NetBIOS – CompTIA Security+ SY0-401: 1.4

The NetBIOS family of protocols has been used for years for many different purposes. In this video, you’ll learn about various forms of NetBIOS and how they are used in today’s technologies.

<< Previous Video: Storage Area NetworkingNext: Common Network Ports >>

NetBIOS stands for Network Basic Input/Output System and it’s a technology that has been around for a very, very long time. Technically, NetBIOS is an API, it’s an application programming interface. It’s a structure that developers can use to create applications that will use the standard way of communicating across the network.

It is something that we’ve seen implemented in the Windows operating system, most recently using something called NetBEUI, that stands for NetBIOS Enhanced User Interface. Sometimes, you’ll see this referred to as NetBIOS Frames or NBF. This was a type of communication that Windows used to talk between systems but it was used prior to Windows XP and it was not routable. If you wanted to use this technology you had to all be on the same subnet and, obviously with our very distributed and diverse networks, being able to communicate on a single subnet was very limiting. Microsoft updated this communication mechanism to use NetBIOS over TCP/IP. You’ll see this also referred to as NBT. This is what you will see if you look at how Windows is communicating between devices because it’s putting the NetBIOS information within a TCP/IP packet. Because of that we’re able to then route outside of our subnet if we need to.

You’ll see different protocols used for NetBIOS. You’ll see the name service being used on UDP/137 and occasionally on TCP port 137. There’s also a datagram service, which allows Windows to transfer information over a connectionless communication and, as that implies, it’s using UDP over port 138 to do that. There’s also a connection-based mechanism that Windows can use to transfer information and it is a Session Service, where you are setting up a session between devices. This is then going to use TCP over port 139 to accomplish that.

If you wanted to see some of this NetBIOS transferring across the network, you could bring up a Wireshark session and just start gathering information and if there is a Windows device on the network you will almost certainly be able to capture some information very shortly. In fact, I did this very thing 36 seconds into this trace file. I gathered a lot of NetBIOS communication between Windows systems and I’ve highlighted this single packet here which shows this browser protocol within NetBIOS that’s communicating. There’s a host announcement of the host Prometheus on my network. And you can see that it is a TCP/IP packet. You can see that it’s running on this ethernet connection. The source IP connection is and it’s communicating out as a broadcast to the network over This particular packet is using the user datagram protocol, or UDP, UDP port 138, so we know that this is going to be a connectionless communication and we can see that it is indeed using the NetBIOS datagram service because that is the datagram service that runs over UDP port 138. And as we look at the decode we can even see that this is a host announcing itself to the network. This particular host name is Prometheus and it happens to be in a workgroup called SGC.

There’s a number of different types of communications that NetBIOS uses in Windows to transfer files, to announce itself to other machines, to be able to communicate out on work groups and domains, and it uses this NetBIOS protocol to be able to accomplish all of that, all of it running on TCP/IP.