Solved

Netbios-NS packet capture

Posted on 2011-02-16
6
1,449 Views
Last Modified: 2012-05-11
I am using Wireshark to capture network traffic from an Windows XP workstation that makes an HTTPS conection to a remote host.   In the packet capture I can see Netbios name query broadcasts to the remote host.  I was hoping the packet capture would also show me what name the query was being performed against but the packet just shows zeros.   Is there a way for me to determine what name was queried?

Capture.PNG
0
Comment
Question by:AManoux
  • 4
  • 2
6 Comments
 
LVL 12

Accepted Solution

by:
Sommerblink earned 250 total points
ID: 34914103
Well.

The fact that you see NetBIOS queries going from the client to the server is telling me that you have a DNS problem.

In the real-world (eg: going to www.google.com, etc), you do not rely on NetBIOS for any name resolution.

Typically, when Windows (especially any version of windows which is still actively supported by Microsoft) resorts to NetBIOS for name resolution... it means that your client has no other way to resolve the name. (Please see http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c76296fd-61c9-4079-a0bb-582bca4a846f, chapter 7)

So, besides the fact that you are seeing a NetBIOS packet while attempting to go to a website, what else is wrong?
0
 
LVL 1

Author Comment

by:AManoux
ID: 34918929
Thanks Sommerblink.
I agree, I have a feeling there is a DNS issue going on but I don't know where to start troubleshooting without knowing what host name the XP machine is having trouble with.  If I can't find out the host name via the Netbios request, how else can I determine it?
Everything is functioning with the HTTPS request to the website and the website page being accessed.  It just hangs for 3-5 seconds while the Netbios name lookup occurs and then times out.  
0
 
LVL 1

Author Comment

by:AManoux
ID: 34919398
Attaching more of the Wireshark capture for added information
Capture2.PNG
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 12

Expert Comment

by:Sommerblink
ID: 34982812
Sorry for the delay.

Anyway, you can try to simply disable NetBIOS on that network card / network connection (if its VPN or whatnot).

Simply go to the network card / network connection, go to properties, IPv4 properties, then go to the advanced button.

On the WINS tab, place a radio dot next to Disable NetBIOS over TCP/IP.

Let see if this makes your queries go away without breaking anything else.

If it does, then at least you've got some new information.
0
 
LVL 1

Assisted Solution

by:AManoux
AManoux earned 0 total points
ID: 34982922
Thanks for getting back to me.  Sine my last post I belive I've discovered the cause of the issue.
Client SSL implementations often try to reverse DNS lookup the IP of the connection to try and validate the DN of the certificate presented during the SSL handshake.  Because there was no PTR DNS record for the hostname my client dropped back to using Netbios broadcasts. The lack of the PTR record didn't stop the SSL connection from occuring, it just slowed it down at the beginning while it tried to resolve the certificate host name.  
0
 
LVL 1

Author Closing Comment

by:AManoux
ID: 35015566
Solved my own issue
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Have you ever set up your wireless router at home or in the office to find that you little pop-up bubble in the bottom right-hand corner of Windows read "IP Conflict - One of more computers on the network have been assigned the following IP address"…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question