How to interpret output of nmblookup -A
Each line corresponds to a name that the node has claimed using NetBIOS.
The first field is the name itself.
The second field is the suffix, or the 16th byte of the name, in hexadecimal. It shows the type of this name –
0x00
is "Workstation" (a regular NetBIOS node),0x20
is "Server" (a node running a SMB file server),0x01
is "Browser" (a node that keeps track of all NetBIOS names on the network),0x03
is "Messenger" (a node or a user that can receive popup notifications), and so on, and so on.The third field is unknown to me yet...
The fourth field marks this line as a "group" name – one that multiple node (AFAIK up to 16) may claim at once. In this case, a group name of type
0x00
(Workstation) denotes the workgroup that the node is in (which again has to do with network browsing).The fifth field is the node type (though I don't know why it is a property of each name – AFAIK, it is a setting of the node itself…) – B-nodes use NetBIOS datagrams which are broadcast in the LAN; P-nodes (point-to-point) use a central WINS server; M-nodes (mixed) first try broadcast then WINS when resolving names; H-nodes (hybrid), a later improvement over M-node, first try WINS then broadcast (this is a little faster).
I am not sure of the last two fields. It's likely that
<ACTIVE>
means that the node successfully registered this name; if it ended up a duplicate, it would still be listed in response to a status query, but it would have a different marker. Similarly,<PERMANENT>
is likely to mean that the name doesn't expire, or something.
Further reading:
- The chapter "Browse Service" from "Implementing CIFS" describes network browsing and name types in detail.
Edits welcome.