[Wolves] Any Idea whats going on?
James Turner
james at turnersoft.co.uk
Tue Apr 19 19:40:24 BST 2005
On Tuesday 19 Apr 2005 13:32, David Goodwin wrote:
> Peter Cannon wrote:
> > Hi All
> >
> > Am I being attacked/probed?
> >
> > I'm no firewall/network expert, but I've just had this log message and
> > everyone is out here at the moment so I can't ask my guys what's going on.
> >
> > Am I being paranoid?
> >
> > I've not seen this before, any ideas?
>
> Hi,
>
> Port 137 is one of the Microsoft networking things (netbios-ns)
> so it's probable that windows computers are trying to ask you for name
> lookups.
With all acronyms expanded:
netbios-ns = Network Basic Input/Output System Name Service

If I recall correctly:

By default all Windows NT/2000/XP machines that have the "Server" service
running (or Windows 9x machines with at least one network share) periodically
make network broadcasts announcing their machine name along with certain
details of the NetBIOS-based services they are running. This is used to
construct the workgroup information that appears in Network Neighborhood/My
Network Places.

The list of machines available on the network is maintained by a specific
machine known as the master browser (or various other names, including
swearwords when the mechanism doesn't work properly, which is most of the
time in my experience). The master browser is selected semi-automatically
according to various arcane rules relating to OS version, uptime, etc.

As an alternative, it is possible to manage the machine names using a WINS
(Windows Internet Name System) server, which also gets round the limitation
of name lookup being limited to a single network segment (being
broadcast-based). As an even newer alternative, you could just use TCP/IP and
DNS. (Microsoft finally realised that their proprietary network protocol is
rubbish and did an "embrace and extend" job on DNS instead, for use with
Active Directory).
> > Logged 120 packets on interface eth0
> > From 192.168.10.13 - 12 packets to udp(137)

If eth0 is connected to your local LAN then this is just normal "chatter" from
neighbouring Windows machines and is nothing to worry about. If eth0 is
connected to the Internet (i.e. the external interface on a firewall router)
then traffic to TCP and UDP ports 137-139 should be blocked.

> > From 192.168.10.16 - 3 packets to udp(32922)

This is probably the client end of UDP communication to the above machine and
nothing to worry about, although it's not possible to say with 100% certainty
without knowing the specific network setup, sniffing the packet, etc.

Regards,
James
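
The triage rule from the reply above (ports 137-139 are ordinary chatter on a LAN interface and should be blocked on an Internet-facing one), as an added example that is not part of the original message. The `ppp0` interface, the sample addresses, the verdict labels and the extra check for a non-RFC 1918 source are assumptions made for illustration; the caller states which interfaces are external.

```python
import ipaddress
import re

NETBIOS_PORTS = range(137, 140)  # 137-139, the range named in the reply
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IFACE_RE = re.compile(r"Logged (\d+) packets on interface (\S+)")
ENTRY_RE = re.compile(r"From (\S+) - (\d+) packets? to (tcp|udp)\((\d+)\)")

# Constructed sample in the summary format quoted in the thread.
SAMPLE = """\
Logged 120 packets on interface eth0
  From 192.168.10.13 - 12 packets to udp(137)
  From 192.168.10.16 - 3 packets to udp(32922)
Logged 7 packets on interface ppp0
  From 203.0.113.9 - 7 packets to udp(137)
"""

def triage(summary, external_ifaces):
    """Return (iface, src, proto, port, count, verdict) per logged entry."""
    results, iface = [], None
    for line in summary.splitlines():
        m = IFACE_RE.search(line)
        if m:
            iface = m.group(2)  # following entries belong to this interface
            continue
        m = ENTRY_RE.search(line)
        if not m or iface is None:
            continue
        src, proto = m.group(1), m.group(3)
        count, port = int(m.group(2)), int(m.group(4))
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # source is not an IP address (e.g. a hostname); skip
        if port not in NETBIOS_PORTS:
            verdict = "not-netbios"
        elif iface in external_ifaces:
            verdict = "block-at-edge"      # Internet-facing: should be dropped
        elif any(addr in net for net in RFC1918):
            verdict = "lan-chatter"        # neighbouring Windows machines
        else:
            verdict = "unexpected-source"  # public source on an internal interface
        results.append((iface, src, proto, port, count, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE, external_ifaces={"ppp0"}):
        print(*row)
```
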