Network+Advanced11 min read

What Does NetBIOS Mean?

Also known as: Network Basic Input/Output System, NetBIOS, NBNS, NetBIOS over TCP/IP

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

NetBIOS (Network Basic Input/Output System) is a legacy network protocol and API that allows applications on different computers to communicate within a local area network (LAN). Developed by IBM and later adopted by Microsoft, it provides three core services: name service (for registering and resolving computer names), session service (for establishing reliable connections), and datagram service (for connectionless messaging). NetBIOS was designed to work over NetBEUI, IPX/SPX, or TCP/IP (NetBIOS over TCP/IP, NBT). It operates primarily at the Session layer (Layer 5) of the OSI model but also touches the Transport and Network layers when encapsulated. NetBIOS names are 16-character identifiers (15 characters + 1 service type byte) used to identify network resources. While largely replaced by DNS and Active Directory in modern networks, NetBIOS remains relevant in legacy environments and is a common topic on the Network+ exam due to its historical significance and security implications.

Must Know for Exams

The Network+ exam tests NetBIOS in several distinct areas. First, OSI layer identification: candidates must know that NetBIOS operates at the Session layer (Layer 5) and that its services (name, session, datagram) map to specific layers. Second, port numbers: UDP 137 (name service), UDP 138 (datagram service), TCP 139 (session service) are frequently tested.

Third, name resolution: the exam contrasts NetBIOS name resolution (broadcast or WINS) with DNS (hierarchical, scalable). Fourth, security implications: questions may ask why NetBIOS is considered insecure (no authentication, susceptible to poisoning) and how to mitigate it (disable NetBIOS over TCP/IP, use DNS). Fifth, node types (B-node, P-node, M-node, H-node) and their behavior in name resolution are a common exam topic.

Additionally, the exam may include NetBIOS in the context of legacy protocols (NetBEUI, IPX/SPX) and its replacement by DNS and Active Directory. Understanding that NetBIOS names are 16 characters (15 + 1 type byte) is also tested.

Simple Meaning

Imagine a small office building where every employee has a nickname (like "Bob" or "Printer1") instead of a full legal name. When someone wants to send a document to the printer, they shout "Hey, Printer1!" across the hallway.

NetBIOS is like that shouting system: it lets computers find each other by friendly names without needing a phone book (DNS). The problem is that anyone in the building can hear the shout, and a malicious person could pretend to be Printer1 and steal the document. That's why modern networks use a secure directory (like a receptionist who checks IDs) instead of shouting.

NetBIOS was great for small, trusted networks in the 1990s, but it's insecure and inefficient for today's internet-connected environments.

Full Technical Definition

NetBIOS (Network Basic Input/Output System) is a session-layer protocol and API defined in RFC 1001 and RFC 1002 for NetBIOS over TCP/IP (NBT). It operates at OSI Layer 5 (Session) but relies on Transport (Layer 4) and Network (Layer 3) services when encapsulated over TCP/IP. NetBIOS provides three distinct services: (1) Name Service (NetBIOS Name Service, NBNS) on UDP port 137 for name registration and resolution; (2) Datagram Service on UDP port 138 for connectionless messaging; and (3) Session Service on TCP port 139 for connection-oriented communication.

Each NetBIOS name is exactly 16 bytes: 15 alphanumeric characters plus a 16th byte indicating the service type (e.g., 0x00 for workstation, 0x20 for server). Name resolution occurs via broadcast (limited to local subnet) or via a WINS server (Windows Internet Name Service).

NetBIOS names are flat (non-hierarchical), unlike DNS hierarchical names. The protocol includes a node type (B-node, P-node, M-node, H-node) that defines how name resolution is performed. Compared to DNS, NetBIOS is less scalable, less secure (no authentication), and more chatty (broadcast-heavy).

Modern Windows networks rely on DNS and Active Directory, but NetBIOS over TCP/IP is still enabled by default for backward compatibility, creating a common attack vector for name poisoning and relay attacks.

Real-Life Example

A small law firm runs a legacy Windows 2000 server named 'LEGACY-SRV' that hosts shared case files. The firm's 15 workstations are all Windows 10 Pro with NetBIOS over TCP/IP enabled. When a paralegal on 'WS-PARALEGAL' opens '\LEGACY-SRV\Cases', the workstation first checks its local NetBIOS name cache.

If not found, it sends a NetBIOS Name Service broadcast (UDP port 137) asking 'Who is LEGACY-SRV?' The server responds with its IP address (192.168.1.10). The workstation then establishes a NetBIOS session (TCP port 139) to access the shared folder.

