Port 138 NetBios DGM UDP
Results 1 to 9 of 9

Thread: Port 138 NetBios DGM UDP

  1. #1
    Member
    Join Date
    Aug 2005
    Posts
    62

    Post Port 138 NetBios DGM UDP

    Hi All,
    Let me start out by saying up front that I am a newbie. I have read many of y'all's posts and many of them have already helped me a lot. I work for a small business as a network administrator, and am still at the low end of the learning curve.
    We have a hardware SonicWall (which I am still trying to learn all the features), and I have been reviewing the firewall and IDS logs. About half of the traffic is from one of two IPs talking to port 138 (NetBios DGM). We are running DHCP on a Windows Server 2000 with XP computers on the network. We aren't running any applications on the network that would create such traffic (I don't know what more you might need to know to help me out).
    Here's my questions: Is this traffic normal? What is it doing? Should I be concerned?

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    You need to give details about NetBios DGM packets you are observing.

    If you want a comprehnsive insight into Netbios etc . Check out the follwong book (Its gr8 !!!)

    http://ubiqx.org/cifs/

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    There isnt an application as such that creates netbios traffic, as in it is nothing that you install, if you have netbios enabled on a windows pc then they will create netbios traffic - it is used for file sharing and things like that.

    Check if the IP Address that created the traffic are ones that are on your network and also that the destination IP is one on your network too.

    You can turn it off if you need to but first check that your network does not need it enabled!

    The easiest way to disble it is to click on you connection monitors in your system tray then go > Properties > TCP/IP > Properties > Advanced >WINS at the bottom you will see the options for netbios.

    Obviously if no data getts TX'd on your network enable it before anyone notices!!!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  4. #4
    Member
    Join Date
    Aug 2005
    Posts
    62
    Thanks Warl0ck7, that was a very informative site. Nokia, we do a lot of file sharing over the network. From what I can tell, the IPs aren't PCs on the network. They are local (192.168.1...) addresses, but not anyone's PC. Is there anything else it could be? I don't know if this helps but they are fron 192.168.1.200, 201, and 255. But all traffic on the three IPs is on port 138.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    255 is the broadcast address. do you have any tcp printers or routers?

    her's a very small portion of one of my logs:

    2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
    2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:02:33 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
    2005-08-13 04:02:33 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:03:53 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
    2005-08-13 04:04:17 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
    2005-08-13 04:04:17 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:04:28 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
    2005-08-13 04:04:28 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:08:23 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
    2005-08-13 04:12:59 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
    2005-08-13 04:12:59 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:14:32 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
    2005-08-13 04:14:32 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:15:58 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
    2005-08-13 04:19:17 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
    2005-08-13 04:19:17 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:19:28 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
    2005-08-13 04:19:28 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
    2005-08-13 04:20:28 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
    2005-08-13 04:25:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
    2005-08-13 04:25:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM


    nbname and nbdatagram packets are sent out when a machine comes online to "announce its existance," figure out what the current "browse list" is (for things like Network Neighborhood), and who is the "master browser" (the "keeper" of the browse list). As such, large networks with lots of Windows-based machines (Workgroups, 95, NT) tend to generate lots of these packets,...

    http://www.txwes.edu/~jvortega/security/fw-1/0055.html
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Member
    Join Date
    Aug 2005
    Posts
    62
    Yes, I have some tcp routers. I'm not sure about the printers.
    So, I guess this is just normal broadcast traffic?

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i would say so BlackHatHunter !

    ps sorry i should have said routers and tcp printers (by that i mean printers attached directly to the network without being shared off another computer)

    if you use something like superscan and scan 192.168.1.1 -192.168.1.254 for port 23 (telnet) or maybe even port 80 (web server) you should be able to find any routers or printers that are in that range.


    BTW if you get a free copy of syslogd from kiwi software and telnet to any printers you may have you can set them to send syslog messages to syslogd and be able to tell if your printers are having trouble or running out of tonner before your called...might impress your boss.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Member
    Join Date
    Aug 2005
    Posts
    62
    Do you have any links to syslogd or superscan?
    All our printers are networked through PCs.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    here's one for syslod:

    http://www.kiwisyslog.com/software_downloads.htm

    but like you said you dont have any network printers but this will except syslog messages from many things that can sends them...fw's etc.

    SuperScan can be had here:

    http://www.foundstone.com/index.htm?.../superscan.htm

    of course nmap is a much better scanner but this does a real fine job and has a much lighter footprint
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •