How to interpret output of nmblookup -A

Each line corresponds to a name that the node has claimed using NetBIOS.

• The first field is the name itself.

• The second field is the suffix, or the 16th byte of the name, in hexadecimal. It shows the type of this name – 0x00 is "Workstation" (a regular NetBIOS node), 0x20 is "Server" (a node running a SMB file server), 0x01 is "Browser" (a node that keeps track of all NetBIOS names on the network), 0x03 is "Messenger" (a node or a user that can receive popup notifications), and so on, and so on.

• The third field is unknown to me yet...

• The fourth field marks this line as a "group" name – one that multiple node (AFAIK up to 16) may claim at once. In this case, a group name of type 0x00 (Workstation) denotes the workgroup that the node is in (which again has to do with network browsing).

• The fifth field is the node type (though I don't know why it is a property of each name – AFAIK, it is a setting of the node itself…) – B-nodes use NetBIOS datagrams which are broadcast in the LAN; P-nodes (point-to-point) use a central WINS server; M-nodes (mixed) first try broadcast then WINS when resolving names; H-nodes (hybrid), a later improvement over M-node, first try WINS then broadcast (this is a little faster).

• I am not sure of the last two fields. It's likely that <ACTIVE> means that the node successfully registered this name; if it ended up a duplicate, it would still be listed in response to a status query, but it would have a different marker. Similarly, <PERMANENT> is likely to mean that the name doesn't expire, or something.

Further reading:

• The chapter "Browse Service" from "Implementing CIFS" describes network browsing and name types in detail.

Edits welcome.

Author by

MariusMatutiae

Updated on September 18, 2022