Meanwhile, an attacker on the same subnet runs a NetBIOS name poisoning tool, responding to future broadcasts with a fake IP address, redirecting file requests to a rogue server that captures credentials. The firm's IT admin later disables NetBIOS over TCP/IP on all machines and switches to DNS-based name resolution, eliminating the vulnerability.

Why This Term Matters

Understanding NetBIOS is critical for IT professionals because it remains enabled by default on many Windows systems, creating persistent security risks such as name poisoning, relay attacks, and information disclosure. Troubleshooting legacy network issues often requires knowledge of NetBIOS node types, WINS configuration, and broadcast behavior. On the Network+ exam, NetBIOS appears in questions about protocol suites, OSI layers, name resolution methods, and network security.

Mastery of NetBIOS demonstrates foundational understanding of how early networking worked and why modern protocols evolved. For career relevance, knowing when and how to disable NetBIOS safely is a common task in network hardening, and explaining its limitations to stakeholders is a valuable skill.

How It Appears in Exam Questions

Exam questions on NetBIOS often follow these patterns: (1) 'At which OSI layer does NetBIOS operate?' with distractors like Transport or Network. The correct answer is Session layer.

(2) 'Which port does NetBIOS Name Service use?' with options like UDP 137, TCP 139, UDP 138. The correct answer is UDP 137. (3) 'What is a security concern with NetBIOS?' with wrong answers like 'it encrypts all traffic' or 'it requires certificates'.

The correct answer is 'it is susceptible to name poisoning attacks'. (4) 'Which service resolves NetBIOS names to IP addresses?' with distractors like DNS or DHCP. The correct answer is WINS (Windows Internet Name Service).

Common wrong answers include confusing NetBIOS with NetBEUI, thinking NetBIOS is a transport protocol, or assuming it uses TCP port 138 for sessions. Spot the correct answer by focusing on the specific service (name vs. session vs.

datagram) and its associated port.

Practise NetBIOS Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Step 1: A user on 'PC-A' wants to access a shared folder on 'PC-B'. PC-A's operating system checks its local NetBIOS name cache for 'PC-B'. Step 2: The name is not cached, so PC-A sends a NetBIOS Name Service broadcast (UDP port 137) to the local subnet asking 'Who is PC-B?'

Step 3: PC-B receives the broadcast and responds with its IP address (e.g., 192.168.1.5). Step 4: PC-A now knows the IP address and initiates a NetBIOS session by sending a TCP SYN to port 139 on PC-B.

Step 5: PC-B accepts the connection, and a session is established. PC-A can now access the shared folder using the NetBIOS session. The entire process is transparent to the user, who only sees the shared folder appear.

Common Mistakes

NetBIOS operates at the Transport layer of the OSI model.

NetBIOS is a session-layer protocol (Layer 5). It provides session management and name resolution, not end-to-end transport. Transport layer protocols are TCP and UDP.

Remember: NetBIOS = Session layer. TCP/UDP = Transport layer.

NetBIOS uses TCP port 138 for session service.

Session service uses TCP port 139. UDP port 138 is for Datagram service. Confusing these ports is a common error.

Session = TCP 139. Datagram = UDP 138. Name = UDP 137.

NetBIOS is the same as NetBEUI.

NetBIOS is an API/protocol suite; NetBEUI is a transport protocol that can carry NetBIOS. They are not interchangeable. NetBEUI is non-routable; NetBIOS over TCP/IP is routable.

NetBIOS = session layer. NetBEUI = transport protocol. Different layers.

Exam Trap — Don't Get Fooled

{"trap":"Candidates often choose 'NetBIOS uses TCP port 138 for session service' because they misremember the port numbers. The correct answer is TCP 139 for sessions, but the trap answer TCP 138 seems plausible because 138 is associated with NetBIOS.","why_learners_choose_it":"Learners see '138' and 'NetBIOS' together and assume it's for sessions, especially if they haven't memorized the exact port-to-service mapping.

The similarity between 138 and 139 adds confusion.","how_to_avoid_it":"Memorize the triplet: Name (UDP 137), Datagram (UDP 138), Session (TCP 139). Use a mnemonic: 'Name at 7, Datagram at 8, Session at 9.'

Always associate Session with TCP and the highest port number (139)."

Commonly Confused With

NetBIOSvsNetBEUI

NetBIOS is a session-layer API/protocol; NetBEUI is a transport-layer protocol that can carry NetBIOS. NetBEUI is non-routable and limited to LANs, while NetBIOS over TCP/IP is routable.

