
Disable Netbios UDP 137 traffic

Created by Malik Haider, last modified by Kevin Twomey on Jan 18, 2017



This article describes how the Orion server uses the NetBIOS port (UDP 137) to reach out to all the devices that are monitored by Orion. You can disable the NetBIOS over TCP/IP protocol and write an LMHOSTS file for the servers that need to be resolved using NetBIOS names. Doing so prevents NetBIOS lookup queries from trying to go through your firewall.


Note: NetBIOS lookups happen from the Orion engine before a DNS lookup. Also note that DNS lookups only reach out to the first DNS server (primary DNS) they can reach. This matters if DNS replication is not set up properly and some hosts do not resolve via the primary DNS server.


That's pretty much what I expected with NTA. NTA will take any NetFlow data that is being sent to it from your layer 3 devices, record the source and destination IPs in the flow data, then attempt to resolve the names of those IPs (whether they are valid or not) through DNS and NetBIOS for display in the web console. It doesn't attempt to confirm whether the IPs are real or not, only that it is seeing them within the flow packets themselves.


The correction to a point however pertains to this: NTA must be configured to allow the NetBIOS requests to be initiated, and for it to be concurrent, it must be set to Persistent name resolution in the NTA settings. Easiest way to confirm is to go to NTA Settings, scroll down to "DNS and NetBIOS Resolution" and see if "Enable NetBIOS resolution of endpoints" is checked. Likely as well, the setting for "DNS Resolution Option" is set to Persistent.


Collects flow packets > parses source\destination IPs in convos > stores the IPs > queues them for name resolution > issues resolution through DNS\LLMNR for everything configured on the server (DNS servers, etc.) > issues NetBIOS lookup to whatever it can reach to resolve naming through that method (if enabled) > awaits response > stores name upon return.


We unfortunately do not have any white sheet documentation stating this exact process, at least nothing that we can release, but if it comes into question whether this is intended design I can confirm and I can indicate in the admin guide that NTA can and does attempt naming resolution through NetBIOS.


I'd say your next method to test is to check the NTA Settings page, disable NetBIOS resolution if it's enabled, then see what happens when you restart the service.


All versions of NPM 


  1.  Go to Control Panel > Network and Sharing Center > Manage Network Connections.
    If you have multiple NICs, be sure to disable NetBIOS on the NIC used by the Orion engine.
  2.  Select the interface and then right-click Properties.
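
The adapter-level change described in this article can also be scripted. The following PowerShell is an added example, not SolarWinds code: it audits NetBIOS over TCP/IP on every IP-enabled adapter, disables it on the NIC that holds the Orion address, and adds LMHOSTS entries for hosts that still need NetBIOS names. The values of `$OrionIp` and `$NbHosts` are constructed placeholders that you replace with your own.

```powershell
# Added example (not SolarWinds code). Run elevated on the Orion server.
$OrionIp = '192.0.2.10'                      # placeholder: address of the NIC the Orion engine uses
$NbHosts = @{ 'FILESRV01' = '192.0.2.20' }   # constructed sample: NetBIOS name -> IP for LMHOSTS
$states  = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

# Audit every IP-enabled adapter so a second NIC is not overlooked.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$adapters | Select-Object Index, Description,
    @{ Name = 'IPAddress'; Expression = { $_.IPAddress -join ', ' } },
    @{ Name = 'NetBIOS';   Expression = { $states[[int]$_.TcpipNetbiosOptions] } } |
    Format-Table -AutoSize

# Select the adapter that carries the Orion address.
$target = $adapters | Where-Object { $_.IPAddress -contains $OrionIp } | Select-Object -First 1
if (-not $target) { throw "No IP-enabled adapter has address $OrionIp" }

# 2 = disable NetBIOS over TCP/IP (same setting as the adapter's WINS tab).
if ($target.TcpipNetbiosOptions -ne 2) {
    $r = Invoke-CimMethod -InputObject $target -MethodName SetTcpipNetbios `
                          -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    # Return value 0 = success, 1 = success but a reboot is required.
    if ($r.ReturnValue -notin 0, 1) { throw "SetTcpipNetbios failed: $($r.ReturnValue)" }
}

# Add LMHOSTS entries that are not already present (format: IP, name, #PRE to preload).
$lmhosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
$existing = if (Test-Path $lmhosts) { Get-Content $lmhosts } else { @() }
foreach ($name in $NbHosts.Keys) {
    if (-not ($existing -match "\s$([regex]::Escape($name))(\s|$)")) {
        Add-Content -Path $lmhosts -Value ("{0}`t{1}`t#PRE" -f $NbHosts[$name], $name)
    }
}

# Verify the result on the selected adapter.
$after = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "Index = $($target.Index)"
"NetBIOS over TCP/IP on '$($after.Description)': $($states[[int]$after.TcpipNetbiosOptions])"
```

After the change, a packet capture or firewall log on the Orion server should show no new outbound UDP 137 queries from that NIC.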





Check NTA Settings to make sure NetBIOS is disabled:


For more details, see the Thwack post below:



