Re: UDP port 137 Question

[DAVE NORDLUND <nordlund () ccstaff cc ukans edu>]

> Date:          Tue, 06 Jan 1998 12:54:52 -0500 (EST)
> From:          "C. Jon Larsen" <jlarsen () ford ajtech com>
> Subject:       UDP port 137 Question
> To:            nanog () merit edu

> Is there any *valid* reason to see UDP traffic directed at a unix box's
> port 137 coming from IP sources across the internet ? The unix servers in
> question are most definitely *not* running samba, and there is absolutely no
> NT anywhere on this customer's network (that is seeing the incoming UDP
> traffic directed at an IP destination address on port 137). (A couple of 95
> boxes scattered across an Ethernet comprise the Micro$oft part of the
> network). None of the 95 boxen are running any file or print serving (sharing)
> resources.

Are you shure these don't have ip broadcast addresses on them?  I've seen 
MS UDP packets with 255.255.255.255 as the destination address if the
WIN box isn't set up reasonably.
> I can't think of any valid reason to see this traffic, personally. Anybody out
> there that can present a scenario where I would expect to see these UDP
> packets coming back in ?
>
> netbios-ns      137/tcp         nbns
> netbios-ns      137/udp         nbns
> netbios-dgm     138/tcp         nbdgm
> netbios-dgm     138/udp         nbdgm
> netbios-ssn     139/tcp         nbssn
>
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> C. Jon Larsen             Email: jlarsen () ford ajtech com
> Systems Engineer          Voice: +1.804.353.2800 x118
> A&J Technologies          http://www.ajtech.com
>
> PGP Key fingerprint: 8A 62 4C 6E 1E 3C CD 63  B3 16 1A 1B D2 61 EE 97
> PGP Public key available at: http://ford.ajtech.com/CJL.txt
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Dave Nordlund               d-nordlund () ukans edu
University of Kansas        913/864-0450
Computing Services          FAX 913/864-0485
Lawrence, KS  66045         KANREN