Crazy flying netbios packets

Christopher R. Hertel crh at ubiqx.mn.org
Thu Oct 1 08:04:10 UTC 1998


I'm not on this list, but a friend pointed me at the thread and I wanted
to add my 2 cents.  Hope you don't mind.

: There is a very popular WWW log analysis program by the name of 
: WebTrends.  It is run on a Win32 platform and when processing 
: GIGs of www access-logs, it will uni-cast for WINS resolution to 
: every foreign IP it finds for WINS name resolution, fail,
: and then use DNS for resolution.  
:
: My fear (uneducated on the matter) is that it is not WebTrends but 
: Microsoft's gethostbyaddr() call which would mean that this type of 
: crazy 137/udp WINS resolution traffic is more commonly mis-used than
: we think.  

It's not actually WINS that you're dealing with here.  WINS is Microsoft's
name for their NetBIOS Name Server (RFC1001, 1002).  WebTrends cannot know
the address of the WINS server, if any, that the assumed Windows PC used
so it would have to send the query directly to the IP in the log.  Urq.

If the PC was on a dial-up or other dynamic IP address, then any reply
will most certainly be wrong.  Also, what you'd get back is a set of
NetBIOS names.  This is almost completely useless unless you share the
same WINS server or are within the same broadcast domain.

The suggestion that this totally nasty behavior is SOP for Microsoft's
gethostbyaddr() is disturbing.  In my experience, the folks in Redmond
don't clearly understand the difference between a NetBIOS name and a DNS
name.

Chris Hertel
Samba Team

-- 
"I'm thirty-seven.  I'm not old."            -----(-  Christopher R. Hertel
  -- Dennis the Peasant to King Arthur, 787 AD    -)-----  crh at ubiqx.mn.org
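
Added example (not part of the original post): a classifier for 137/udp payloads that picks out the probe described above. It assumes the query sent straight to the logged IP is an RFC 1002 node status (NBSTAT) request for the wildcard name, the request that returns a set of NetBIOS names; the function names and both sample packets are constructed for illustration.

```python
import struct

NB, NBSTAT = 0x0020, 0x0021            # RFC 1002 question types
WILDCARD = b"*" + bytes(15)            # name used by node status probes

def encode_nb_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes 'A' + nibble."""
    return bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0xF)))

def decode_nb_name(label: bytes) -> bytes:
    """Inverse of encode_nb_name: 32 chars in 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_nbns_question(pkt: bytes):
    """Return (is_response, opcode, raw_name, qtype) for a 137/udp payload."""
    if len(pkt) < 13 or pkt[12] != 0x20:
        raise ValueError("no NetBIOS name after the 12-byte header")
    _tid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    label, off = pkt[13:45], 45
    while True:                        # skip optional scope labels up to the root
        if off >= len(pkt):
            raise ValueError("truncated name")
        n, off = pkt[off], off + 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("compression pointer not valid in a question")
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!2H", pkt[off:off + 4])
    return bool(flags & 0x8000), (flags >> 11) & 0xF, decode_nb_name(label), qtype

def is_node_status_probe(pkt: bytes) -> bool:
    """True for a request (not a reply) asking NBSTAT for the wildcard name."""
    try:
        is_resp, opcode, name, qtype = parse_nbns_question(pkt)
    except ValueError:
        return False
    return not is_resp and opcode == 0 and qtype == NBSTAT and name == WILDCARD

# Constructed samples: a node status probe and an ordinary broadcast name query.
NODE_STATUS = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0) + b"\x20"
               + encode_nb_name(WILDCARD) + b"\x00" + struct.pack("!2H", NBSTAT, 1))
NAME_QUERY = (struct.pack("!6H", 0x1235, 0x0110, 1, 0, 0, 0) + b"\x20"
              + encode_nb_name(b"FILESRV".ljust(15) + b"\x00") + b"\x00"
              + struct.pack("!2H", NB, 1))
```

Counting matches per source address at a border sensor shows which inside hosts are sending these requests to addresses outside the local network.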


