 | 1 | initial version |
Without having your packet trace to look at, the presence of the NBSTAT queries may or may not be related to your use of the Window tracert command. You might see DNS name queries as well.
When using Window's tracert command try adding the /d option ("Do not resolve addresses to hostnames") to your tracert command and see if your "NBSTAT" queries go away.
The default behavior for Window's tracert is to try to resolve the source IP address of any ICMP packet received. Starting with an ip.ttl==1, three outbound ICMP echo packets will be sent. Assuming that the target machine is not on the same IPv4 network segment, the first hop router will typically reply with ICMP TTL exceeded in transmit responses. Windows will then to determine the hostname of the device that sent these responses. Then the next set of three ICMP echo packets are sent with the ip.ttl increased by one and again by default Windows will try to determine the hostname(s) of these second set of responses and so on.
On many *nix-like systems the traceroute command typically uses the -n option for the same purpose as Window's tracert /d option. The man page for the traceroute on one of my Redhat system defines the -n option as "Do not try to map IP addresses to host names when displaying them.". Similarly on one of my macOS systems the -n option is defined as "Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).".
Interestingly on one my Ubuntu systems with GNU's inetutils based traceroute installed no name lookups are performed by default. Instead one has to supply the long option --resolve-hostnames to actually force GNU traceroute to attempt the ip address to hostname lookups.
| | 2 | No.2 Revision |
Without having your packet trace to look at, the presence of the NBSTAT queries may or may not be related to your use of the Window tracert command. You might see DNS name queries as well.
When using Window's tracert command try adding the /d option ("Do not resolve addresses to hostnames") to your tracert command and see if your "NBSTAT" queries go away.
The default behavior for Window's tracert is to try to resolve the source IP address of any ICMP packet received. Starting with an ip.ttl==1, three outbound ICMP echo packets will be sent. Assuming that the target machine is not on the same IPv4 network segment, the first hop router will typically reply with ICMP TTL exceeded in transmit responses. Windows will then to determine the hostname of the device that sent these responses. Then the next set of three ICMP echo packets are sent with the ip.ttl increased by one and again by default Windows will try to determine the hostname(s) of these second set of responses and so on.
On many *nix-like systems the traceroute command typically uses the -n option for the same purpose as Window's tracert /d option. The man page for the traceroute on one of my Redhat system defines the -n option as "Do not try to map IP addresses to host names when displaying them.". Similarly on one of my macOS systems the -n option is defined as "Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).".
Interestingly on one my Ubuntu systems with GNU's inetutils based traceroute installed no does not do name lookups are performed by default. Instead one has to supply the long option --resolve-hostnames to actually force GNU traceroute to attempt the ip address to hostname lookups.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
