > mean (or should I say what is the significance?) as I am aware that ther are the last byte of the 16 byte NetBIOS name or some such thing.  Is the "Conflict" message a problem and how do I solve it.  There IS NOT any other machine on the network with the same MAC address OR with the same IP, so please don't go down that path, we've already followed that one.
0
Comment
Question by:tvanlint
8 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 1571662
The column headings generated by the Nbtstat utility have the following meanings.

Input - Number of bytes received.

Output - Number of bytes sent.

In/Out - Whether the connection is from the computer (outbound) or from another system to the local computer (inbound).

Life - The remaining time that a name table cache entry will live before it is purged.

Local Name - The local NetBIOS name associated with the connection.

Remote Host - The name or IP address associated with the remote computer.

Type - Refers to the type of name. A name can either be a unique name or a group name.

<03> - Each NetBIOS name is 16 characters long. This last byte often has special significance since the same name may be present several times on a computer differing only in the last byte. This notation is simply the last byte converted to hexadecimal. <20> is a space in ASCII for example.

State - The state of NetBIOS connections.

Please refer NT's help for more information.
0
 
LVL 1

Author Comment

by:tvanlint
ID: 1571663
Gee, didn't I say "I am aware that ther are the last byte of the 16 byte NetBIOS name or some such thing" (as I got exactly what was echoed by bbao via the online help.) As I said in the next section I am looking for "Is the "Conflict" message a problem and how do I solve it.  There IS NOT any other machine on the network with the same MAC address OR with the same IP, so please don't go down that path, we've already followed that one." as I am having troubles with the machine that is reporting a "conflict"

0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 1571664
Do you have another computer called Ntbackup on the same network? For exampe, a Netware server?
0
 
LVL 1

Author Comment

by:tvanlint
ID: 1571665
I have already said "There IS NOT any other machine on the network with the same MAC address OR with the same IP" and I though having said that it would be implicit that ther eis also no other machine on the network with the same NetBIOS name or Internet node name.  If you cannot answer my question bbao (that is what the significance of the conflict message is and how the NBTSTAT output should be interpretted, then I suggest you cease responding!
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 2

Expert Comment

by:moellert
ID: 1571666
Here is a small answer from MS I found in the KB. Interesting is the last sentence ( I marked it with several !!! ).


On your Windows NT computer, you may receive the following event log
message in Event Viewer:
 
   Event ID: 4320
   Source: NetBT
 
CAUSE
=====
 
This message is caused when another computer sends a name release message
to your computer. The most likely reason for this is that a duplicate name
has been detected on the network.
 
MORE INFORMATION
================
 
Use the NBTSTAT -N command to see the name of the computer in the conflict
state. The IP address of the node that sent the message is in the data
returned by this command. The following example shows what the data may
look like in one of these events:
 
   0000:   00   00   04   00   01   00   54   00
   0008:   00   00   00   00   e0   10   00   c0
   0010:   00   00   00   00   00   00   00   00
   0018:   00   00   00   00   00   00   00   00
   0020:   00   00   00   00   00   00   00   00
   0028:   e7   1a   65   16
 
Offset 28 is the IP address of the computer requesting name release. To
determine the decimal IP address, invert the four hexadecimal numbers and
convert them to decimal numbers separated by periods. Using this method,
the IP address of E7 1A 65 16 becomes 22.101.26.231.
 
The status column of the NBTSTAT output for the computer in conflict should
contain either "Conflict" or "Released."
 
You can run the NBTSTAT -A command with the IP address to get the computer
name.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!! NOTE: This error message is generated in many cases due to !!!!! normal circumstances, and should not be cause for alarm.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 1571667
tvanlint, I suggest you cease responding too before you carefully read my post! I mean the computer name, not any MAC address or IP address!

In addition, courtesy is a requirement at such a site for discussing technical problem, and the experts here are not dedicated to earn points, are to do help!

BTW, I would do any responding as I like. :-)))
0
 

Expert Comment

by:beacom
ID: 1571668
I don't know if this is any help.....
<00> is the registered name on the WINS client of the Workstation Service
<03> is the registered name on the WINS client of the Messenger Service
<20> is the registered name on the WINS client of the Server Service

0
 
LVL 2

Accepted Solution

by:
tonp earned 200 total points
ID: 1571669
First, here's a list of what the numbers mean:

Unique Names
<computername>[00h]      Workstation Service
<computername>[03h]      Messenger Service
<computername>[06h]      RAS Server Service
<computername>[1Fh]      NetDDE Service
<computername>[20h]      Server Service
<computername>[21h]      RAS Client Service
<computername>[BEh]      Network Monitor Agent
<computername>[BFh]      Network Monitor Application

<username>[03]              Messenger Service

<domain_name>[1Dh]      Master Browser
<domain_name>[1Bh]      Domain Master Browser

Group Names

<domain_name>[00h]      Domain Name
<domain_name>[1Ch]      Domain Controllers
<domain_name>[1Eh]      Browser Service Elections

If you see a conflict for a certain name or service, it means that the NetBIOS name registration has detected a different IP number with the same NetBIOS name. This can have various causes. For example, normally, NBT handles multihomed machines as a special case (obviously they have multiple IP numbers for the same netbios name). If this specific machine is wrongly configured (for example with a special networking emulating device that is not properly recognised as a multihomed machine) it could lead to this error.

Secondly, since the (conflicting) number 01h (UNIQUE) is not documented, this could also be the root of the problem. See if some other machines have the same number listed. If not, this is probably the cause of the conflict. You should then reinstal your network protocols, to make sure this number disappears.

Ton


I would suggest that you switch of this specific machine and try to determine (with nbtstat -a) if there's a different machineon the net with teh same netbios name.

0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

FIPS stands for the Federal Information Processing Standardisation and FIPS 140-2 is a collection of standards that are generically associated with hardware and software cryptography. In most cases, people can refer to this as the method of encrypti…
This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now