Thread: Firewall log

  1. #1

    Firewall log

    Does this seem like normal activity?
    It's a wireless network and it's been extremely slow. It seems to me it's either a bad device on the network or a DoS; please let me know what you think.

    Thanks


    Here is a part of the log

    #Verson: 1.0
    #Software: Microsoft Internet Connection Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

    2004-09-23 08:22:26 DROP UDP 10.101.2.154 10.101.255.255 138 138 233 - - - - - - -
    2004-09-23 08:22:37 DROP UDP 10.101.2.176 10.101.255.255 138 138 234 - - - - - - -
    2004-09-23 08:22:45 DROP UDP 10.101.2.129 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:22:49 DROP UDP 10.101.2.62 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:22:50 DROP UDP 10.101.2.129 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:22:51 DROP UDP 10.101.2.129 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:22:51 DROP UDP 10.101.2.129 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:22:53 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:22:54 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:22:56 DROP UDP 10.101.2.215 10.101.255.255 138 138 244 - - - - - - -
    2004-09-23 08:22:57 DROP UDP 10.101.2.62 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:22:58 DROP UDP 10.101.2.129 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:22:59 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:00 DROP UDP 10.101.2.129 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:02 DROP UDP 10.101.2.62 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:23:02 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:03 DROP UDP 10.101.2.129 10.101.255.255 138 138 211 - - - - - - -
    2004-09-23 08:23:04 DROP UDP 10.101.2.186 10.101.255.255 138 138 223 - - - - - - -
    2004-09-23 08:23:04 CLOSE UDP 10.101.2.241 10.10.11.125 3009 53 - - - - - - - -
    2004-09-23 08:23:04 CLOSE UDP 10.101.2.241 10.10.11.126 3009 53 - - - - - - - -
    2004-09-23 08:23:04 CLOSE UDP 10.101.2.241 10.10.11.126 3282 53 - - - - - - - -
    2004-09-23 08:23:04 CLOSE TCP 10.101.2.241 10.10.11.184 3284 80 - - - - - - - -
    2004-09-23 08:23:04 CLOSE TCP 10.101.2.241 10.10.11.184 3283 80 - - - - - - - -
    2004-09-23 08:23:05 DROP UDP 10.101.2.246 10.101.255.255 138 138 219 - - - - - - -
    2004-09-23 08:23:06 DROP UDP 10.101.2.62 10.101.255.255 138 138 225 - - - - - - -
    2004-09-23 08:23:07 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:08 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:08 DROP UDP 10.101.2.62 10.101.255.255 138 138 225 - - - - - - -
    2004-09-23 08:23:10 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:11 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:12 DROP UDP 10.101.2.120 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:12 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:13 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:14 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:14 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:15 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:16 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:21 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:22 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:23 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:23 DROP UDP 10.101.2.62 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:23:24 DROP UDP 10.101.2.62 10.101.255.255 138 138 243 - - - - - - -
    2004-09-23 08:23:24 DROP UDP 10.101.2.142 255.255.255.255 1029 192 144 - - - - - - -
    2004-09-23 08:23:27 DROP UDP 10.101.2.62 10.101.255.255 138 138 245 - - - - - - -
    2004-09-23 08:23:29 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:30 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:31 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:32 DROP UDP 10.101.2.62 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:36 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:36 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:37 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:39 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:39 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:42 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:42 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:43 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:44 DROP UDP 10.101.2.145 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:51 DROP UDP 10.101.2.124 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:51 DROP UDP 10.101.2.124 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:23:52 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - -
    2004-09-23 08:23:53 DROP UDP 0.0.0.0 255.255.255.255 68 67 336 - - - - - - -
    2004-09-23 08:24:01 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:02 DROP UDP 10.101.2.36 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:02 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:03 DROP UDP 10.101.2.36 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:03 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:04 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:05 DROP UDP 10.101.2.133 10.101.255.255 138 138 229 - - - - - - -
    2004-09-23 08:24:06 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:06 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:07 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:07 DROP UDP 10.101.2.120 10.101.255.255 138 138 229 - - - - - - -
    2004-09-23 08:24:08 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:09 DROP UDP 10.101.2.106 10.101.255.255 138 138 257 - - - - - - -
    2004-09-23 08:24:10 DROP UDP 10.101.2.98 10.101.255.255 138 138 240 - - - - - - -
    2004-09-23 08:24:11 DROP UDP 10.101.2.36 10.101.255.255 138 138 205 - - - - - - -
    2004-09-23 08:24:11 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - -
    2004-09-23 08:24:12 DROP UDP 0.0.0.0 255.255.255.255 68 67 334 - - - - - - -
    2004-09-23 08:24:13 DROP UDP 10.101.2.68 10.101.255.255 138 138 229 - - - - - - -
    2004-09-23 08:24:14 DROP UDP 10.101.2.36 10.101.255.255 138 138 205 - - - - - - -
    2004-09-23 08:24:14 DROP UDP 10.101.2.186 10.101.255.255 138 138 247 - - - - - - -
    2004-09-23 08:24:15 DROP UDP 10.101.2.36 10.101.255.255 138 138 217 - - - - - - -
    2004-09-23 08:24:16 DROP UDP 10.101.2.102 10.101.255.255 138 138 216 - - - - - - -
    2004-09-23 08:24:17 DROP UDP 10.101.2.234 10.101.255.255 138 138 204 - - - - - - -
    2004-09-23 08:24:18 DROP UDP 10.101.2.36 10.101.255.255 138 138 217 - - - - - - -
    2004-09-23 08:24:19 DROP UDP 10.101.2.234 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:20 DROP UDP 10.101.2.234 10.101.255.255 138 138 204 - - - - - - -
    2004-09-23 08:24:21 DROP UDP 10.101.2.178 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:24:22 DROP UDP 10.101.2.62 10.101.255.255 138 138 225 - - - - - - -
    2004-09-23 08:24:24 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:25 DROP UDP 10.101.2.178 10.101.255.255 138 138 202 - - - - - - -
    2004-09-23 08:24:25 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:26 DROP UDP 10.101.2.178 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:26 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:28 DROP UDP 10.101.2.156 10.101.255.255 138 138 229 - - - - - - -
    2004-09-23 08:24:29 DROP UDP 10.101.2.178 10.101.255.255 138 138 211 - - - - - - -
    2004-09-23 08:24:31 DROP UDP 10.101.2.178 10.101.255.255 138 138 219 - - - - - - -
    2004-09-23 08:24:31 DROP UDP 10.101.2.102 10.101.255.255 138 138 245 - - - - - - -
    2004-09-23 08:24:31 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:32 DROP UDP 10.101.2.174 10.101.255.255 138 138 226 - - - - - - -
    2004-09-23 08:24:32 DROP UDP 10.101.2.36 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:33 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - -
    2004-09-23 08:24:34 DROP UDP 10.101.2.108 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:34 DROP UDP 10.101.2.36 10.101.255.255 138 138 205 - - - - - - -
    2004-09-23 08:24:35 DROP UDP 10.101.2.108 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:36 DROP UDP 10.101.2.68 10.101.255.255 138 138 229 - - - - - - -
    2004-09-23 08:24:37 DROP UDP 10.101.2.234 10.101.255.255 138 138 216 - - - - - - -
    2004-09-23 08:24:38 DROP UDP 10.101.2.134 10.101.255.255 138 138 214 - - - - - - -
    2004-09-23 08:24:38 DROP UDP 10.101.2.136 10.101.255.255 138 138 219 - - - - - - -
    2004-09-23 08:24:39 DROP UDP 10.101.2.68 10.101.255.255 138 138 217 - - - - - - -
    2004-09-23 08:24:39 DROP UDP 10.101.2.134 10.101.255.255 138 138 214 - - - - - - -
    2004-09-23 08:24:40 DROP UDP 10.101.2.174 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:40 DROP UDP 10.101.2.134 10.101.255.255 138 138 251 - - - - - - -
    2004-09-23 08:24:41 DROP UDP 10.101.2.62 10.101.255.255 138 138 225 - - - - - - -
    2004-09-23 08:24:42 DROP UDP 10.101.2.174 10.101.255.255 137 137 96 - - - - - - -
    2004-09-23 08:24:44 DROP UDP 0.0.0.0 255.255.255.255 68 67 349 - - - - - - -
    2004-09-23 08:24:45 DROP UDP 10.101.2.229 10.101.255.255 138 138 229 - - - - - - -
    2004-09-23 08:24:46 DROP UDP 10.101.2.220 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:47 DROP UDP 10.101.2.220 10.101.255.255 137 137 78 - - - - - - -
    2004-09-23 08:24:47 DROP UDP 10.101.2.136 10.101.255.255 138 138 243 - - - - - - -

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Seems to me like:-

    1. All the devices on the network are going crazy and broadcasting away, or

    2. Someone is playing silly buggers and spoofing the IP's.

    Put Ethereal out there and see if the MAC addresses are all the same. If they are then someone is DoSing the network. If they aren't then the network is going nutz....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    You haven't provided any network "context"... Is this a home network or corporate? How many computers -are supposed to be- on it? All running windows (version?) right? Without such info it's hard to say if this is legitimate traffic or not...

    Nevertheless, let's assume...:

    This seems like traffic from Windows computers using WINS name resolution without a WINS server, thus leading to much broadcast traffic on port 137.

    As for traffic on port 138, which is the NetBIOS datagram service, it's a result of various host/workgroup/local master announcements made by each Windows host.

    So to answer your questions:
    "Does this seem like normal activity?": Yes.
    "Does this affect network performance?": It could.

    This network would benefit from either:
    - having a WINS server
    - switching to SMB over TCP (port 445) with DNS resolution instead of NetBIOS+WINS
    - using smaller broadcast domains (i.e. more IP subnets + routing)

    My 0.02$ (CDN... which is at its highest value in years right now!)


    Ammo
    Credit travels up, blame travels down -- The Boss
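To check the reading above against the log itself, here is an added example (not from the thread or from any poster) that parses the ICF log format from post #1 using its own `#Fields:` header and counts the traffic classes discussed here: NetBIOS name-service broadcasts (UDP 137), NetBIOS datagram broadcasts (UDP 138), DHCP discover/request (0.0.0.0 to 255.255.255.255, 68 to 67) and everything else, plus which hosts generate the most NetBIOS broadcast. The sample lines are copied from the posted log; the "ends in .255" broadcast test is an assumption that fits the /16 seen in the log.

```python
"""Summarise a Microsoft ICF log the way the thread reads it: NetBIOS name
service (UDP 137) and datagram (UDP 138) broadcasts, DHCP discover/request
(0.0.0.0 -> 255.255.255.255, 68 -> 67), and everything else."""
from collections import Counter

# Column order taken from the '#Fields:' header of the posted log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()

def parse_icf_log(text):
    """Yield one dict per record; header, blank and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue  # do not guess at the columns of a truncated line
        yield dict(zip(FIELDS, parts))

def classify(rec):
    """Map a record to the traffic class discussed in the thread."""
    dst, dport = rec["dst-ip"], rec["dst-port"]
    broadcast = dst.endswith(".255") or dst == "255.255.255.255"  # assumes a /16 (as in the log)
    if rec["protocol"] == "UDP" and broadcast and dport in ("137", "138"):
        return "netbios-ns broadcast" if dport == "137" else "netbios-dgm broadcast"
    if rec["src-ip"] == "0.0.0.0" and (rec["src-port"], dport) == ("68", "67"):
        return "dhcp discover/request"
    return "other"

def summarise(text):
    """Return (count per class, NetBIOS broadcast count per source host)."""
    by_class, by_src = Counter(), Counter()
    for rec in parse_icf_log(text):
        kind = classify(rec)
        by_class[kind] += 1
        if kind.startswith("netbios"):
            by_src[rec["src-ip"]] += 1
    return by_class, by_src

# Constructed sample: a few lines copied from the log in post #1.
SAMPLE = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-09-23 08:22:26 DROP UDP 10.101.2.154 10.101.255.255 138 138 233 - - - - - - -
2004-09-23 08:22:50 DROP UDP 10.101.2.129 10.101.255.255 137 137 78 - - - - - - -
2004-09-23 08:22:51 DROP UDP 10.101.2.129 10.101.255.255 137 137 78 - - - - - - -
2004-09-23 08:23:04 CLOSE TCP 10.101.2.241 10.10.11.184 3284 80 - - - - - - - -
2004-09-23 08:23:52 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - -
"""

if __name__ == "__main__":
    classes, sources = summarise(SAMPLE)
    for kind, n in classes.most_common():
        print(f"{n:4d}  {kind}")
```

Run it over the full log instead of `SAMPLE` and the per-source counter shows whether the noise is spread across every host (normal NetBIOS chatter) or concentrated on one or two addresses (a misbehaving device).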

  4. #4
    Thanks a lot for the response Tiger and Ammo,
    This is a school's network and I think the largest number of clients on the wireless network at one time is no more than 80, mostly Windows systems. When I run ipconfig /all the IP of the WINS server is the same as one of the DNS servers. This means they are using DNS instead of WINS, right?

    So I'm guessing there are too many users on the network and the school needs to add more broadcast domains, right?

    Thanks

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by coderecycle

    This is a school's network and I think the largest number of clients on the wireless network at one time is no more than 80, mostly Windows systems.
    Hmm... Is this on a single access point and/or channel? 802.11b or g?


    When I run ipconfig /all the IP of the WINS server is the same as one of the DNS servers. This means they are using DNS instead of WINS, right?
    Well, not really, as WINS and DNS can still be used in parallel. What's interesting though is that you still see this much WINS broadcast even though there's a WINS server present. Can you tell me what WINS node type is set on the computers (also shown in ipconfig /all)? I would bet that they are set as b-nodes or m-nodes, which are broadcast only and broadcast first then query the WINS server. If so, they should be changed to h-nodes (query first then broadcast) by DHCP options.


    So I'm guessing there are too many users on the network and the school needs to add more broadcast domains, right?
    Well, 80 machines isn't necessarily too much for a single subnet, but personally I usually like to keep my Windows host subnets under 50. For example, I'd usually have a subnet (and VLAN) for each computer lab, department... Not only does it help reduce broadcast traffic but it also prevents sniffing/connection hijacking through ARP spoofing/poisoning.

    Thanks
    You're quite welcome


    Ammo
    Credit travels up, blame travels down -- The Boss
