Wireshark-users: [Wireshark-users] Unexplained Netbios Traffic
From: "Jon Ziminsky" <ziminskyj@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 1 Oct 2008 11:01:53 -0600

Hello!

I have a server that is spewing UDP packets on port 137. Here is a sample of the capture:

214  4.762671  <hidden>  65.200.10.34   NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
217  1.771319  <hidden>  24.64.209.155  NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

The packets are being sent to random public IPs. They are sent in groups of 3. The packets are identical except the destination IP.

The box is running Server2000, and is a VM running on an Ubuntu host. Both the host and guest are fully patched. It is running eTrust ITM that is fully patched and up to date on sigs. All AV scans I have run come back clean. I also ran the most recent MS Malicious Software removal tool, and it came back clean as well.

This is the only server in our domain that is exhibiting this behavior.

So far today it has tried to contact over 100 random hosts. I am concerned... Help please.

Jon
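
The wildcard NBSTAT queries described in the message above can be picked out of UDP/137 payloads programmatically. The following is an added example, not part of the original post: it decodes the NBNS question and flags wildcard node-status queries addressed to public IPs. The function names and the sample payloads are constructed for illustration, and names with a scope ID are not handled.

```python
import ipaddress
import struct

NBSTAT = 0x0021                    # node status question type (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15     # shown by Wireshark as *<00>...<00>

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo first-level encoding: every byte was sent as two nibbles + 'A'."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_question(payload: bytes):
    """Return (is_query, name, qtype) for the first question, else None."""
    if len(payload) < 50:          # 12 header + 1 + 32 + 1 + 4
        return None
    _txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if qdcount < 1 or payload[12] != 0x20 or payload[45] != 0x00:
        return None                # malformed, or scoped name (not handled)
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return None
    qtype, _qclass = struct.unpack_from("!HH", payload, 46)
    return (flags & 0x8000) == 0, name, qtype

def is_external_wildcard_nbstat(dst: str, payload: bytes) -> bool:
    """True for a wildcard NBSTAT query addressed to a public IP."""
    q = parse_question(payload)
    if q is None:
        return False
    is_query, name, qtype = q
    return (is_query and qtype == NBSTAT and name == WILDCARD
            and ipaddress.ip_address(dst).is_global)

def build_query(name: bytes, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a sample NBNS query payload (test data only)."""
    enc = bytes(b for c in name for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + b"\x20" + enc + b"\x00" + struct.pack("!HH", qtype, 1)

SAMPLES = [  # constructed: destinations from the post plus two internal cases
    ("65.200.10.34", build_query(WILDCARD, NBSTAT)),
    ("24.64.209.155", build_query(WILDCARD, NBSTAT)),
    ("192.168.1.10", build_query(WILDCARD, NBSTAT)),
    ("192.168.1.255", build_query(b"FILESRV".ljust(15) + b"\x00", 0x0020)),
]
FLAGGED = [dst for dst, p in SAMPLES if is_external_wildcard_nbstat(dst, p)]
```

Fed the UDP payloads from a capture of the affected host, the same check gives a per-destination list that can be compared against firewall egress logs.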