Strange 192.168. UDP/138 Traffic

Richard Welty rwelty at averillpark.net
Thu Jan 29 18:51:39 UTC 2004


On Thu, 29 Jan 2004 12:24:15 -0600 Darrell Kristof <darrell.kristof at wholefoods.com> wrote:


> Hi everyone:

> I'm having some strange traffic show up on my PIX.  Looking at the "show
> conn" I have many many machines attempting to make outbound UDP/138
> connections to 192.168.x.x addresses.  We don't have any 192.168.x.x
> addresses inside the company.  This is blocked at our Internet router, so
> it's not going out, but still would like to know what this is.

138 is NETBIOS (an MS protocol). look for windows clients that have
somehow gotten it in their head that they need to make a NETBIOS
connection to the cited RFC1918 space.

could this be a side effect of one of the current generation of viruses?

richard
-- 
Richard Welty                                         rwelty at averillpark.net
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




More information about the NANOG mailing list