Re: Re: many attempts to Port 137 (NetBIOS-NameService)

From: Joerg Walter (joerg.walterat_private)
Date: Wed Feb 16 2000 - 23:56:43 PST


    ----- Original Message -----
    From: Robert Graham <robert_david_grahamat_private>
    To: Joerg Walter <joerg.walterat_private>; <firewall-wizardsat_private>
    Sent: Thursday, 17 February 2000 02:58
    Subject: Re: many attempts to Port 137 (NetBIOS-NameService)
    
    
    > I wouldn't be worried:
    > http://www.robertgraham.com/pubs/firewall-seen.html#port137
    
    good site, very informative :-))
    
    > Are the source ports 137 as well? A 137->137 packet is almost certainly a
    > request from a Windows machine, or a response. For example, you might have a
    > machine internally sending out NetBIOS requests, and these might be the
    > responses.
    
    Most of the packets have source port > 1024, but some have port 137 as well.
    I will check whether there are any machines in the inside net which
    probably try to resolve host names via NetBIOS. Maybe these incoming packets
    are just the responses.
    
    Thanks for your help! - Joerg Walter
    
    > Alternatively, for some reason, these might be Windows machines trying to do a
    > reverse DNS lookup on your machine. If the DNS server doesn't respond in a
    > timely manner, Windows machines will give up and try a NetBIOS query to resolve
    > your name. This is part of Microsoft's Winsock implementation, so it is an OS
    > thing rather than an application thing. I know this is weird advice: check your
    > DNS server, it may fix the problem.
    >
    > In any event, grab a packet sniffer (like tcpdump, which is probably installed
    > by default on your Linux box) and capture the packets to a file. If you send me
    > the file, I could probably figure out what these NetBIOS packets are looking
    > for (warning: you would be disclosing sensitive info if you did this).
    >
    > Rob.
    
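One way to sort a tcpdump capture along the lines this thread suggests, pairing inbound UDP/137 packets with prior outbound NetBIOS queries from the inside net and labelling the rest by source port. This is an added example, not code from the original posts; the tcpdump line format, the 192.0.2.0/24 inside net, the 5-second match window and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a tcpdump-like format (assumed layout):
# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
SAMPLE_LOG = """\
10:00:01.000 IP 192.0.2.10.137 > 198.51.100.5.137: UDP, length 50
10:00:01.100 IP 198.51.100.5.137 > 192.0.2.10.137: UDP, length 62
10:00:05.000 IP 203.0.113.7.137 > 192.0.2.20.137: UDP, length 50
10:00:09.000 IP 203.0.113.9.1033 > 192.0.2.20.137: UDP, length 50
"""

INTERNAL = ip_network("192.0.2.0/24")  # assumed inside net
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def to_seconds(ts):
    """Convert an HH:MM:SS.fff timestamp into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify(log, window=5.0):
    """Label each inbound UDP/137 packet as 'response', 'win-probe' or 'query'.

    'response'  : an inside host sent a port-137 query to that outside host
                  within `window` seconds before (likely the reply Joerg suspects)
    'win-probe' : 137->137 with no matching outbound query (Windows-originated)
    'query'     : ephemeral source port, e.g. the reverse-lookup fallback
    """
    outbound = defaultdict(list)   # (inside, outside) -> times of outbound queries
    labels = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip non-UDP or unparseable lines
        ts, src, sport, dst, dport = m.groups()
        t = to_seconds(ts)
        src_in = ip_address(src) in INTERNAL
        dst_in = ip_address(dst) in INTERNAL
        if src_in and not dst_in and dport == "137":
            outbound[(src, dst)].append(t)
        elif dst_in and not src_in and dport == "137":
            recent = [q for q in outbound[(dst, src)] if 0 <= t - q <= window]
            label = "response" if recent else ("win-probe" if sport == "137" else "query")
            labels.append((src, dst, label))
    return labels
```

Anything labelled 'response' is explained by the inside net's own NetBIOS lookups; the other two buckets are what remains worth inspecting in the capture.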



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:33 PDT