-
September 21st, 2005, 05:12 PM
#1
Member
Curious Traffic?
I am trying to understand this traffic that I see reported on our FW log reports. A bunch of internal hosts on our network are trying to send packets out through the FW to 1.10.8.9. This is all port 139 NetBIOS traffic and it gets denied, but it just makes me wonder what is going on.
I tried doing some Google searches on it, but I couldn't come up with anything in particular. Do you guys have ideas what this could be?
-
September 21st, 2005, 07:13 PM
#2
I suggest going to one of the offending machines and running "netstat -ao" on it to see what process is attempting to connect to these addresses. You can cross-reference the PID from this in Task Manager by adding the PID to the column list. After you know what process it is, it might lead you somewhere.
-
September 22nd, 2005, 04:23 AM
#3
The IP 1.10.8.9 is weird; actually, this IP address space is reserved by the IANA:
http://www.iana.org/assignments/ipv4-address-space
Seems like some kind of program or worm is running on your machines. Try to get information regarding who is sending what. For process-specific traffic sniffing, try out Ultra Sniffer:
http://www.gjpsoft.com/ultranetsniffer/
Also, you can use TCPView from Sysinternals - http://www.sysinternals.com/Utilities/TcpView.html
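The PID cross-reference suggested in reply #2, as an added example that is not part of the original thread: it parses saved `netstat -ano` output (`-n` keeps the address numeric) and `tasklist /fo csv /nh` output and names the owner of each connection attempt to 1.10.8.9:139. The sample text, local addresses and the process name `updater.exe` are constructed for illustration.

```python
import csv, io

# Constructed sample of `netstat -ano` output (not taken from the thread's hosts).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.23:1045         1.10.8.9:139           SYN_SENT        4
  TCP    10.0.0.23:1046         10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.23:1051         1.10.8.9:139           SYN_SENT        1832
  TCP    10.0.0.23:3389         0.0.0.0:0              LISTENING       912
  UDP    10.0.0.23:137          *:*                                    4
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,120 K"
"updater.exe","1832","Console","0","9,876 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def connections_to(netstat_text, remote_ip, remote_port):
    """Yield (local, state, pid) for TCP rows whose foreign address matches."""
    target = f"{remote_ip}:{remote_port}"
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields; UDP rows lack a State column and are skipped.
        if len(f) == 5 and f[0] == "TCP" and f[2] == target and f[4].isdigit():
            yield f[1], f[3], int(f[4])

def attribute(netstat_text, tasklist_csv, remote_ip, remote_port=139):
    """Return (pid, name, local, state, note) for each matching connection."""
    names = pid_names(tasklist_csv)
    report = []
    for local, state, pid in connections_to(netstat_text, remote_ip, remote_port):
        name = names.get(pid, "<exited or unknown>")
        # The Windows SMB/NetBIOS client is a kernel component, so its sockets
        # show up under "System" and the PID alone does not name the trigger.
        note = ("kernel SMB client: look for a UNC path, mapped drive or "
                "printer that references the address" if name == "System"
                else "user-mode process: inspect this binary")
        report.append((pid, name, local, state, note))
    return report

if __name__ == "__main__":
    for row in attribute(NETSTAT, TASKLIST, "1.10.8.9"):
        print(*row, sep=" | ")
```

Denied attempts only stay in `SYN_SENT` for a few seconds, so capture the `netstat` output repeatedly or while the firewall is logging the hits.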