[Wolves] Any Idea what's going on?

James Turner james at turnersoft.co.uk
Tue Apr 19 19:40:24 BST 2005

On Tuesday 19 Apr 2005 13:32, David Goodwin wrote:
> Peter Cannon wrote:
> > Hi All
> >
> > Am I being attacked/probed?
> >
> > I'm no firewall/network expert, but I've just had this log message and
> > everyone is out here at the moment so I can't ask my guys what's going on.
> >
> > Am I being paranoid?
> >
> > I've not seen this before, any ideas?
> Hi,
> Port 137 is one of the Microsoft networking things (netbios-ns)
> so it's probable that windows computers are trying to ask you for name
> lookups.

With all acronyms expanded:
netbios-ns = Network Basic Input/Output System Name Service

If I recall correctly:

By default all Windows NT/2000/XP machines that have the "Server" service 
running (or Windows 9x machines with at least one network share) periodically 
make network broadcasts announcing their machine name along with certain 
details of the NetBIOS-based services they are running. This is used to 
construct the workgroup information that appears in Network Neighborhood/My 
Network Places.

The list of machines available on the network is maintained by a specific 
machine known as the master browser (or various other names, including 
swearwords when the mechanism doesn't work properly, which is most of the 
time in my experience). The master browser is selected semi-automatically 
according to various arcane rules relating to OS version, uptime, etc.

As an alternative, it is possible to manage the machine names using a WINS 
(Windows Internet Name System) server, which also gets round the limitation 
of name lookup being limited to a single network segment (being 
broadcast-based). As an even newer alternative, you could just use TCP/IP and 
DNS. (Microsoft finally realised that their proprietary network protocol is 
rubbish and did an "embrace and extend" job on DNS instead, for use with 
Active Directory).

> > Logged 120 packets on interface eth0
> >   From - 12 packets to udp(137)

If eth0 is connected to your local LAN then this is just normal "chatter" from 
neighbouring Windows machines and is nothing to worry about. If eth0 is 
connected to the Internet (i.e. the external interface on a firewall router) 
then traffic to TCP and UDP ports 137-139 should be blocked.

> >   From - 3 packets to udp(32922)

This is probably the client end of UDP communication to the above machine and 
nothing to worry about, although it's not possible to say with 100% certainty 
without knowing the specific network setup, sniffing the packet, etc.


