Reducing NetBIOS noise in a 50-seat, 30-server organisation


Solution 1

If you don't have any applications that need it, just take down the WINS server and disable NetBIOS over TCP/IP completely, I'd say. Short names still work just fine in a DNS-only network by virtue of search suffixes.

If clients are set to the default NetBIOS setting (enabled except if DHCP says not to), then you can simply set the flag in the DHCP options to disable NetBIOS, under the Microsoft Windows 2000 Options vendor class - set an 0x2 under the 001 Microsoft Disable Netbios Option - see this MS KB for details.

Solution 2

In addition to what Shane posted in his answer, take care not to slay the wrong dragon. Yes, NetBIOS is chatty, but it's not necessarily a problem that needs to be dealt with. Broadcast traffic, whether it be at layer 2 (ARP, Spanning Tree BPDU's, etc) or layer 3 (NetBIOS, etc) is a normal component of network traffic and communication. The key is to know whether or not the particular broadcast traffic you're focused on (ARP flooding, broadcast storm, multicast storm) is contributing to network issues (most likely congestion) which can manifest itself in duplicate ACK's, packet loss, TCP retransmits, TCP fast retransmits, etc.

My suggestion would be to run a packet capture on your switch (if the switch supports port mirroring/monitoring) with packet capture software that can give you a view of the percentage of traffic that is broadcast traffic as a whole and also what percentage of traffic is NetBIOS broadcast traffic. NetBIOS traffic that is not broadcast traffic (meaning it's unicast traffic) shouldn't present any more of a problem than any other unicast traffic.

I don't know of any hard numbers but if your percentage of broadcast traffic is above a few percent (not more than 5% probably) then you probably have network congestion that's manifesting itself in the symptoms I described above. At that point you should track down the cause of the congestion and resolve it.

One source of network congestion, for example, is heartbeat traffic related to load balancing or NIC teaming.
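
Added example, not part of the answer above: a Python sketch of the measurement it recommends, counting what share of frames in a capture are layer-2 broadcasts and what share are NetBIOS broadcasts (UDP 137/138). It assumes a classic `.pcap` file of untagged Ethernet frames (Wireshark's default pcapng must be saved as pcap first); the function names and the sample frames are constructed for illustration.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name service and datagram service

def is_netbios_udp(frame: bytes) -> bool:
    """True for an untagged IPv4/UDP frame addressed to port 137 or 138."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return False
    udp = 14 + (frame[14] & 0x0F) * 4  # honour the IPv4 header length field
    if len(frame) < udp + 4:
        return False
    return struct.unpack("!H", frame[udp + 2:udp + 4])[0] in NETBIOS_UDP_PORTS

def broadcast_share(pcap: bytes) -> dict:
    """Count frames, layer-2 broadcasts and NetBIOS broadcasts in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    stats = {"frames": 0, "broadcast": 0, "netbios_broadcast": 0}
    offset = 24
    while offset + 16 <= len(pcap):  # 16-byte record header precedes each frame
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        stats["frames"] += 1
        if frame[:6] == BROADCAST_MAC:
            stats["broadcast"] += 1
            stats["netbios_broadcast"] += is_netbios_udp(frame)
    for key in ("broadcast", "netbios_broadcast"):
        stats[key + "_pct"] = round(100.0 * stats[key] / max(stats["frames"], 1), 1)
    return stats

def _frame(dst_mac: bytes, dport: int, ethertype: int = 0x0800) -> bytes:  # constructed test frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 255]))
    udp = struct.pack("!HHHH", dport, dport, 8, 0)
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + ip + udp

def sample_pcap() -> bytes:  # constructed: 6 unicast, 3 NBNS broadcasts, 1 ARP-type broadcast
    frames = ([_frame(b"\x02\x00\x00\x00\x00\x02", 53)] * 6
              + [_frame(BROADCAST_MAC, 137)] * 3
              + [_frame(BROADCAST_MAC, 0, ethertype=0x0806)])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

print(broadcast_share(sample_pcap()))
```

On a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `broadcast_share`; the percentages here are by frame count, not by bytes.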


Author: Ashley

Updated on September 18, 2022

Comments

  • Ashley
    Ashley over 1 year

    We are a development shop where all 50-odd workstation computers run Windows 7 SP1 and most of our 20-30 servers are Server 2008 R2 or Server 2008 (there are a few stragglers still on Server 2003). We have a flat, single subnet environment where servers and workstations are in the same network. We have DNS servers with dynamic DNS registration enabled and currently we have WINS servers too. In performing some diagnostic Wireshark packet capturing on our network for a different issue, we've seen that there is quite a lot of NetBIOS broadcast noise on our network.

    We are looking to disable NetBIOS broadcast by changing the node type of our workstations (and possibly servers) to p-node (or peer only) where WINS will be used as the only name resolution method. We will most likely configure it via the 043 DHCP option to ensure that even non-domain joined clients participate on our network without broadcast. We considered using the Group Policy approach to roll-out the registry key, but this may have detrimental effects on our laptop users when offsite (such as on their home networks).

    Here are my questions:

    • will this cause issue with any of the few Windows Server 2003 servers we have left, or for any of our Windows 7 clients or other newer Windows servers?
    • Further to that, is it even advisable to prevent NetBIOS broadcast or should the noise just be ignored as a typical part of the network?
    • We've also considered disabling NetBIOS completely. However, the only way I know of doing so is to disable NetBIOS over TCP/IP. I assume this is the only NetBIOS method left in Windows 7? So disabling this on the NIC (or for the whole PC) disables NetBIOS completely?
    • Will disabling NetBIOS mean that the FQDN/long name (eg, companyname.tld) of the domain need to be used for logon purposes due to the short-name (eg, COMPANYNAME) no longer being available? (ie, [email protected] has to be used instead of COMPANYNAME\username) If this is the case, will Windows still show Logon to: COMPANYNAME or will it show Logon to: companyname.tld.

    In summary, we're after some guidance on what is common practice for organisations to do with NetBIOS communications these days and the experiences of others when making changes to NetBIOS network configuration similar to my topology.

    I've found the below topic which links to a few others, but I'm still not convinced. I'd like to know the steps people took to 'disabling' or limiting NetBIOS and any shortcomings or advantages of doing so.

    NetBIOS "free" network?

    Edit:

    As per questions; running Active Directory, functionality level 2008, prepped for 2008 R2, soon to be R2 functionality.

    And I received a decent "why" question, to which I said:

    I'm of the opinion that if it isn't needed, it shouldn't be on. Plus, there is a lot of noise on the network from broadcast resolutions - sure these packets are tiny, but I just was after some clarity on what others (perhaps in bigger organisations) have done regarding NetBIOS.

    • Admin
      Admin over 12 years
      That's a lot of words but none of them hint at just why you want to do this. Care to share your reason(s)?
    • Admin
      Admin over 12 years
      @SpacemanSpiff: Yeah definite Active Directory - I must've accidentally deleted the part where I said I had a 2008 forest and domain functionality level.
    • Admin
      Admin over 12 years
      @JohnGardeniers I'm of the opinion that if it isn't needed, it shouldn't be on. Plus, there is a lot of noise on the network from broadcast resolutions - sure these packets are tiny, but I just was after some clarity on what others (perhaps in bigger organisations) have done regarding NetBIOS.
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    For sure - a lot of scroll in a Wireshark capture does not necessarily mean a lot of traffic.
  • joeqwerty
    joeqwerty over 12 years
    I generally use Wireshark (or Microsoft Network monitor) for looking at specific problems (host to host issues) and I use Colasoft Capsa to get a "big picture" view of the network. If I could afford it I'd use Cascade Pilot.
  • Ashley
    Ashley over 12 years
    Have you had experience with this being successful in a sizeable organisation? Do you have any suggested methods for testing or scenarios to test before roll-out to all?
  • Ashley
    Ashley over 12 years
    Yeah, I haven't done anything intensive with regards to packet captures on switches or a large amount of hosts, but the few times I've had to pull out Wireshark to do some diagnosis it's been difficult with all the broadcast traffic in there. My question was more from a curiosity stand-point on whether NetBIOS is really needed and whether it's safe to disable (less is more? :P).
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    @AshleySteel Sure, I've disabled it completely in a 1500 user organization. I'd normally recommend disabling it on one subnet to test, but since you only have one subnet, maybe just disable it manually on a handful of systems and verify that no applications break?
  • Dan Pritts
    Dan Pritts over 11 years
    It's pretty simple to remove particular types of traffic from your Wireshark capture. The capture filter "not broadcast" will help, for instance.
  • Bill Vallance
    Bill Vallance over 4 years
    Or, keep all of the Wireshark packets and use a display filter to eliminate the traffic you don't want to see on your screen. A capture filter prevents the packet types specified in the capture filter from being captured at all. The display filter just removes the packets you don't want displayed on your screen but keeps them in your capture file.