RE: Win2K Srv sending NBSTAT name query broadcasts to Internet IPs
From: CJ (anonymous_at_discussions.microsoft.com)
Date: 03/16/04
Date: Tue, 16 Mar 2004 15:06:07 -0800
Kristin,
Thanks for responding. In answer to your questions: no, the server is not set up as a WINS server, and no, I have no replication partners of any kind set up. I have no idea where the IP addresses come from that the NBSTAT packets are being sent to. I've checked some of them and many are not registered in any DNS. I also don't understand why my server is attempting to send these broadcasts to IP addresses out past our router / firewall and out to the Internet.
Do you have any more ideas on how I can track this down?
Here is a sampling of some of the broadcasts that are being sent. These are SNMP traps obtained from the router. You can see they go from the server @ 137 to an IP address @ 137. I also included a sniffer trace of a single packet so you can see what is being sent.
03-16-2004 14:54:37 System0.Info router @out server 137 63.141.2.174 137
03-16-2004 14:39:12 System0.Info router @out server 137 198.30.198.132 137
03-16-2004 14:28:05 System0.Info router @out server 137 66.191.240.147 137
03-16-2004 14:27:05 System0.Info router @out server 137 66.62.251.253 137
03-16-2004 14:26:59 System0.Info router @out server 137 217.164.253.148 137
03-16-2004 14:17:35 System0.Info router @out server 137 194.171.12.79 137
03-16-2004 14:14:20 System0.Info router @out server 137 66.205.221.97 137
03-16-2004 14:13:02 System0.Info router @out server 137 202.54.117.102 137
03-16-2004 13:54:40 System0.Info router @out server 137 217.171.118.25 137
03-16-2004 13:46:24 System0.Info router @out server 137 12.242.18.34 137
03-16-2004 13:42:46 System0.Info router @out server 137 192.114.44.4 137
03-16-2004 13:41:59 System0.Info router @out server 137 82.166.194.115 137
03-16-2004 13:06:19 System0.Info router @out server 137 205.3.98.38 137
03-16-2004 13:06:11 System0.Info router @out server 137 204.235.105.130 137
03-16-2004 13:01:46 System0.Info router @out server 137 217.67.176.50 137
03-16-2004 12:52:49 System0.Info router @out server 137 221.3.141.40 137
03-16-2004 12:46:52 System0.Info router @out server 137 210.199.213.150 137
03-16-2004 12:41:59 System0.Info router @out server 137 219.237.120.245 137
03-16-2004 12:32:02 System0.Info router @out server 137 62.251.171.110 137
03-16-2004 11:57:00 System0.Info router @out server 137 82.177.70.234 137
03-16-2004 11:26:59 System0.Info router @out server 137 218.191.92.168 137
03-16-2004 11:21:01 System0.Info router @out server 137 63.219.128.82 137
03-16-2004 11:18:59 System0.Info router @out server 137 66.205.224.17 137
03-16-2004 11:08:37 System0.Info router @out server 137 216.245.140.23 137
03-16-2004 10:57:00 System0.Info router @out server 137 205.27.49.209 137
03-16-2004 10:56:54 System0.Info router @out server 137 205.40.234.218 137
03-16-2004 10:42:00 System0.Info router @out server 137 81.193.8.99 137
03-16-2004 10:28:10 System0.Info router @out server 137 80.239.57.84 137
03-16-2004 10:20:29 System0.Info router @out server 137 66.77.33.26 137
Frame 42 (92 bytes on wire, 92 bytes captured)
    Arrival Time: Mar 15, 2004 14:45:02.379705000
    Time delta from previous packet: 0.086549000 seconds
    Time since reference or first frame: 45.839609000 seconds
    Frame Number: 42
    Packet Length: 92 bytes
    Capture Length: 92 bytes
Ethernet II, Src: 00:10:a4:eb:a4:21, Dst: 00:20:78:c7:64:c6
    Destination: 00:20:78:c7:64:c6 (10.254.215.1)
    Source: 00:10:a4:eb:a4:21 (10.254.215.51)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.254.215.51 (10.254.215.51), Dst Addr: 217.179.171.230 (217.179.171.230)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 78
    Identification: 0xb9b8 (47544)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x191b (correct)
    Source: 10.254.215.51 (10.254.215.51)
    Destination: 217.179.171.230 (217.179.171.230)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
    Source port: netbios-ns (137)
    Destination port: netbios-ns (137)
    Length: 58
    Checksum: 0xbae3 (correct)
NetBIOS Name Service
    Transaction ID: 0x9d6f
    Flags: 0x0010 (Name query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Name query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>: type NBSTAT, class inet
            Name: *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> (Workstation/Redirector)
            Type: NBSTAT
            Class: inet
0000  00 20 78 c7 64 c6 00 10 a4 eb a4 21 08 00 45 00  . x.d......!..E.
0010  00 4e b9 b8 00 00 80 11 19 1b 0a fe d7 33 d9 b3  .N...........3..
0020  ab e6 00 89 00 89 00 3a ba e3 9d 6f 00 10 00 01  .......:...o....
0030  00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41  ...... CKAAAAAAA
0040  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0050  41 41 41 41 41 41 41 00 00 21 00 01              AAAAAAA..!..
Any help you can provide would be appreciated.
Thanks,
Cj
----- Kristin Thomas [MSFT] wrote: -----
CJ,
You are right about broadcast packets, something destined for a specific IP
address is not a broadcast packet. Broadcast is only sent to a machine's
broadcast address.
Name Service datagrams are used primarily to register and resolve names on
the network, and they are sent and received by NetBT and WINS only over
TCP/UDP port 137.
So is the machine in question a WINS server? Does it have replication
partners set up with those IP addresses you are seeing?
Best Regards,
Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Win2K Srv sending NBSTAT name query broadcasts to Internet
IPs
| thread-index: AcQLcq6yPnGoflIlRF2S4/aiJ3diDw==
| X-Tomcat-NG: microsoft.public.win2000.networking
| From: "=?Utf-8?B?Q0o=?=" <anonymous@discussions.microsoft.com>
| Subject: Win2K Srv sending NBSTAT name query broadcasts to Internet IPs
| Date: Tue, 16 Mar 2004 08:21:05 -0800
|
| I have noticed that my Win2K server is sending NBSTAT broadcast packets
to random IP addresses outside of my local network. The broadcasts always
originate from the server on port 137 and are always destined for some IP
address on port 137. The destination IP addresses always seem to be
different and many times are nonexistent.
I say random because there is no time pattern to the broadcasts. Sometimes
they are sent every couple of minutes and sometimes the period between
broadcasts is much longer.
Can anyone explain why this might be happening? I can understand this if
the broadcasts were to machines on my local network but not out onto the
Internet. I also don't understand the concept of a broadcast being sent to
a specific IP address. I thought broadcasts were sent out to all systems on
the local network.
Please advise.
CJ
|
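The NBNS payload of frame 42 in the trace above, decoded as an added example (not part of the original posts; the function names are made up for illustration). It shows that "CKAAAA..." is the first-level encoding of the wildcard name "*", that the "Broadcast" indication is the B bit inside the NBNS header while the IP destination is a single unicast address, and how a capture can be filtered for such queries leaving the private address space.

```python
import ipaddress
import struct

# NBNS payload of frame 42 in the trace above (hex dump offsets 0x2a-0x5b).
FRAME42_NBNS = bytes.fromhex(
    "9d6f 0010 0001 0000 0000 0000"       # ID, flags, QDCOUNT=1, other counts 0
    + "20" + "434b" + "41" * 30 + "00"    # label length 32, encoded name, end
    + "0021 0001"                         # QTYPE NBSTAT, QCLASS IN
)
NBSTAT = 0x0021
WILDCARD = b"*" + b"\x00" * 15            # the "*<00>...<00>" name in the decode


def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: each byte is two letters 'A'..'P'."""
    if len(encoded) != 32 or not all(0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and first question of a NetBIOS name service message."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("not a single-label NBNS question")
    txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    qtype, qclass = struct.unpack_from("!HH", payload, 46)
    return {
        "txid": txid,
        "is_query": not flags & 0x8000,          # R bit clear
        "opcode": (flags >> 11) & 0xF,           # 0 = name query
        "broadcast_flag": bool(flags & 0x0010),  # B bit in the NBNS header only
        "questions": qdcount,
        "name": decode_nb_name(payload[13:45]),
        "qtype": qtype,
        "qclass": qclass,
    }


def is_offnet_node_status_query(dst_ip: str, payload: bytes) -> bool:
    """True for a wildcard NBSTAT query whose IP destination is not local."""
    q = parse_nbns_query(payload)
    dst = ipaddress.ip_address(dst_ip)
    local = dst.is_private or dst.is_link_local or dst.is_multicast
    return (q["is_query"] and q["qtype"] == NBSTAT
            and q["name"] == WILDCARD and not local)
```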