This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm currently seeing a lot of traffic coming from two of my machines at the office to various IP addresses in the European block, I'm from Canada so this is unusual. The info in Wireshark reports: "Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>". Now normally I wouldn't panic about this however there is also a second relation to this that is the worrying part.

In the Windows 7 Resource Monitor these requests are coming from any users spawned process, firefox and process explorer are two common ones, plus the System Process, PID 4. Since the request is coming from both a user process AND the system process this is what I find things being worrying.

Can anyone explain this behaviour to me?

asked 15 Mar '11, 06:11

Stuart's gravatar image

Stuart
6113
accept rate: 0%


Those are packets used to ask a machine with a given IP address what it's NetBIOS name is. I think you're right to be suspicious; there's usually not much reason for a machine to ask for the NetBIOS name of random machines on the Internet, and, apparently, there's a worm that looks for machines to infect, and it sends out NetBIOS NBSTAT packets.

I'm not sure why they're being reported as coming from various random processes; if your machine is infected, it might be that a system DLL is infected, and programs using that DLL are calling infected routines that are sending out those packets. It might also be that the Resource Monitor is incorrectly reporting who's sending the packets.

permanent link

answered 15 Mar '11, 16:38

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

1

Not all NBSTAT messages are send by worms looking for hosts to infect. We found the frames send by domain controllers freshly installed in an isolated networks. Another legitimate source could be a service monitoring network printers.

If the transaction ID in the NBSTAT message shows up as x1337 you are indeed in trouble: That would be the infamous nmap at work.

(15 Mar '11, 17:12) packethunter
2

Yes, NetBIOS-over-TCP can go out over the Intertubes, because it runs atop IP. However, it's generally not sent out across the Atlantic Ocean; unless he's working for an international company with offices in Europe, and the machines in question have reasons to do, for example, SMB across the Atlantic to machines in Europe, those packets are a bit suspicious - I doubt any Windows domains set up in the office stretch across the ocean, or that machines in his office are monitoring printers in Europe, although I suppose it's not inconceivable.

(15 Mar '11, 17:16) Guy Harris ♦♦
1

If the destination addresses are not controlled by Stuart - even out in the Internet - he is in trouble.

I posted my answer under the assumption that source and destination belong to his network. Btw, I am aware of several Windows domains spanning the globe without proper definition of sites and a plethora of transatlantic NetBIOS.

(15 Mar '11, 17:25) packethunter

Guy has the right idea as these are packets headed from our work network in Canada to an unknown IP in Europe. The company I work for isn't a transatlantic company so there is no reason why my laptop should be contacting those IP addresses.

The other interesting thing that PacketHunter led me to look at was that the Transaction ID is running in increments of two. This is strange so at this stage I'm going to start looking for something either a) viral/wormy or b) rootkit like.

Thanks for the help.

(16 Mar '11, 06:01) Stuart

The NBSTAT message is a message using the NetBIOS name services (nbns) running on UDP port 137. Typical nbns messages are host announcements "here I am, node WORKSTATION" or queries "who has the host name SERVER?"

In the nbns messages bytes 1-15 specify a hostname and byte 16 indicates a function. This is often a role like workstation or server, while more esoteric functions can also be found.

The NBSTAT message is an NBNS equivalent of "Introduce yourself". We found it as broadcast and unicast messages. Any computer supporting NBNS would answer with specific information like "I am node type B". Some NetBIOS implementations also add statistics about number good or bad frames send and received.

For a better diagnosis it would help to know, if NetBIOS name resolution is active on the systems sending the NBSTAT message.


If you do not expect European NBNS frames showing up in Canada you might want to check your router configuration:

If a Cisco router is acting as DHCP relay server (specified by the command "ip helper") the router will forward not only DHCP packets to the ip helper address, but also UDP ports 137, 138 and a few others.

Unix/Linux systems usually send an ICMP messages as reaction to these UDP messages, which can result in quite a waste of bandwidth. To stop the router from forwarding broadcast NBNS-packets to the DHCP server use the command "no ip forward-protocol udp 137".

permanent link

answered 15 Mar '11, 17:08

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

Actually, those are coming from his machine in Canada to machines in Europe, not from Europe to Canada; it may be that his machine is sending them because it's infected.

(15 Mar '11, 17:13) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×13
×4

question asked: 15 Mar '11, 06:11

question was seen: 54,000 times

last updated: 16 Mar '11, 06:01

p​o​w​e​r​e​d by O​S​Q​A