Why is win2000 broadcasting?

Thomas Scheiderich

I am trying to figure out what is happening on my system. I am looking to
see if I have a virus on my system, and I have ZoneAlarm telling me that there
is some talking going on, and I am trying to make sure it is all kosher.

I periodically have my Win2000 sending broadcasts and one of my machines
will answer and then send a bunch of packets back and forth.

What I am getting is something like this - Trilobyte is my W2k Pro machine
and my wife's Mac will answer. If the Mac is off, another machine will
answer.

Here are the approximate packet requests (translated by my Observer program):

Trilobyte -> broadcast NetBios Name Service (Q)uery request -- UDP
(137->137)
Mac->Trilobyte NetBios Name Service (Q)uery response -- UDP
(137->137)
Trilobyte-Broadcast Arp Request (192.168.122.7 -> 192.168.122.44) --
802.2LLC [information poll on] S=0,R=0
Mac-Broadcast Arp Reply (192.168.122.44 -> 192.168.122.7) --
802.2LLC [information poll on] S=0,R=0
Trilobyte-Broadcast SMB_COM_TRANSACTION_REQUEST NetBios Datagram
Service Direct Group Datagram

It then does a couple more NetBios packets (Query requests and Transaction
requests)

Then it stops and does it again a little while later.

Why would it be doing this?

Thanks,

Tom
 
This can be entirely normal on a network, particularly if there are shared printers
and mapped drives. A virus or worm will usually flood your network with
thousands of packets per minute, often trying to access random IP addresses on the
network, including IP addresses that do not even exist, with port 135 being a favorite
attack port. I would enable auditing of logon events and look in the security log for
failed logon attempts on the Windows computers. A lot of failed logons could indicate a
problem with a worm or a hack. ZoneAlarm should tell you the application/process that is
trying for network access.

http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958 -- basic auditing.

I would also suggest that you scan your computer for viruses and worms using virus
definitions current as of today from your vendor's website. Parasites can also cause
unexplained network activity. Parasites are not usually considered destructive and
will not be detected by a virus scan program. AdAware is a great free program to
detect and remove parasites and spyware. Be sure to update it before scanning, which
you can do when you first open the program, and delete your cookies and temporary
internet files so that they will not clutter up the AdAware "found" screen with minor
issues. --- Steve

http://www.lavasoftusa.com/software/adaware/
 

I have done all of this already, and I agree that a virus will probably do
more than just a few accesses to some of my machines.

In my case, there is nothing else being done. I have ZoneAlarm on one
machine and nothing is being done on any of the machines. But my machine
just starts doing a broadcast, for some reason, and if the Mac is on the
network, it seems to answer and there are a few packets sent back and forth.
If the Mac is turned off, another machine will answer.

I am just trying to figure out why this is happening.

Thanks,

Tom.
 
Phillip Windell said:
It's normal.

I kind of assumed that.

I am just trying to understand what it is doing.
Why is it looking for someone to respond to it? It doesn't seem to matter
what machine answers. Once one does, it sends a couple of packets back and
forth and then just stops. A little while later, it does it again.

Thanks,

Tom
 
Maybe the machine that is sending out the broadcasts is the browse master. Nbtstat -n
would show if it is. --- Steve

 
Steven L Umbach said:
Maybe the machine that is sending out the broadcasts is the browse master. Nbtstat -n
would show if it is. --- Steve

Here is the response I get from that:

C:\>nbtstat -n

\Device\NetBT_Tcpip_{B9759448-89AB-4F0B-9E2F-2CA2E24E47CE}:
Node IpAddress: [0.0.0.0] Scope Id: []

No names in cache

Local Area Connection:
Node IpAddress: [192.168.122.7] Scope Id: []

NetBIOS Local Name Table

   Name               Type         Status
---------------------------------------------
TRILOBYTE      <00>  UNIQUE      Registered
TRILOBYTE      <20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
TRILOBYTE      <03>  UNIQUE      Registered
TFS            <03>  UNIQUE      Registered

C:\>

Thanks,

Tom.

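Editor's note on reading the name table above: a master browser registers the unique name WORKGROUP<1D> and the group name ..__MSBROWSE__.<01>, and any host taking part in browser elections registers the group name WORKGROUP<1E>. Tom's table shows none of these, only the workstation (<00>), server (<20>) and messenger (<03>) names, so by this check Trilobyte is not the master browser. The following script is an added example, not code from the thread: it parses `nbtstat -n` output and reports the roles the registered names imply. `TOM_NBTSTAT` is the table Tom posted; `MASTER_NBTSTAT` is a constructed table showing what a master browser would register.

```python
"""Parse `nbtstat -n` output and report which NetBIOS/browser roles the host
has registered.  Added example, not from the thread.  TOM_NBTSTAT is the name
table Tom posted; MASTER_NBTSTAT is a constructed table for comparison."""
import re

# One row of the "NetBIOS Local Name Table": NAME <XX> UNIQUE|GROUP Status
ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)

TOM_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.122.7] Scope Id: []

NetBIOS Local Name Table

   Name               Type         Status
---------------------------------------------
TRILOBYTE      <00>  UNIQUE      Registered
TRILOBYTE      <20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
TRILOBYTE      <03>  UNIQUE      Registered
TFS            <03>  UNIQUE      Registered
"""

# Constructed: the extra names a master browser for WORKGROUP would show.
MASTER_NBTSTAT = TOM_NBTSTAT + """\
WORKGROUP      <1E>  GROUP       Registered
WORKGROUP      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
"""


def parse_nbtstat_n(text):
    """Return [(name, suffix, kind, status), ...] for each name-table row."""
    return [(n.strip(), int(s, 16), k, st) for n, s, k, st in ROW.findall(text)]


def browser_roles(rows):
    """Map registered names to the roles they imply, using the standard
    NetBIOS suffixes: <20> server service, <1E> potential browser,
    <1D> and __MSBROWSE__<01> master browser, <1B> domain master browser."""
    reg = [(n, s, k) for n, s, k, st in rows if st.lower() == "registered"]

    def has(suffix, kind, name=None):
        return any(s == suffix and k == kind and (name is None or name in n)
                   for n, s, k in reg)

    return {
        "workgroups": sorted({n for n, s, k in reg if s == 0x00 and k == "GROUP"}),
        "file_server": has(0x20, "UNIQUE"),
        "potential_browser": has(0x1E, "GROUP"),
        "master_browser": has(0x1D, "UNIQUE") or has(0x01, "GROUP", "__MSBROWSE__"),
        "domain_master_browser": has(0x1B, "UNIQUE"),
    }


if __name__ == "__main__":
    for label, text in (("Tom's host", TOM_NBTSTAT), ("constructed master", MASTER_NBTSTAT)):
        print(label, browser_roles(parse_nbtstat_n(text)))
```

On Tom's output this reports `master_browser` False and `file_server` True: the machine is sharing (the <20> name) and belongs to WORKGROUP, but has not won a browser election. To see which machine did, `nbtstat -a <computername>` run against the Mac or the other responder would show whether it holds the <1D> name.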
 
I believe it probably is browse list related, as the NetBIOS datagram service is port 138, used for
the browse service, and both the source and destination port would be port 138 UDP.
Ethereal, unless that is what you used, may give more information, as it will identify
browse-related packet sequences. If you go into the body of the packet, you may also
get more specific info on what the request is for. The list below is what Windows
uses port 138 UDP for. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

138 UDP NetBIOS Datagram Service Computer Browser
138 UDP NetBIOS Datagram Service Messenger
138 UDP NetBIOS Datagram Service Server
138 UDP NetBIOS Datagram Service Net Logon
138 UDP NetBIOS Datagram Service Distributed File System
138 UDP NetBIOS Datagram Service Systems Management Server 2.0
138 UDP NetBIOS Datagram Service License Logging Service


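To follow Steve's advice and "go into the body of the packet", here is an added example (not code from the thread) that decodes the two packet types in Tom's Observer capture: the NetBIOS Name Service query on UDP/137 and the Datagram Service "direct group datagram" on UDP/138 that carries an SMB_COM_TRANSACTION write to the \MAILSLOT\BROWSE mailslot, which is how the Computer Browser service announces itself and holds elections. The header layouts and first-level name encoding follow RFC 1002, and the transaction field offsets follow the SMB_COM_TRANSACTION request format; everything else is an assumption chosen for illustration. The Observer summary does not show which name Trilobyte queried, so the constructed query asks for WORKGROUP<1D> (the master browser) purely as an example, and the constructed datagram carries a HostAnnouncement frame of which only the opcode byte is decoded.

```python
"""Decode the two packet types in the capture: a NetBIOS Name Service query
(UDP/137) and a NetBIOS Datagram Service group datagram (UDP/138) carrying an
SMB_COM_TRANSACTION write to \\MAILSLOT\\BROWSE, the Computer Browser channel.
Added example, not from the thread; the build_* helpers construct packets
with illustrative values so the parsers can be exercised offline."""
import struct

SUFFIX = {0x00: "workstation/workgroup", 0x03: "messenger", 0x1B: "domain master browser",
          0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server"}
BROWSER_OPCODE = {0x01: "HostAnnouncement", 0x02: "AnnouncementRequest",
                  0x08: "RequestElection", 0x09: "GetBackupListRequest",
                  0x0C: "DomainAnnouncement", 0x0D: "MasterAnnouncement",
                  0x0F: "LocalMasterAnnouncement"}
MAILSLOT = b"\\MAILSLOT\\BROWSE\x00"


def encode_name(name, suffix):
    """RFC 1002 first-level encoding: 15 space-padded chars plus the suffix byte,
    every byte split into two nibbles with 0x41 ('A') added; length-prefixed."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(h for c in raw for h in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (name, suffix, offset_after_name)."""
    if buf[off] != 0x20 or buf[off + 33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], off + 34


# ---- UDP/137: the "NetBios Name Service Query request" line in the capture
def build_nbns_query(txid, name, suffix):
    flags = 0x0110                       # opcode 0 = query, RD set, B = broadcast
    return (struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001))


def parse_nbns(pkt):
    txid, flags = struct.unpack(">HH", pkt[:4])
    name, suffix, _ = decode_name(pkt, 12)
    return {"txid": txid, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "role": SUFFIX.get(suffix, "other")}


# ---- UDP/138: "NetBios Datagram Service Direct Group Datagram" + SMB_COM_TRANSACTION
def build_smb_mailslot(frame):
    """SMB_COM_TRANSACTION (0x25) request writing `frame` to \\MAILSLOT\\BROWSE.
    Header fields other than the command are zeroed; the offsets are exact."""
    hdr = b"\xffSMB" + bytes([0x25]) + bytes(27)           # 32-byte SMB header
    name_off = 32 + 1 + 34 + 2                             # hdr, WordCount, 17 words, ByteCount
    data_off = name_off + len(MAILSLOT)                    # browser frame follows the name
    params = struct.pack("<HHHHBBHIHHHHHBB", 0, len(frame), 0, 0, 0, 0, 0, 0, 0,
                         0, data_off, len(frame), data_off, 3, 0)
    setup = struct.pack("<HHH", 1, 0, 2)                   # write mailslot, priority, class
    body = MAILSLOT + frame
    return hdr + bytes([17]) + params + setup + struct.pack("<H", len(body)) + body


def parse_smb_mailslot(smb):
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25:
        raise ValueError("not an SMB_COM_TRANSACTION")
    wct = smb[32]
    data_count, data_off = struct.unpack_from("<HH", smb, 33 + 22)   # DataCount, DataOffset
    name_start = 33 + 2 * wct + 2                                    # after words and ByteCount
    mailslot = smb[name_start:smb.index(b"\x00", name_start)].decode("ascii")
    frame = smb[data_off:data_off + data_count]                      # honours any padding
    return {"mailslot": mailslot, "browser_opcode": frame[0],
            "browser_frame": BROWSER_OPCODE.get(frame[0], "other")}


def build_datagram(src_ip, src_name, dst_name, dst_suffix, smb):
    names = encode_name(src_name, 0x00) + encode_name(dst_name, dst_suffix)
    hdr = struct.pack(">BBH4sHHH", 0x11, 0x02, 0x0001,       # DIRECT_GROUP, B-node, first+only
                      bytes(int(o) for o in src_ip.split(".")), 138, len(names) + len(smb), 0)
    return hdr + names + smb


def parse_datagram(pkt):
    msg_type, flags, dgm_id, sip, sport, dlen, poff = struct.unpack(">BBH4sHHH", pkt[:14])
    src, ssuf, off = decode_name(pkt, 14)
    dst, dsuf, off = decode_name(pkt, off)
    out = {"type": {0x10: "direct unique", 0x11: "direct group", 0x12: "broadcast"}.get(msg_type),
           "source_ip": ".".join(str(b) for b in sip), "source": (src, ssuf),
           "destination": (dst, dsuf), "dest_role": SUFFIX.get(dsuf, "other")}
    out.update(parse_smb_mailslot(pkt[off:]))
    return out
```

Applied to a real UDP/138 payload from Ethereal or Observer, `parse_datagram` gives the three facts that answer Tom's question: which group name the datagram is addressed to (WORKGROUP<1E> for elections, WORKGROUP<1D> for the master browser), that the SMB transaction targets \MAILSLOT\BROWSE, and which browser opcode it carries (a periodic HostAnnouncement is the benign case). The frame is located through DataOffset rather than by assuming it sits right after the mailslot name, because real clients may pad between the two.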
 