Using the nbtstat Utility

Using the nbtstat Utility
You’ll remember from the last chapter that NetBIOS associates names with workstations. But NetBIOS is only an upper-layer interface and requires a transport protocol. In many cases, TCP/

IP is used. You use the nbtstat utility to do the following:

• Track NetBIOS over TCP/IP statistics
• Show the details of incoming and outgoing NetBIOS over TCP/IP connections
• Resolve NetBIOS names

Because NetBIOS name resolution is primarily a Windows network issue, the nbtstat command is available only in Windows-based operating systems.

To display a basic description of nbtstat and its associated options, type nbtstat at the command line. You’ll use these options to configure the display of information about NetBIOS over TCP/IP hosts. Here are some of the switches you can use:

–a                 –A

–c                   –n

–r                   –R

–S                   –s

TIP

All nbtstat switches are case sensitive. Generally speaking, lowercase switches deal with NetBIOS names of hosts, and uppercase switches deal with the TCP/IP addresses of hosts.

Read More

The –p Switch

The –p Switch
Like the –n switch, the –p switch is a modifier. Typically used with the –s switch (discussed earlier),
it specifies which protocol statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only ICMP statistics, you use the –p switch like so:
netstat –s –p ICMP

The netstat utility then displays the ICMP statistics instead of the gamut of TCP/IP statistics that the –s switch normally produces.

Real World Scenario ......
Uses for netstat

You might be saying to yourself, “OK. Fine…I can use lots of cool switches with netstat, but what is it good for, really?” I’m always finding uses for netstat. One time, I found a particularly nasty worm on my PC using netstat. Being the geek that I am, I just happened to run netstat for giggles one day and noticed a very large number of outbound connections to various places on the Internet. It was sending out SYN packets to a large number of hosts (an indication that my computer was involved—unknowingly—in a large-scale denial of service attack). Upon furtherexamination, I noticed that this activity would start shortly after bootup.

I tried running netstat after bootup and noticed that the first outbound connection was to TCP port 6667 to some IRC server I’d never heard of (I didn’t even have an IRC client on my machine at the time). It was particularly nasty to try to get rid of while active, so I turned off port 6667 on my firewall. That prevented the initial connection to the IRC server (and, as I found out later,prevented the worm from getting its instructions from the IRC server) and I was then able to remove it. I would have never found out that this worm was working without netstat. My antivirus program even missed it.

Read More

The –n Switch

The –n Switch
The -n switch is a modifier for the other switches. When used with other switches, it reverses the natural tendency of netstat to use names instead of network addresses. In other words,
when you use the –n switch, the output always displays network addresses instead of their associated network names. Following is output from the netstat command and then the netstat -n command, showing the same information but with IP addresses instead of names:

Read More