Solved

Excessive Outbound Traffic on UDP Port 137

Posted on 2008-06-23
3
3,283 Views
Last Modified: 2013-12-04
I've been noticing in my firewall logs an excessive amount of outbound traffic on udp port 137 from a single workstation. This port is blocked in my firewall, so it's not getting through, but I wanted to know if anyone could help me find the source of this traffic.

I have run CA AntiVirus and Anti Spyware as well as Spybot. The AV scan was clean and the spyware/adware scan only came up with a handful of cookies that have been removed. Netstat and Nbtstat both seem clean as well.

Thanks for the help.
0
Comment
Question by:Luis_Romero
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Accepted Solution

by:
alikaz3 earned 500 total points
ID: 21850393
udp port 137 is used for NetBIOS. You could try changing the NetBIOS setting on that workstation and see what you get.
>>>>>>>>>>>>
NetBIOS name service (UDP)

firewalls: Firewall administrators will frequently see large numbers of incoming packets to port 137. This is due to the behavior of Windows servers that use NetBIOS (as well as DNS) to resolve IP addresses to names using the "gethostbyaddr()" function. As users behind the firewalls surf Windows-based web sites, those servers will frequently respond with NetBIOS lookups.
>>>>>>>>>>>>
0
 
LVL 32

Expert Comment

by:r-k
ID: 21851063
Please post a HJT log from the suspect workstation just in case:

Download HijackThis from http://www.hijackthis.de/
(use the "direct download" link in the upper-right corner)
Unzip to any folder on your hard drive (other than the desktop)
Run the program by double-clicking on the HijackThis.exe file.
Click on "Do a System Scan.."
Copy-and-paste the resulting log here.
Optionally, you can post back to that same web page, and click "Analyze"
0
 

Author Closing Comment

by:Luis_Romero
ID: 31470272
Thanks. Your response actually reminded me that I've had this problem before but added a new NIC that used the default NetBios settings. Once I turned off NetBios over TCP/IP the problem was resolved.

Thanks for your help!
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question