Increase in UDP port 137 traffic ??

Discussion in 'other firewalls' started by wieckj, Apr 18, 2005.

Thread Status:
Not open for further replies.
  1. wieckj

    wieckj Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    2
    My CheckPoint firewall is detecting an inordinate amount of NetBIOS traffic via UDP port 137 from a server internal to my LAN, attempting to communicate with external IP addresses. Traffic patterns are consecutive nbname service transmits for an entire IP range; once the final octet is incremented to 255, a new initial starting IP is queried.

    I'm running TDImon from www.sysinternals.com to trace the transmits and all I can tell is that it intermittently switches from one process memory space to the next. Unfortunately I cannot pinpoint the file/registry entry tied to this activity.

    Virus Software is up to date and doesn't detect any threats.

    Thoughts anyone? o_O

    Thanks in advance.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    I'll move this to Other Firewalls so one of the experts can take a look.
     
  3. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Any more info my friend? OS? Installed programs? Any resources on the network [some printer software does some really stupid things]?
    Any misc. info you provide will be extra helpful to the experts...
    err.. I'm no expert. Sorry.
     
  4. wieckj

    wieckj Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    2
    The respective system is running Windows 2003 server, does not have SP1 applied. Hardware is a Compaq Proliant DL380 G2. The sole purpose of this server is for CheckPoint Firewall (www.checkpoint.com) logging. Software installed is as follows: CheckPoint Firewall, Veritas Netbackup 5.1, McAfee VirusScan Enterprise 8.0i, default tools installed by Compaq.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Sounds like this may be coming from a machine that is connected behind the server 2003 box rather than the server 2003 box. Perhaps a machine on your network is infected or has some other kind of problem.
     
  6. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    It may be a router broadcast...
    but once again... I'm really not good with hardware.
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi wieckj

    Have you run a packet sniffer yet to determine the nature of the traffic?
    Do you have a little more detail on the setup? ICS? Which system is the firewall on?

    Regards,

    CrazyM
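
The pattern described in the first post (one internal host sending NetBIOS name service packets to UDP port 137 across consecutive external addresses) can be confirmed from exported firewall records or a sniffer summary. The following is an added example, not part of the original thread; the record layout, the `10.0.0.0/8` LAN range and all addresses are constructed assumptions, not Check Point's log format.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed LAN range

# Constructed sample records in a hypothetical "time src dst proto dport" layout
# (not Check Point's export format); destinations are documentation addresses.
SAMPLE_LOG = "\n".join(
    [f"10:00:{i:02d} 10.1.1.10 198.51.100.{250 + i} udp 137" for i in range(6)]
    + [f"10:00:{10 + i} 10.1.1.10 203.0.113.{i} udp 137" for i in range(1, 5)]
    + ["10:01:00 10.1.1.20 198.51.100.7 udp 137",   # single repeated lookup
       "10:01:01 10.1.1.20 198.51.100.7 udp 137",
       "10:01:02 10.1.1.10 198.51.100.9 tcp 443"]   # unrelated traffic
)

def parse(line):
    """Return (src, dst) for internal-to-external UDP/137 records, else None."""
    f = line.split()
    if len(f) != 5 or f[3].lower() != "udp" or f[4] != "137":
        return None
    try:
        src, dst = ipaddress.IPv4Address(f[1]), ipaddress.IPv4Address(f[2])
    except ValueError:
        return None
    return (src, dst) if src in INTERNAL and dst not in INTERNAL else None

def find_sweeps(log_text, min_run=4):
    """Map each source to runs of >= min_run consecutive destination addresses."""
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            dsts[rec[0]].add(int(rec[1]))
    sweeps = {}
    for src, addrs in dsts.items():
        ordered = sorted(addrs)
        runs, start, prev = [], ordered[0], ordered[0]
        for n in ordered[1:] + [None]:      # None flushes the final run
            if n is not None and n == prev + 1:
                prev = n
                continue
            if prev - start + 1 >= min_run:
                runs.append((str(ipaddress.IPv4Address(start)),
                             str(ipaddress.IPv4Address(prev))))
            start = prev = n
        if runs:
            sweeps[str(src)] = runs
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

A source that appears in the result with long runs is the host to put the packet sniffer on; a host that only repeats a lookup to one address, like `10.1.1.20` in the sample, is not reported.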
     