-
August 12th, 2005, 10:24 PM
#1
-
August 13th, 2005, 10:58 AM
#2
You need to give details about NetBios DGM packets you are observing.
If you want a comprehensive insight into Netbios etc., check out the following book (It's gr8 !!!)
http://ubiqx.org/cifs/
-
August 13th, 2005, 04:56 PM
#3
There isn't an application as such that creates netbios traffic, as in it is nothing that you install; if you have netbios enabled on a windows pc then they will create netbios traffic - it is used for file sharing and things like that.
Check if the IP Address that created the traffic are ones that are on your network and also that the destination IP is one on your network too.
You can turn it off if you need to but first check that your network does not need it enabled!
The easiest way to disable it is to click on your connection monitor in your system tray then go > Properties > TCP/IP > Properties > Advanced > WINS; at the bottom you will see the options for netbios.
Obviously if no data gets TX'd on your network enable it before anyone notices!!!
-
August 15th, 2005, 03:31 PM
#4
Member
Thanks Warl0ck7, that was a very informative site. Nokia, we do a lot of file sharing over the network. From what I can tell, the IPs aren't PCs on the network. They are local (192.168.1...) addresses, but not anyone's PC. Is there anything else it could be? I don't know if this helps but they are from 192.168.1.200, 201, and 255. But all traffic on the three IPs is on port 138.
-
August 15th, 2005, 03:52 PM
#5
255 is the broadcast address. Do you have any tcp printers or routers?
Here's a very small portion of one of my logs:
2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:02:33 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:02:33 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:03:53 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
2005-08-13 04:04:17 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:04:17 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:04:28 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:04:28 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:08:23 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
2005-08-13 04:12:59 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:12:59 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:14:32 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:14:32 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:15:58 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
2005-08-13 04:19:17 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->192.168.6.255:138, Owner: SYSTEM
2005-08-13 04:19:17 Local7.Debug anothercomputerRule 'any': Permitted: In UDP, WAY_LCOS.xxxx.com [192.168.6.12:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:19:28 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:19:28 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:20:28 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
2005-08-13 04:25:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:25:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
nbname and nbdatagram packets are sent out when a machine comes online to "announce its existence," figure out what the current "browse list" is (for things like Network Neighborhood), and who is the "master browser" (the "keeper" of the browse list). As such, large networks with lots of Windows-based machines (Workgroups, 95, NT) tend to generate lots of these packets,...
http://www.txwes.edu/~jvortega/security/fw-1/0055.html
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
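A small parser for the firewall-log layout quoted above that labels each port-138 peer as the subnet broadcast address, a unicast host inside a known subnet, or a unicast host outside every expected subnet (the case the thread is trying to identify). This is an added example, not code from the original thread; the sample lines are constructed in the same layout as the quoted log, and the list of expected local subnets is an assumption you pass in.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed sample in the layout of the firewall log quoted above (the
# quoted log sometimes runs the host name and "Rule" together; handled below).
SAMPLE_LOG = """\
2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->192.168.16.255:138, Owner: SYSTEM
2005-08-13 04:01:01 Local7.Debug somecomputer Rule 'all': Permitted: In UDP, somecomputer.xxxx.com [192.168.16.10:138]->localhost:138, Owner: SYSTEM
2005-08-13 04:03:53 Local7.Debug somecomputer Rule 'all': Permitted: Out UDP, localhost:138->10.0.0.3:138, Owner: SYSTEM
2005-08-13 04:08:23 Local7.Debug anothercomputerRule 'any': Permitted: Out UDP, localhost:138->dc1.xxxx.com [10.0.0.3:138], Owner: SYSTEM
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ (?P<host>\S+?)\s*Rule '[^']*': (?P<verdict>\w+): "
    r"(?P<dir>In|Out) (?P<proto>\w+), (?P<src>.+?)->(?P<dst>.+?), Owner: (?P<owner>\S+)$"
)
ENDPOINT_RE = re.compile(r"([\w.-]+):(\d+)\]?$")  # "ip:port" or "name [ip:port]"

def parse_line(line):
    """Split one log line into fields; returns None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for side in ("src", "dst"):
        ep = ENDPOINT_RE.search(rec.pop(side))
        rec[side + "_ip"], rec[side + "_port"] = ep.group(1), int(ep.group(2))
    return rec

def summarize_netbios_dgm(log_text, local_nets):
    """Count port-138 peers, labelled broadcast / unicast-local / unicast-outside."""
    nets = [ip_network(n) for n in local_nets]  # assumed list of expected subnets
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or 138 not in (rec["src_port"], rec["dst_port"]):
            continue
        # The peer is whichever side is not the logging host itself.
        peer = rec["dst_ip"] if rec["dir"] == "Out" else rec["src_ip"]
        if peer == "localhost":
            continue
        addr = ip_address(peer)
        if any(addr == n.broadcast_address for n in nets):
            kind = "broadcast"          # normal browser / name announcements
        elif any(addr in n for n in nets):
            kind = "unicast-local"      # a directed datagram from a known subnet
        else:
            kind = "unicast-outside"    # worth identifying: not in any expected subnet
        counts[(peer, kind)] += 1
    return counts
```

Run it over your own log with the subnets you actually use; any peer labelled unicast-outside is a host to go and identify, as the thread suggests for the unexplained 192.168.1.200 and .201 addresses.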
-
August 16th, 2005, 07:15 PM
#6
Member
Yes, I have some tcp routers. I'm not sure about the printers.
So, I guess this is just normal broadcast traffic?
-
August 16th, 2005, 10:24 PM
#7
i would say so BlackHatHunter !
PS sorry I should have said routers and tcp printers (by that I mean printers attached directly to the network without being shared off another computer)
if you use something like superscan and scan 192.168.1.1 -192.168.1.254 for port 23 (telnet) or maybe even port 80 (web server) you should be able to find any routers or printers that are in that range.
BTW if you get a free copy of syslogd from kiwi software and telnet to any printers you may have you can set them to send syslog messages to syslogd and be able to tell if your printers are having trouble or running out of toner before you're called...might impress your boss.
-
August 16th, 2005, 11:27 PM
#8
Member
Do you have any links to syslogd or superscan?
All our printers are networked through PCs.
-
August 17th, 2005, 03:34 AM
#9
here's one for syslogd:
http://www.kiwisyslog.com/software_downloads.htm
but like you said you don't have any network printers, but this will accept syslog messages from many things that can send them...fw's etc.
SuperScan can be had here:
http://www.foundstone.com/index.htm?.../superscan.htm
of course nmap is a much better scanner but this does a real fine job and has a much lighter footprint