Firewall Wizards mailing list archives

Re: RE: Help w/ Port 137 Traffic


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Mon, 14 Oct 2002 20:20:08 +0200



Bill Royds wrote:

> The netbios Name query/response packets are in the same format as DNS 
> query/response packets, just on port 137 instead of 53

*ding*

They're not even remotely related.

Do a dump of a netbios name query and you'll see a string like
"IJDFYEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
where each letter is one nibble (4 bits), plus 'A' (which means
that each "AA" pair is in fact a representation of NUL.)

Do a dump of a DNS query and you'll see a string like
"www.bustyvixens.com" umm .. ^H^H^H^H^H^H^H^H^H^H^H^Hmicrosoft.com"

(Of course, the protocol structs differ entirely too; this is
just the most obvious way of showing the difference.)

You're probably getting fooled by the fact that some Windows 
machines (Win9x? I forget) like originating DNS queries 
(destination port 53) from port 137.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
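
The nibble-plus-'A' name encoding described in the message above, as an added example that is not part of the original post: it encodes, decodes and triages a name string taken from a packet dump. The function names are hypothetical and the sample names are constructed; the 15-byte name plus one suffix byte layout is taken from RFC 1001, not from the message.

```python
# Added example: NetBIOS first-level name encoding (one letter per nibble,
# value + 'A'). Function names are hypothetical; sample names are constructed.

def nb_encode(name: str, suffix: int = 0x20, pad: str = " ") -> str:
    """Pad the name to 15 bytes, append the suffix byte, emit 2 letters per byte."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 bytes plus a suffix byte")
    raw = raw.ljust(15, pad.encode("ascii")) + bytes([suffix])
    # High nibble first, then low nibble, each offset from 'A' (0x41).
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nb_decode(encoded: str) -> bytes:
    """Reverse the encoding; reject anything that is not pairs of 'A'..'P'."""
    if len(encoded) % 2:
        raise ValueError("encoded name must have an even number of letters")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        hi = ord(encoded[i]) - 0x41
        lo = ord(encoded[i + 1]) - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError(f"letter outside 'A'..'P' at offset {i}")
        out.append((hi << 4) | lo)
    return bytes(out)


def classify(name: str) -> str:
    """Triage a name seen in a dump: NetBIOS-encoded, or a plain DNS-style name."""
    try:
        raw = nb_decode(name)
    except ValueError:
        return "dns-style"          # dots, lowercase, digits: not nibble letters
    if len(raw) != 16:
        return "dns-style"          # right alphabet, wrong length
    label = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return f"netbios:{label}<{raw[15]:02X}>"


if __name__ == "__main__":
    for sample in (nb_encode("FRED"),                       # constructed
                   nb_encode("*", suffix=0, pad="\0"),      # wildcard name
                   "www.microsoft.com"):
        print(sample, "->", classify(sample))
```

In the wildcard name every NUL byte comes out as an "AA" pair, which is the run of A's the message points at.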