NetBIOS is like a postal service (session), NetBEUI is like a local delivery truck (transport) that can't leave the neighborhood.

NetBIOSvsWINS

WINS (Windows Internet Name Service) is a server that resolves NetBIOS names to IP addresses. NetBIOS is the protocol that uses WINS. WINS is the phone book; NetBIOS is the phone call.

NetBIOS is the act of asking 'Where is Bob?', WINS is the directory that answers.

Step-by-Step Breakdown

1

Step 1 — Name Registration

When a NetBIOS-enabled device boots, it registers its name by broadcasting a Name Registration request (UDP 137). If no conflict is detected, the name is claimed.

2

Step 2 — Name Resolution Attempt

When a device needs to communicate with another, it first checks its local NetBIOS name cache. If not found, it proceeds to the next step.

3

Step 3 — Broadcast Query (B-node)

If no WINS server is configured, the device sends a broadcast (UDP 137) asking 'Who has this name?' The target responds with its IP address.

4

Step 4 — WINS Query (P-node or H-node)

If a WINS server is configured, the device sends a directed query to the WINS server (UDP 137) instead of broadcasting. The server replies with the IP address.

5

Step 5 — Session Establishment

Once the IP address is known, the device initiates a TCP connection to port 139 on the target. A NetBIOS session is established for reliable data transfer.

Practical Mini-Lesson

NetBIOS is a session-layer API and protocol suite that enables legacy Windows networking. Its core function is to provide name resolution and session management for computers on a LAN. NetBIOS names are 16 characters: 15 for the name and 1 for the service type.

The protocol offers three services: Name Service (UDP 137) for registering and resolving names, Datagram Service (UDP 138) for connectionless messaging, and Session Service (TCP 139) for reliable connections. NetBIOS can run over NetBEUI, IPX/SPX, or TCP/IP (NetBIOS over TCP/IP, NBT). Compared to modern DNS, NetBIOS is flat (non-hierarchical), broadcast-dependent, and insecure.

DNS uses a hierarchical namespace, supports caching, and can be secured with DNSSEC. NetBIOS node types (B-node, P-node, M-node, H-node) determine how name resolution is performed: B-node uses broadcasts only, P-node uses a WINS server, M-node tries broadcast then WINS, and H-node tries WINS then broadcast. The key takeaway for Network+ is that NetBIOS is a legacy protocol still present in many networks for backward compatibility, but it should be disabled when possible due to security risks.

Understanding its ports, OSI layer, and node types is essential for the exam.

Memory Tip

Remember: 'NetBIOS = 16 characters, 3 services, Session layer.' The 16th character is the 'type' byte. For ports: '137 Name, 138 Datagram, 139 Session' — think '1-3-7, 1-3-8, 1-3-9' as a countdown. NetBIOS is 'noisy' (broadcasts) and 'insecure' (no auth).

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Is NetBIOS still used in modern networks?

NetBIOS is largely deprecated in favor of DNS and Active Directory, but it remains enabled by default on many Windows systems for backward compatibility. It is often disabled in secure environments to reduce attack surface.

How does NetBIOS compare to DNS?

NetBIOS uses flat, 16-character names and relies on broadcasts or WINS. DNS uses hierarchical names (e.g., host.domain.com) and is scalable, secure (DNSSEC), and routable. DNS has largely replaced NetBIOS for name resolution.

What is a NetBIOS node type?

Node types define how a NetBIOS device resolves names: B-node (broadcast only), P-node (WINS only), M-node (broadcast then WINS), H-node (WINS then broadcast). H-node is the default in modern Windows.

Why is NetBIOS considered a security risk?

NetBIOS broadcasts are unauthenticated, allowing any device on the subnet to respond to name queries (name poisoning). This can redirect traffic to malicious servers, enabling credential theft or man-in-the-middle attacks.

Can NetBIOS work over the internet?

NetBIOS over TCP/IP (NBT) can technically be routed, but it is not designed for WAN use. It is insecure and inefficient over the internet. Modern networks use VPNs or direct TCP/IP without NetBIOS.

Summary

(1) NetBIOS is a legacy session-layer protocol suite that provides name resolution, session management, and datagram services for Windows networking. (2) Its key technical property is the 16-character flat name (15 chars + 1 type byte) and its reliance on broadcasts or WINS for name resolution. (3) The most important exam fact: NetBIOS Name Service uses UDP port 137, Datagram Service uses UDP port 138, and Session Service uses TCP port 139.

Remember that NetBIOS is insecure and should be disabled in modern networks.