...

no warranty,
expressed or implied...
relevant disclaimer
NetBIOS Name Sufx Bytes B.1
The table below classies NetBIOS names according to their base names, the
sufx byte, and their status as a unique or group name. The list was gathered
from sources scattered around the Internet, old documentation, and hear-say.
There are many references out there, and a good deal of variation among them.
As usual, what is available is at times both contradictory and incomplete. As a
result, the information presented below should be viewed with suspicion. If
you have updates or comments which you can share freely, please send them
to [email protected].
Service/Description Group/Unique Sufx Name Format
Workstation Service
Known as the NetBIOS Computer Name
or the Client Service Name because it is
typically sent as the CALLING NAME
(NBT source address) in NBT Session
requests.
unique <00> machine
B
Known NetBIOS Suffix
Values
439
Service/Description Group/Unique Sufx Name Format
Some of the documentation indicates that
the purpose of the Workstation Service is
to receive mailslot messages directed at the
node.
Messenger Service
Under some versions of Windows, this
name is registered by the Messenger
Service and used as the CALLING NAME
(NBT source address) when creating an
NBT session with the Messenger Service
on another node.
Not all implementations use this
name as the CALLING NAME when setting
up a Messenger Service session. Samba
uses the machine<00> name, and
Windows 2000 uses the machine<03>
name.
unique <01> machine
Messenger Service
This name is registered by the Messenger
Service, which is used to exchange
WinPopup messages. Like the Server
Service, the Messenger Service speaks SMB
protocol, but it uses a different set of SMB
messages and is a distinct service.
When creating an NBT session, the
Messenger Service client uses either the
username<03> or machine<03> name as
the CALLED NAME (NBT destination
address) in the NBT SESSION
REQUEST. The choice, of course, depends
upon whether the message is being sent to
a user or a node.
Some, but not all, implementations
of the Messenger Service client will also
use the clients machine<03> name as the
CALLING NAME in the NBT SESSION
REQUEST.
unique <03> machine
See also machine<01> and username<03>.
Part IV Appendices 440
Service/Description Group/Unique Sufx Name Format
RAS Server Service unique <06> machine
NetDDE Service unique <1F> machine
File Server Service
This, of course, is the Server Service,
which is the primary recipient of SMB
connections. SMB services may be offered
under any name, but this is the standard.
Clients expect that the Server Service
name will have a sufx value of 0x20.
unique <20> machine
RAS Client Service unique <21> machine
Microsoft Exchange unique <22> machine
Microsoft Exchange unique <23> machine
Microsoft Exchange unique <24> machine
Lotus Notes Server Service group <2B> machine
Modem Sharing Server Service unique <30> machine
Modem Sharing Client Service unique <31> machine
McAfee anit-virus
Several sites list this sufx as being used
by McAfee (or, incorrectly, McCaffee)
anti-virus software, but no further
documentation was found to support the
claim. The information may be out of
date.
unique <42> machine
SMS Client Remote Control unique <43> machine
SMS Administration Remote Control
Tool
unique <44> machine
SMS Client Chat unique <45> machine
SMS Client Remote Transfer unique <46> machine
DEC Pathworks TCP/IP Service for
Windows NT
unique <4C> machine
DEC Pathworks TCP/IP Service for
Windows NT
unique <52> machine
Microsoft Exchange unique <6A> machine
Microsoft Exchange unique <87> machine
441
B Known NetBIOS Suffix Values
Service/Description Group/Unique Sufx Name Format
Network Monitor Agent
Microsofts Network Monitor (NetMon)
is split into two pieces: the Agent and
the Client Application.
The agent does the work of
capturing packets, and the NetMon client
provides the user interface. The advantage
of this architecture is that agents and
clients may run on separate machines. A
single NetMon client can, therefore, have
access to the capture services of multiple
agents, scattered all around an intranet (or,
in theory, the Internet). Putting aside the
obvious security problems associated with
having live capture agents on networks,
this can be useful for testing and
monitoring purposes.
The Network Monitor Agent name is
composed of the machine name padded
with the value 0xBE (rather than the
normal space padding) and ending with a
sufx value of 0xBE. Microsofts
nbtstat utility has a strange habit of
displaying this special padding character
as a plus sign (+).
unique <BE> machine
Network Monitor Client Application
The Network Monitor Client Application
is the GUI front-end that is used to
control, lter, and display NetMon
captures.
The Network Monitor Client name
is composed of the machine name padded
with the value 0xBF (rather than the
normal space padding or the 0xBE value
used by the agent) and ending with a sufx
value of 0xBF. Microsofts nbtstat
unique <BF> machine
Part IV Appendices 442
Service/Description Group/Unique Sufx Name Format
utility still has a strange habit of displaying
this special padding character as a plus sign
(+).
