Visualize Netbios WINS requests per client?


#1

These parameters essentially determine the picture of your conventional “network environment”. For this purpose, “NetBIOS over TCP/IP” is required. Don't you think so? Then please turn off “NetBIOS over TCP/IP” and look at the contents of your “network environment”.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Remark on older operating systems:
Older operating systems are able to ignore parameters. For example, NT4 (Workstation) seems not to respond to the Name Server Query Count parameter. The default value is 3. When this is changed to, for example, 1, NT4 nevertheless makes 3 request cycles. BcastNameQueryCount, in contrast, is accepted without hesitation. Higher operating system versions do not show this behavior for the name server parameters.

Standard values:
BcastQueryTimeout: 750 (milliseconds)
BcastNameQueryCount: 3
NameSrvQueryTimeout: 1500 (milliseconds)
NameSrvQueryCount: 3

What is the request behavior of a WINS client (Node Type: 8)?

A resolution is complete when it is “successful” or when the timeouts have expired with the result “unsuccessful”.
How long does it take in case of non-resolution? First a WINS server request, afterwards three broadcast requests for the desired name. If things go well, the client sends the requests in quick succession.
Sending the request three times by broadcast increases the chance that it will be “heard” by another device and that this device responds.

Case A: The WINS server is configured and responds quickly.
The time from NameSrvQueryTimeout is negligible.
The determining factor will be BcastQueryTimeout (between 750 ms and 2250 ms) per search operation.

Case B: The WINS server is configured and cannot respond positively.
Now the times from NameSrvQueryTimeout are added to BcastQueryTimeout.

Is it possible to visualize WINS requests over time?


#2

Puschmann, to your question

Is it possible to visualize WINS requests over time?

According to this resource, WINS uses a unicast form of the NetBIOS Name Service (NBNS) protocol. We don’t provide built-in analysis of NBNS, however with our Universal Payload Analysis (UPA) feature and the relevant RFC for the protocol spec, you could likely parse out the elements of WINS traffic that are interesting to you and record them as metrics in ExtraHop.
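What parsing NBNS per the RFC involves, as an added example that is not part of the original post and is not ExtraHop or UPA code: plain Python that decodes a name query request (header flags and first-level encoded name, RFC 1001/1002) and counts requests per client per time bucket, split into unicast (WINS) and broadcast. The function names, record tuples, addresses and timestamps are constructed for illustration.

```python
import struct
from collections import Counter

def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 15 chars + suffix byte, two letters per byte."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def build_query(txid, name, broadcast):
    """Build a constructed name query request (opcode 0, RD set) as test input."""
    flags = 0x0100 | (0x0010 if broadcast else 0)  # B bit set on broadcast queries
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question

def parse_query(payload):
    """Return (name, suffix, is_broadcast) for a name query request, else None."""
    if len(payload) < 50:  # 12-byte header + 34-byte name + type + class
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    is_response, opcode = flags & 0x8000, (flags >> 11) & 0xF
    if is_response or opcode != 0 or qdcount < 1 or payload[12] != 0x20:
        return None
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        return None  # not a valid first-level encoded name
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], bool(flags & 0x0010)

def requests_per_client(records, bucket_s=60):
    """Count name query requests per (bucket start, client, 'wins' | 'broadcast')."""
    counts = Counter()
    for ts, src, payload in records:
        query = parse_query(payload)
        if query:
            kind = "broadcast" if query[2] else "wins"
            counts[(int(ts // bucket_s) * bucket_s, src, kind)] += 1
    return counts

# Constructed capture records: (seconds since start, source IP, UDP/137 payload).
SAMPLE = [
    (0.0, "192.0.2.10", build_query(1, "FILESRV01", False)),
    (1.5, "192.0.2.10", build_query(2, "FILESRV01", True)),
    (2.25, "192.0.2.10", build_query(2, "FILESRV01", True)),
    (3.0, "192.0.2.10", build_query(2, "FILESRV01", True)),
    (61.0, "192.0.2.11", build_query(7, "PRINTER", False)),
]
```

Calling `requests_per_client(SAMPLE)` yields one WINS and three broadcast requests for 192.0.2.10 in the first minute and one WINS request for 192.0.2.11 in the second; the resulting counter can be fed to any plotting or metrics tool.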


#3

Hello @puschmann

If you don’t need to strictly call out an NBNS (or WINS) request/response (which would require Layer-7 parsing as @shaundavid notes), and just want to know “who is talking WINS”, you can dive into Networks and look at L7 Protocols > Details.

Filtering for 137 will turn up any UDP or TCP 137 that is present for the time period selected (“last 30 minutes” or some other).

Clicking udp:137 would give you the list of systems sending/receiving NBNS/WINS traffic.

Hope this helps!