Port 138 NetBios DGM UDP

**BlackHatHunter** · August 12th, 2005, 10:24 PM

Hi All,
Let me start out by saying up front that I am a newbie. I have read many of y'all's posts and many of them have already helped me a lot. I work for a small business as a network administrator, and am still at the low end of the learning curve.

We have a hardware SonicWall (which I am still trying to learn all the features), and I have been reviewing the firewall and IDS logs. About half of the traffic is from one of two IPs talking to port 138 (NetBios DGM). We are running DHCP on a Windows Server 2000 with XP computers on the network. We aren't running any applications on the network that would create such traffic (I don't know what more you might need to know to help me out).
Here's my questions: Is this traffic normal? What is it doing? Should I be concerned?

**warl0ck7** · August 13th, 2005, 10:58 AM

You need to give details about NetBios DGM packets you are observing.

If you want a comprehnsive insight into Netbios etc . Check out the follwong book (Its gr8 !!!)

http://ubiqx.org/cifs/

***Nokia*** · August 13th, 2005, 04:56 PM

There isnt an application as such that creates netbios traffic, as in it is nothing that you install, if you have netbios enabled on a windows pc then they will create netbios traffic - it is used for file sharing and things like that.

Check if the IP Address that created the traffic are ones that are on your network and also that the destination IP is one on your network too.

You can turn it off if you need to but first check that your network does not need it enabled!

The easiest way to disble it is to click on you connection monitors in your system tray then go > Properties > TCP/IP > Properties > Advanced >WINS at the bottom you will see the options for netbios.

Obviously if no data getts TX'd on your network enable it before anyone notices!!!

**BlackHatHunter** · August 15th, 2005, 03:31 PM

Thanks Warl0ck7, that was a very informative site. Nokia, we do a lot of file sharing over the network. From what I can tell, the IPs aren't PCs on the network. They are local (192.168.1...) addresses, but not anyone's PC. Is there anything else it could be? I don't know if this helps but they are fron 192.168.1.200, 201, and 255. But all traffic on the three IPs is on port 138.

***Tedob1*** · August 15th, 2005, 03:52 PM

255 is the broadcast address. do you have any tcp printers or routers?

her's a very small portion of one of my logs:

2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:02:33 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:02:33 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:03:53 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
2005-08-13 04:04:17 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:04:17 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:04:28 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:04:28 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:08:23 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
2005-08-13 04:12:59 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:12:59 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:14:32 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:14:32 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:15:58 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
2005-08-13 04:19:17 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:19:17 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:19:28 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:19:28 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:20:28 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
2005-08-13 04:25:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:25:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM

nbname and nbdatagram packets are sent out when a machine comes online to "announce its existance," figure out what the current "browse list" is (for things like Network Neighborhood), and who is the "master browser" (the "keeper" of the browse list). As such, large networks with lots of Windows-based machines (Workgroups, 95, NT) tend to generate lots of these packets,...

http://www.txwes.edu/~jvortega/security/fw-1/0055.html

**BlackHatHunter** · August 16th, 2005, 07:15 PM

Yes, I have some tcp routers. I'm not sure about the printers.
So, I guess this is just normal broadcast traffic?

***Tedob1*** · August 16th, 2005, 10:24 PM

i would say so BlackHatHunter !

ps sorry i should have said routers and tcp printers (by that i mean printers attached directly to the network without being shared off another computer)

if you use something like superscan and scan 192.168.1.1 -192.168.1.254 for port 23 (telnet) or maybe even port 80 (web server) you should be able to find any routers or printers that are in that range.

BTW if you get a free copy of syslogd from kiwi software and telnet to any printers you may have you can set them to send syslog messages to syslogd and be able to tell if your printers are having trouble or running out of tonner before your called...might impress your boss.

**BlackHatHunter** · August 16th, 2005, 11:27 PM

Do you have any links to syslogd or superscan?
All our printers are networked through PCs.

***Tedob1*** · August 17th, 2005, 03:34 AM

here's one for syslod:

http://www.kiwisyslog.com/software_downloads.htm

but like you said you dont have any network printers but this will except syslog messages from many things that can sends them...fw's etc.

SuperScan can be had here:

http://www.foundstone.com/index.htm?.../superscan.htm

of course nmap is a much better scanner but this does a real fine job and has a much lighter footprint

Thread: Port 138 NetBios DGM UDP

Thread Tools

Display

Port 138 NetBios DGM UDP

Posting Permissions