The NetMon NetBIOS names may
not be in use any longer. Newer versions
of NetMon (starting with 2.0?) appear to
use a different mechanism for
communicating.
LAN Manager Browse Service
This name is a remnant of an older
Browse List distribution mechanism.
There are still references to the older
system in documents such as the
Leach/Naik Internet Draft for Browsing
(draft-leach-cifs-browser-spec-00.txt),
copies of which can be found by searching
the web.
group <00> workgroup
Domain Master Browser
This name identies the Domain Master
Browser (DMB).
A Samba server can behave as a
DMB without also being a Primary
Domain Controller (PDC). The existence
of a PDC promotes the Workgroup to the
status of an NT Domain, in which case
we write nt_domain<1B> instead of
workgroup<1B>. If there is a PDC, it must
provide the DMB service for the NT
Domain.
Domain Controllers (both Primary
and Backup) register the nt_domain<1C>
Internet Group name. Registration of the
nt_domain<1B> name effectively
distinguishes the PDC from all other DCs
in the domain. The NBNS will ensure that
the IP address of the (unique) <1B> name
is the rst in the list of IP addresses.
unique <1B> workgroup or
nt_domain
443
B Known NetBIOS Suffix Values
Service/Description Group/Unique Sufx Name Format
Domain Controller
Every domain controller in the NT
Domain will register this group name. The
NBNS (WINS server) is expected to store
all of the IP addresses associated with the
name, though it will report at most 25 IP
addresses in a NAME QUERY RESPONSE.
The rst entry in the list should be
the IP address of the Primary Domain
Controller (PDC). The rest of the IPs are
ordered most recent rst. This is atypical
handling for group names under WINS.
WINS (and, therefore, any NBNS which
is WINS-compatible) will usually report
only the limited broadcast address
(255.255.255.255) when queried for a
group name.
Internet
Group_
<1C> nt_domain
Local Master Browser
This name identies the Local Master
Browser (LMB, sometimes called simply
Master Browser) for a subnet. A WINS
server (and an NBNS which is
WINS-compatible) will accept registration
for <1D> unique names, but when
queried, will always reply with a
NEGATIVE NAME QUERY RESPONSE.
As a result, the LMB name is unique
within its local subnet only.
LAN unique <1D> workgroup
Browser Election Service
Every node that is capable of acting as a
browser registers this group name so that
it can listen for election announcements.
group <1E> workgroup
Part IV Appendices 444
Service/Description Group/Unique Sufx Name Format
Local Master Browser
This group name is registered by all Local
Master Browsers (LMBs). It allows LMBs
on a local LAN to nd one another in
order to exchange Browse Lists. This is
how Browse Lists for multiple
Workgroups and/or NT Domains are
combined.
\x01\x02__MSBROWSE__\x02
group <01>
Messenger Service
This name is used in the same way as
machine<03> described above. A client
opens an SMB connection to the
Messenger Service (just as would be done
with the Server Service) and uses SMB
protocol to send the body of the message.
The client that displays these messages is
known as WinPopup, and there are
dozens of third-party implementations out
there.
Some Microsoft documentation lists
this name as a group name, which would
be nice. Unfortunately, in practice the
name is a unique name which means that
a single user logged on to multiple
machines can only receive messages (sent
to the username) on one of those machines.
See also machine<01> and
machine<03>.
unique <03> username
User Dened
This name type was probably
introduced with Windows 2000. Group
names with a sufx byte value of 0x20
can be dened as Internet Group names,
which means that the NBNS must report
up to 25 IP addresses per name when
queried. The 0x20 Internet Group names
are used to identify groups of systems for
administrative purposes.
Internet
Group_
<20> internetgroup
445
B Known NetBIOS Suffix Values
Service/Description Group/Unique Sufx Name Format
Wildcard Name
The wildcard name is composed of an
asterisk (*) followed by fteen nulls (the
last of which is the sufx byte). This name
is never registered, so it is neither a unique
nor a group name. The wildcard name
may be used when sending NBT NAME
QUERY REQUEST and NODE STATUS
REQUEST messages.
unspecied <00> *
File Server Service
This name is never registered (it begins
with an asterisk and is, therefore, an illegal
name under NBT). Many
implementations, however, will accept it
as a valid CALLED NAME in an NBT
SESSION REQUEST message.
unspecied <20> *SMBSERVER
Internet Information Server
This name is registered by IIS servers and
handled as an Internet Group name. Note
that the name is in mixed UPPER/lower
case. It is, in fact, encoded that way, which
is a little awkward.
1
[Internet]
group
<1C> INet~Services
Internet Information Server
This name is formed by adding the prex
IS~ to the machine name, padding with
nuls, and using a sufx byte value of
0x00.
