Continuous Traffic

Discussion in 'LnS English Forum' started by idbit, Feb 25, 2010.

Thread Status:
Not open for further replies.
  1. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Hi, I'm new to LNS. I'm looking at my log. There's some continuous outgoing traffic that I'm wondering about. It occurs about once per second. Here are the two line entries I'm seeing over and over again:

    02-25-10,08:14:36 U-1 'Block : All other packet' 192.168.2.255 UDP Ports Dest:netbios-ns=137 Src:netbios-ns=137

    02-25-10,08:14:36 U-0 'Block : All other packet' 192.168.2.255 UDP Ports Dest:netbios-dgm=138 Src:netbios-dgm=138

    I'm using a Belkin router. Also using Phantom's ruleset. Should I be concerned about this traffic? Is there a way that I can stop this traffic?

    Thanks!
    IB
     
  2. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Hello idbit,

    1.) You are behind a router, correct?
    2.) These logged packets are inbound traffic, correct?

    If you answer 2 times "yes", then everything is fine.
    The traffic is coming most likely from another computer within your local network. And since it is inbound, you have nothing to worry about.

    In general, all inbound blocked packets are nothing to worry about. It just tells you that your LNS is doing its job perfectly!

    Thomas :)
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    To avoid these alerts, you can create some specific rules to block the packets silently. You can do that with a right click on the alert in the log, and then select the Stop Sign for the automatically added rule (by default when you create a rule that way, the packets are allowed).

    Regards,

    Frederic.
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    These are NetBIOS broadcasts. If you're interested, you can read up here. A concise and not overlong read.

    It's local traffic over non-routable addresses. So it's a non-concern if you are on a trusted or no-LAN.

    1.) Belkin router's mentioned in the OP.
    2.) No. These are outbound packets, as the OP correctly assumed.

    If idbit's using Phantom's ruleset, there are already rules for NetBIOS broadcasts in it; they are just inactive -

    [Screenshot: lnsi270210.png]

    idbit, you just need to set them correctly, so they will be silently blocked, as Frederic suggested. Like this -

    [Screenshot: lnsa270210.png]

    If you need to stop the traffic (as opposed to silently block it), then you should disable NetBIOS. Look, for example, here (it's the same principle for W7, if you're on it). Of course, you should do this only if you have no LAN.
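As an added example (not from the thread or the LnS project), here is a small Python script that parses log lines in the format idbit quoted and separates NetBIOS broadcasts to the LAN broadcast address from everything else, so the noise can be counted and filtered instead of read line by line. The log format is inferred from the two lines in the first post, the LAN subnet 192.168.2.0/24 is assumed from the 192.168.2.255 address, and the third sample line is constructed to show a non-broadcast entry for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the format of the two entries quoted in the
# thread; the third line is made up to show an entry that is not LAN noise.
SAMPLE_LOG = """\
02-25-10,08:14:36 U-1 'Block : All other packet' 192.168.2.255 UDP Ports Dest:netbios-ns=137 Src:netbios-ns=137
02-25-10,08:14:36 U-0 'Block : All other packet' 192.168.2.255 UDP Ports Dest:netbios-dgm=138 Src:netbios-dgm=138
02-25-10,08:15:02 U-1 'Block : All other packet' 203.0.113.7 TCP Ports Dest:microsoft-ds=445 Src:49152
"""

# Assumed LAN subnet, taken from the 192.168.2.255 broadcast address in the log.
LAN = ipaddress.ip_network("192.168.2.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# NetBIOS over TCP/IP: name service, datagram service, session service.
NETBIOS_PORTS = {137, 138, 139}

# One log line: date,time rule-id 'rule name' address PROTO Ports Dest:[name=]port Src:[name=]port
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2}),(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<rule_id>\S+)\s+'(?P<rule>[^']*)'\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>[A-Z]+)\s+Ports\s+"
    r"Dest:(?:[^=\s]+=)?(?P<dst_port>\d+)\s+Src:(?:[^=\s]+=)?(?P<src_port>\d+)\s*$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["addr"] = ipaddress.ip_address(entry["addr"])
    entry["dst_port"] = int(entry["dst_port"])
    entry["src_port"] = int(entry["src_port"])
    return entry


def classify(entry, lan=LAN):
    """Label an entry: NetBIOS broadcast to the LAN, other LAN traffic, or off-LAN."""
    addr = entry["addr"]
    to_broadcast = addr == lan.broadcast_address or addr == LIMITED_BROADCAST
    if entry["proto"] == "UDP" and to_broadcast and entry["dst_port"] in NETBIOS_PORTS:
        return "netbios-broadcast"
    if addr in lan:
        return "lan-other"
    return "off-lan"


def summarize(log_text, lan=LAN):
    """Count how many log lines fall into each category."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        counts[classify(entry, lan) if entry else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).items():
        print("%-18s %d" % (category, n))
```

Run against a real LnS log export, the "netbios-broadcast" count is the chatter the silent-block rule will hide; anything under "off-lan" is what deserves a second look.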
     
  5. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Thanks for all the great advice! I do appreciate it. According to the Wiki information that Seer linked, port 137 is used by the Name Service - and port 138 is used by the Datagram Distribution Service. Also: "In order to start sessions or distribute datagrams, an application must register its NetBIOS name using the name service."

    So if I'm reading that right, it sounds like a program or service is first using the Name Service to register its NetBIOS name - Src:netbios-ns=137. And then that same program or service is using the Datagram Distribution Service to transmit a datagram - Src:netbios-dgm=138.

    Or is the NetBIOS service itself sending datagrams? Either way, before I block the datagrams, wouldn't I want to know the contents of them? Is there a way to "open" them? And if a program is sending datagrams, wouldn't I want to know what program is sending them?

    Or are these just empty "broadcasts"? Guess I'm not clear on exactly what a broadcast is. 1) Does it contain data? And 2) why is it sent?

    As you can tell, I'm a network novice. These concepts are new to me. Just trying to grasp the basics right now. I love the software though. It's so simple and easy on my aging Pentium 4 system - yet still powerful and configurable. I think I have five days left on my trial. Time to pull the trigger already eh?

    Thanks again.
    IB
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    In a nutshell yes, you are correct.

    The process sending them is svchost and the contents of the UDP packet are only the WINS name of your PC. A packet sniffer can tell you that info.

    1) Yes, a UDP packet has a payload (data).
    2) Network broadcasting works on the same principle as TV broadcasting - the purpose is to be able to send the same data from one node to all other nodes on a network. In this case, it is sent only to announce the name of your PC to all the nodes on a LAN, as in for example "hello, I'm here, my name is Jim". The UDP protocol is used for this as it is much faster than TCP - it does not need an active connection to be established between the nodes for the payload to be delivered.

    You're welcome.
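To show what Seer says the payload contains, here is an added Python example (not from the thread) that builds and decodes a NetBIOS Name Service registration request in the shape RFC 1002 describes: the name is padded to 15 characters, a suffix byte is appended, and each byte is split into two nibbles written as the letters A to P. The sample packet, the name JIM and the address 192.168.2.10 are constructed for the demonstration; the same decoder would work on the port 137 payload a packet sniffer shows you.

```python
import struct

# NBNS opcodes (RFC 1002 section 4.2.1.1).
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}
# Common 16th-byte suffixes that tell the name's role.
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1D: "master browser", 0x20: "file server"}


def encode_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: pad to 15 bytes, append the suffix byte,
    then write each byte as two letters (high nibble + 'A', low nibble + 'A')."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(out) + b"\x00"  # length 32, letters, empty scope


def decode_name(data, offset):
    """Decode an encoded name at offset; returns (name, suffix, offset after the name)."""
    if data[offset] & 0xC0 == 0xC0:  # compression pointer to an earlier name
        ptr = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
        name, suffix, _ = decode_name(data, ptr)
        return name, suffix, offset + 2
    length = data[offset]
    if length != 32:
        raise ValueError("unexpected NetBIOS label length %d" % length)
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    end = offset + 33
    while data[end] != 0:  # skip any scope labels up to the terminating zero
        end += 1 + data[end]
    return raw[:15].decode("ascii").rstrip(" "), raw[15], end + 1


def parse_nbns(data):
    """Pull the interesting fields out of an NBNS packet: opcode, name, role, owner IP."""
    txid, flags, qdcount, _ancount, _nscount, arcount = struct.unpack_from("!6H", data, 0)
    info = {
        "txid": txid,
        "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
        "broadcast": bool((flags >> 4) & 1),  # B flag: sent to the broadcast address
    }
    off = 12
    if qdcount:
        name, suffix, off = decode_name(data, off)
        qtype, _qclass = struct.unpack_from("!HH", data, off)
        off += 4
        info.update(name=name, suffix=SUFFIXES.get(suffix, hex(suffix)), qtype=qtype)
    if arcount:  # registration requests carry the owner's address in an additional record
        _, _, off = decode_name(data, off)
        _rtype, _rclass, ttl, _rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        nb_flags, a, b, c, d = struct.unpack_from("!H4B", data, off)
        info.update(ip="%d.%d.%d.%d" % (a, b, c, d), ttl=ttl, group=bool(nb_flags & 0x8000))
    return info


# Constructed sample: a broadcast NAME REGISTRATION REQUEST for workstation name JIM
# from 192.168.2.10 (flags 0x2910 = opcode 5, recursion desired, broadcast).
SAMPLE_REGISTRATION = (
    struct.pack("!6H", 0x8123, 0x2910, 1, 0, 0, 1)            # header, QDCOUNT=1, ARCOUNT=1
    + encode_name("JIM") + struct.pack("!HH", 0x0020, 1)      # question: type NB, class IN
    + b"\xC0\x0C" + struct.pack("!HHIH", 0x0020, 1, 300000, 6)  # additional: pointer to name, TTL, RDLENGTH
    + struct.pack("!H4B", 0x0000, 192, 168, 2, 10)            # NB_FLAGS (unique, B-node) + owner IP
)

if __name__ == "__main__":
    print(parse_nbns(SAMPLE_REGISTRATION))
```

The decoded result is what a sniffer would also tell you: a registration for the unique workstation name JIM claimed by 192.168.2.10, which is why the log line repeats once a second with nothing in it but the machine's own name.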
     
  7. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Thanks, now it all makes sense. :cool: You mentioned UDP and TCP. I was just reading about that this morning. For any other novices reading this, this article here does a great job of explaining datagrams, UDP, TCP, ports, name servers, etc. in layman's terms: Layman’s understanding of Networking & UDP/TCP/IP. I like the post office/envelope analogy.

    After further reading, it sounded like NetBIOS over TCP wasn't something I needed. So I went ahead and disabled it per the linked instructions here. So far, I haven't run into any problems. It's a standard home network with router and cable modem. Now my LNS log is empty, which is a good thing I think.

    For the record, in my version of Phantom's ruleset, the NetBIOS rule was already enabled by default with the stop sign. But this NetBIOS traffic was blocked by the "Block : All other packets" rule instead. Here's a screenshot of the NetBIOS rule:

    [Screenshot: lns-01.jpg]
     