Here are some example tcpdumps of the netbios probes:

tcpdump -xX -v -i eth1 udp port 137

11:10:54.373723 200-158-48-226.dsl.telesp.net.br.1025 > ca-crlsca-cuda2-c6a.crlsca.adelphia.net.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x100
OpCode=0
NmFlags=0x1
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=* NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1
(ttl 102, id 22089, len 78)
0x0000 4500 004e 5649 0000 6611 c8a8 c89e 30e2 E..NVI..f.....0.
0x0010 4446 f7e6 0401 0089 003a 85f9 0100 0010 DF.......:......
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4100 0021 0001      AAAAAAAAA..!..

11:12:25.241600 209.136.250.227.1030 > ca-crlsca-cuda2-c6a.crlsca.adelphia.net.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x100
OpCode=0
NmFlags=0x1
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=* NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1
(ttl 46, id 7690, len 78)
0x0000 4500 004e 1e0a 0000 2e11 65fc d188 fae3 E..N......e.....
0x0010 4446 f7e6 0406 0089 003a b308 0100 0010 DF.......:......
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4100 0021 0001      AAAAAAAAA..!..

> 
> Packet contents seem to be "normal".

Yep. Look normal here too.

Scott

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
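Both captures above are wildcard node-status queries (QuestionType 0x21, NBSTAT) for the first-level-encoded name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", which decodes to "*". As an added example that is not part of the original post, the following Python parser takes the NBNS payload out of the first hex dump, decodes the name the way tcpdump does, and classifies the packet as a node-status probe; the payload offsets, field names and the probe heuristic are my own, not the list's or tcpdump's.

```python
import struct

# NBNS payload of the first capture above: the 78-byte IP packet from the hex
# dump minus its 20-byte IP header and 8-byte UDP header (offset 0x1c onward).
NBNS_QUERY_HEX = (
    "0100 0010 0001 0000 0000 0000 2043 4b41 4141 4141"
    " 4141 4141 4141 4141 4141 4141 4141 4141"
    " 4141 4141 4141 4141 4100 0021 0001"
)


def decode_nb_name(encoded):
    """Undo first-level encoding: each byte of the 16-byte NetBIOS name is sent
    as two letters 'A'..'P' (one per nibble), so 32 letters carry 16 bytes."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    # Bytes 0..14 hold the name (space padded; NUL padded for '*'),
    # byte 15 is the suffix that identifies the service (0x00 = Workstation).
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def parse_nbns_query(payload):
    """Parse the NBNS header and the single question of a name/status query."""
    trn_id, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount != 1 or payload[12] != 32:
        raise ValueError("expected one question with a 32-byte encoded label")
    name, suffix = decode_nb_name(payload[13:45])
    if payload[45] != 0:  # empty scope ID: the name ends with the root label
        raise ValueError("missing root label after the NetBIOS name")
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0xF,    # 0 = QUERY
        "nm_flags": (flags >> 4) & 0x7F,  # low bit (0x1) = broadcast
        "rcode": flags & 0xF,
        "name": name, "suffix": suffix,
        "qtype": qtype, "qclass": qclass,  # qtype 0x21 = NBSTAT (node status)
    }


def is_node_status_probe(query):
    """A wildcard NBSTAT question asks the host for its entire name table; from
    an outside address on UDP/137 it is reconnaissance noise to log or drop."""
    return query["qtype"] == 0x21 and query["name"] == "*"


PROBE = parse_nbns_query(bytes.fromhex(NBNS_QUERY_HEX))
```

The same parser run over the second dump yields identical fields, which is what "Look normal here too" amounts to: two unrelated sources sending byte-identical wildcard NBSTAT queries.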
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 14:19:10 PDT