The handling of NetBIOS names by
IIS is a little... er... unusual. Nul bytes are
not supposed to be used as padding except
in the wildcard name. There is also a bug
unique <00> IS~machine
1. As of this writing, Sambas nmblookup tool always uppercases NetBIOS names, so it
cannot send a successful query for the INet~Services<1C> name. (Yes, when I get time
Ill try to x that. Maybe. Note that the libcifs nbtquery tool can handle mixed-case
NetBIOS names; see http://ubiqx.org/libcifs/.)
Part IV Appendices 446
Service/Description Group/Unique Sufx Name Format
(veried in testing against a set of
Windows 2000 systems running IIS)
which causes the sufx byte to be
overwritten if the name is longer than 15
bytes.
For example, adding IS~ to the
machine name AHOSETHIULLMAN
(13 bytes) would give
IS~AHOSETHIULLMAN, which is 16
bytes long. The correct thing to do is to
truncate the string and register the name
IS~AHOSETHIULLMA<00>. Instead,
the trailing N in the machine name
overwrites the sufx byte, giving
IS~AHOSETHIULLMA<4E> (the hex
value of N is 0x4E).
2
Lotus Notes group <2F> IRISMULTICAST
Lotus Notes group <33> IRISNAMESERVER
DCA IrmaLan Gateway Server Service group <20> Forte_$ND800ZA
Special Handling of NetBIOS Names in WINS B.2
The Windows Internet Name Service (WINS) is Microsofts implementation
of the NetBIOS Name Server (NBNS) described in the RFCs. WINS does
not match the RFC specications, however, and its behavior is somewhat
quirky. Known quirks are listed below.
2. I nally got to see this in the wild while trying to solve a browsing problem with Mike
Langhus at the University of Minnesota. There were several IIS servers on the subnet, and
roughly a third of them had names long enough to cause the sufx byte overwrite problem. I
do not know which versions of IIS are affected, but it does not appear as though it causes any
real trouble. Its more of a curiousity than a bug.
447
B Known NetBIOS Suffix Values
Unique names
Unique names are handled per the RFC specications with two exceptions:
multi-homed host names and the Domain Master Browser name.
Read on...
Multi-homed host names
Multi-homed hosts register unique names by sending a special
MULTI-HOMED NAME REGISTRATION REQUEST packet to the
NBNS. The procedure is described in Section 4.3.1.4 on page 81 of this
book. WINS servers (and WINS-compatible NBNS implementations)
keep track of the list of IP addresses registered by a multi-homed host,
and will report up to 25 IP addresses when queried for the multi-homed
host name.
Group names
By default, in reply to a NAME QUERY REQUEST for a group name,
WINS will send the limited broadcast address, 255.255.255.255. This is
clearly not what the RFC authors had in mind.
Internet Group, Special Group, and Domain Group names
There are a few things to be said about these:
Thing 1
The terms Internet Group and Special Group are used inter-
changeably in much of the available documentation.
Thing 2
Older references use the terms Internet Group and Special Group
when referring to group names with the <1C> sufx. More recent
sources add the term Domain Group specically for the
nt_domain<1C> names, and expand the use of the other terms to
include groups dened by adding a special static entry, with a sufx
value of <20>, to the WINS database.
3
3. It was difcult to nd more than supercial documentation regarding the <20> Internet
Group names, which suggests that the feature is not widely used. If you want to dig deeper,
search the web for information regarding the #SG and #DOM keywords used in the
LMHOSTS le.
Part IV Appendices 448
Thing 3
Internet (aka Special) and Domain Groups are dened by using the
#SG and #DOM keywords in the LMHOSTS le, or via WINS
conguration dialogs on Windows systems.
As with multi-homed host entries, the WINS server should keep
track of as many IP addresses per name as it can handle. When queried,
the POSITIVE NAME QUERY RESPONSE should list at most 25 IP
addresses per Internet Group name.
Local Master Browser
The LMB registers the workgroup<1D> unique name. A WINS server
will accept all such registrations, ignoring any conicts, and will reply
with a NEGATIVE NAME QUERY RESPONSE when queried for the
name. This behavior forces M and H nodes to search for the LMB on the
local IP subnet. If there is no LMB for the Workgroup on the local subnet,
then the client that sent the request may call for a browser election. P
nodes cannot talk to Local Master Browsers, so they communicate directly
with the Domain Master Browser (if there is one).
Domain Master Browser
The DMB registers the unique nt_domain<1B> name. The WINS server
will ensure that the IP address associated with the nt_domain<1B> name
is always the rst in the list of IPs associated with the nt_domain<1C>
Domain Group name.
449
B Known NetBIOS Suffix Values