Can't resolve UDP port 137 queries

I'm hoping someone can help here. We transitioned from one network to a new one last year when we were sold off. We built the network from scratch. However, since I've been monitoring network traffic I'm seeing an inordinate amount of UDP traffic over port 137 coming from a variety of machines going to our old network IP scheme.

Here's what I've checked:
DHCP, AD and DNS servers: no DNS entries of old IP scheme, no NetBIOS entries of old network.
Old printers: all printers and printer ports mapped to old IP scheme have been removed
Flushed DNS cache
Ran Wireshark to confirm NBNS queries
Looked for HOST files/LMHOSTS files - none show any entries

I'm out of ideas what to try or look for. I'm seeing this traffic being generated from a variety of machines on our network, so I'm pretty sure these queries are all coming from the same cause. If I can nail it down on one machine, I'm sure it will fix the problem on all.

PS: I've also done a search on EE and none of the answers to questions similar to mine helped. :)
MarketingDriveAsked:

cycle303Commented:
137 is used for NetBIOS. This could be because NetBIOS over IP is enabled on these machines. If you have DNS running correctly, you can disable NetBIOS over IP by going into the TCP/IP properties --> Advanced --> WINS tab and checking "disable NetBIOS over IP" on the network adapters of each machine.
0
MarketingDriveAuthor Commented:
Won't that prevent that server from being able to connect via machine name instead of IP?
0
cycle303Commented:
Not if DNS is running.
0
dkarpekinCommented:
137/138/139/445 are used by XP to support "file and printer sharing", which allows the OS to share drives/printers on the LAN.
So, by trying to disable "network share" on XP, you will most likely stop receiving UDP 137.
Also, UDP 137 can be used by some SNMP monitoring software, so you might double-check whether you have any SNMP software running on any PC.
Another way would be to look closer at the "sender" machines: what services are running, with which PID, and see, based on that, what ports they are using.
It will give you a pretty good idea of who the "generator" of the interesting traffic is. To determine that:
Run-CMD:
netstat -ano > netstat.txt
tasklist > tasklist.txt
notepad tasklist.txt
notepad netstat.txt

In "netstat.txt" you'll see ports used by particular services.

Once you determine who the generator is, then it will be no problem to disable that service, if you need to.
Of course, you should do this if you don't need "file and printer sharing" on the LAN.
0
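The PID cross-reference described in the comment above, as an added example that is not part of the original thread: it joins saved `netstat -ano` and `tasklist` output to name the process bound to UDP 137 and the related ports. The sample output is constructed, and the function names `parse_tasklist` and `find_port_owners` are hypothetical.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_TXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    192.168.10.25:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.10.25:49210    192.168.10.5:445       ESTABLISHED     4
  UDP    192.168.10.25:137      *:*                                    4
  UDP    192.168.10.25:138      *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    3120
"""

# Constructed sample of `tasklist` output; PID 3120 is deliberately missing.
TASKLIST_TXT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0      1,024 K
svchost.exe                    968 Services                   0      8,112 K
"""

# Image names may contain spaces; the session name column may be empty.
TASK_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(?:\S+\s+)?\d+\s+[\d.,]+\s+K\s*$")

def parse_tasklist(text):
    """Return {pid: image name} from saved tasklist output."""
    rows = (TASK_ROW.match(line) for line in text.splitlines())
    return {int(m.group(2)): m.group(1) for m in rows if m}

def find_port_owners(netstat_text, tasklist_text, ports):
    """List (proto, local address, pid, image) for sockets bound to `ports`."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have 5 fields (with State), UDP rows have 4 (no State).
        if len(parts) not in (4, 5) or parts[0] not in ("TCP", "UDP"):
            continue
        local, pid = parts[1], parts[-1]
        port = local.rsplit(":", 1)[-1]   # rsplit copes with [::]:137
        if pid.isdigit() and port.isdigit() and int(port) in ports:
            hits.append((parts[0], local, int(pid),
                         images.get(int(pid), "<not in tasklist>")))
    return hits

if __name__ == "__main__":
    for hit in find_port_owners(NETSTAT_TXT, TASKLIST_TXT, {137, 138, 139, 445}):
        print("%-4s %-22s PID %-6d %s" % hit)
```

Only the local port is matched, so the outbound connection to a remote port 445 in the sample is not reported.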

dkarpekinCommented:
P.S.
By default, the "Messenger" service uses UDP 137; you can disable it from "Control Panel", "Administrative Tools", "Services" - look for "Messenger".
0