Re: Large Increase in Netbios Traffic

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Phillip Windell (_at_.)
Date: 07/20/04 

Date: Tue, 20 Jul 2004 11:15:35 -0500

"PC" <paulm DOT c at iol DOT ie> wrote in message
news:OE2PQFnbEHA.3792@TK2MSFTNGP09.phx.gbl...
> Could anybody explain why I might be experiencing a laarge increase of
> netbios traffic on our network recently.

I supect that they aren't increasing, but rather you just now noticed them.

> These packets seem to come from all machines. I noticed the problem first
> because I have netbios blocked at the firewall and they seem to be trying
to
> get outside (Sample from Firewall log - 2004/07/20 03:03:52.688 - UDP
packet
> dropped - Source:192.168.1.2, 137, LAN - Destination:192.168.1.255, 137,
> WAN - NetBios)

They aren't trying to get outside. If the Firewall's internal interface is
the same subnet as these clients then it is going to recieve these. They
are sent to the *.255 address which is a broadcast address of that subnet
which includes the Firewall. The queries are simply going *to* the
Firewall, not *though* it, because they do not cross over subnets.

> When I examine these packets using Ethereal they appear to be Name queries
> to one or other of the DC's or Host announcements from the individual
> system.

Yes. That is what they are. The DC maintains the "browse list" and uses the
broadcasts to build and maintain the list. This is all normal traffic. This
is why LANs are broken into subnets using LAN Routers to keep these
broadcast from adversly effecting LAN performance. The more Hosts on a
segment the worse it gets, so you break the LAN up into smaller segments
which traps these in each segment (remember they don't cross routers) so
that everything becomes less congested and more managable. 

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Relevant Pages

  • Re: WINS/DNS Migration
    ... we just didn't need to browse outside our own subnet, ... When you need NetBIOS resolution across routers you ... If you have more than one WINS Server you need to manually set them ... And this might mean moving all of the manual records you cannot identify. ...
    (microsoft.public.windows.server.dns)
  • Re: Connecting to DC using VPN changes IP address for LAN clients
    ... As soon as a remote user connects, your DC is multihomed (because RRAS ... SBS is the only exception. ... Netbios name by disabling Netbios over TCP/IP on it. ... found that the lan adapter is already the top one and the dial in one is ...
    (microsoft.public.windows.server.networking)
  • Re: How is network neighborhood populated?
    ... With regards to the browse list being empty on the local subnet however, ... - Is NetBIOS over TCP/IP disabled? ... no NetBT - no ... - Is the NetBIOS TCP/IP Helper Service running and set to automatic? ...
    (microsoft.public.win2000.active_directory)
  • Re: Dropping Netbios over TCP?
    ... Yea, Win2k/XP do not "need" Netbios, But they do need a method of name ... > I have a Win2k pc with two network cards. ... > is always 192.168.1.1 and the automatically assigned DNS server is always ... > The second network card is used to connect me to my office LAN. ...
    (microsoft.public.win2000.networking)
  • Re: Kerio Personal Firewall - how to use with a LAN?
    ... | David H. Lipman wrote: ... | a local LAN connecting a Win2K desktop and a Win7 ... Win2K has the Kerio and Win 7 has ... | more familiar with TCP/IP than with NetBios. ...
    (alt.computer.security)