Provided by: nbtscan_1.5.1-7_amd64 bug


       nbtscan -- program for scanning networks for NetBIOS name information


       nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q]
               [-s separator] [-h] [-m retransmits] [-f filename | target]


       NBTscan  is  a  program  for  scanning  IP networks for NetBIOS name information. It sends
       NetBIOS status query to each address in supplied range and lists received  information  in
       human  readable  form. For each responded host it lists IP address, NetBIOS computer name,
       logged-in user name and MAC address (such as Ethernet).

       NBTscan produces a report like that:

           IP address       NetBIOS Name     Server    User             MAC address
       MYCOMPUTER                 JDOE             00-a0-c9-12-34-56
       WIN98COMP        <server>  RROE             00-a0-c9-78-90-00
     DPTSERVER        <server>  ADMINISTRATOR    08-00-09-12-34-56

       First column lists IP address of responded host. Second column  is  computer  name.  Third
       column  indicates  if  this  computer shares or is able to share files or printers. For NT
       machine it means that Server Service is running on this computer.  For Windows 95 it means
       that  "I want to be able to give others access to my files" or "I want to be able to allow
       others to print on my printer(s)" checkbox is ticked (in  Control  Panel/Network/File  and
       Print  Sharing).  Most  often it means that this computer shares files. Third column shows
       user name. If no one is logged on from this computer it is same  as  computer  name.  Last
       column shows adapter MAC address.

       If  run  with -v switch NBTscan lists whole NetBIOS name table for each responded address.
       The output looks like that:

           NetBIOS Name Table for Host

           Name             Service          Type
           DPTSERVER        <00>             UNIQUE
           DPTSERVER        <20>             UNIQUE
           DEPARTMENT       <00>             GROUP
           DEPARTMENT       <1c>             GROUP
           DEPARTMENT       <1b>             UNIQUE
           DEPARTMENT       <1e>             GROUP
           DPTSERVER        <03>             UNIQUE
           DEPARTMENT       <1d>             UNIQUE
           ??__MSBROWSE__?  <01>             GROUP
           INet~Services    <1c>             GROUP
           IS~DPTSERVER     <00>             UNIQUE
           DPTSERVER        <01>             UNIQUE

           Adapter address: 00-a0-c9-12-34-56


       A summary of options is included below.

       -v     Verbose output. Print all names received from each host.

       -d     Dump packets. Print whole packet contents.  Cannot  be  used  with  -v,  -s  or  -h

       -e     Format output in /etc/hosts format.

       -l     Format output in lmhosts format.

       -t <timeout>
              Wait timeout seconds for response. Default 1.

       -b <bandwidth>
              Output   throttling.  Slow  down output so that it uses no more that bandwidth bps.
              Useful on slow links, so that outgoing queries don't get dropped.

       -r     Use local port 137 for scans. Win95 boxes respond to this only. You need to be root
              to use this option.

       -q     Suppress banners and error messages.

       -s <separator>
              Script-friendly output. Don't print column and record headers, separate fields with

       -h     Print human-readable names for services. Can only be used with -v option.

       -m <retransmits>
              Number of retransmits. Default 0.

       -f <filename>
              Take IP addresses to scan from file "filename"

       target NBTscan is a command-line tool. You have to  supply  at  least  one  argument,  the
              address range, in one of three forms:

                     Single IP in dotted-decimal notation. Example:

                     Net address and subnet mask. Example:

                     Address  range.  Example: This will scan all addresses from


       Scans the whole C-class network:

           nbtscan -r

       Scans a range from to


       Scans C-class network. Prints results in  script-friendly  format  using  colon  as  field

           nbtscan -v -s :

       The last command produces output like that:


       Scans IP addresses specified in file iplist:

           nbtscan -f iplist


       NetBIOS  Suffix,  aka  NetBIOS  End  Character  (endchar),  indicates service type for the
       registered name. The most known codes are listed below. (U = Unique Name, G = Group Name)

           Name                Number(h)  Type  Usage

           <computername>         00       U    Workstation Service
           <computername>         01       U    Messenger Service
           <\--__MSBROWSE__>      01       G    Master Browser
           <computername>         03       U    Messenger Service
           <computername>         06       U    RAS Server Service
           <computername>         1F       U    NetDDE Service
           <computername>         20       U    File Server Service
           <computername>         21       U    RAS Client Service
           <computername>         22       U    Exchange Interchange(MSMail Connector)
           <computername>         23       U    Exchange Store
           <computername>         24       U    Exchange Directory
           <computername>         30       U    Modem Sharing Server Service
           <computername>         31       U    Modem Sharing Client Service
           <computername>         43       U    SMS Clients Remote Control
           <computername>         44       U    SMS Administrators Remote Control Tool
           <computername>         45       U    SMS Clients Remote Chat
           <computername>         46       U    SMS Clients Remote Transfer
           <computername>         87       U    Microsoft Exchange MTA
           <computername>         6A       U    Microsoft Exchange IMC
           <computername>         BE       U    Network Monitor Agent
           <computername>         BF       U    Network Monitor Application
           <username>             03       U    Messenger Service
           <domain>               00       G    Domain Name
           <domain>               1B       U    Domain Master Browser
           <domain>               1C       G    Domain Controllers
           <domain>               1D       U    Master Browser
           <domain>               1E       G    Browser Service Elections
           <INet~Services>        1C       G    IIS
           <IS~computer name>     00       U    IIS


       1.  NBTscan lists my Windows boxes just fine but does not list my Unixes or routers. Why?

       R: That is the way it is supposed to work. NBTscan uses NetBIOS for scanning  and  NetBIOS
       is only implemented by Windows (and some software on Unix such as Samba).

       2.  Why do I get "Connection reset by peer" errors on Windows 2000?

       R:  NBTscan  uses  port  137 UDP for sending queries. If the port is closed on destination
       host destination will reply with ICMP "Port unreachable" message.  Most  operating  system
       will  ignore this message. Windows 2000 reports it to the application as "Connection reset
       by peer" error. Just ignore it.

       3.  Why NBTscan doesn't scan for shares? Are you going to add share scanning to NBTscan?

       R: No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires
       TCP.  For  one  thing,  it  will  make nbtscan more slow. Also adding share scanning means
       adding a lot of new code to nbtscan. There is a lot of  good  share  scanners  around,  so
       there is no reason to duplicate that work.

       4.  Why do I get 00-00-00-00-00-00 instead of MAC address when I scan a Samba box?

       R:  Because  that's what Samba send in response to the query. Nbtscan just prints out what
       it gets.


       NBTscan  was  created  by  Andrew  Tridgell  and   Alla   Bezroutchko   <,>.

       This  manual  page  was  written  for  the first time by Ryszard Lach <> and
       rewritten, from scratch, by Joao Eriberto Mota Filho <> for the  Debian
       GNU/Linux system (but may be used by others).