I'm currently seeing a lot of traffic coming from two of my machines at the office to various IP addresses in the European block; I'm from Canada, so this is unusual. The info in Wireshark reports: "Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>". Now, normally I wouldn't panic about this; however, there is also a second relation to this that is the worrying part.
In the Windows 7 Resource Monitor these requests are coming from any user-spawned process; Firefox and Process Explorer are two common ones, plus the System process, PID 4. Since the request is coming from both a user process AND the System process, this is what I find worrying.
Can anyone explain this behaviour to me?
asked 15 Mar '11, 06:11
Those are packets used to ask a machine with a given IP address what its NetBIOS name is. I think you're right to be suspicious; there's usually not much reason for a machine to ask for the NetBIOS name of random machines on the Internet, and, apparently, there's a worm that looks for machines to infect, and it sends out NetBIOS NBSTAT packets.
I'm not sure why they're being reported as coming from various random processes; if your machine is infected, it might be that a system DLL is infected, and programs using that DLL are calling infected routines that are sending out those packets. It might also be that the Resource Monitor is incorrectly reporting who's sending the packets.
answered 15 Mar '11, 16:38
Guy Harris ♦♦
The NBSTAT message is a message using the NetBIOS name services (nbns) running on UDP port 137. Typical nbns messages are host announcements "here I am, node WORKSTATION" or queries "who has the host name SERVER?"
In the nbns messages bytes 1-15 specify a hostname and byte 16 indicates a function. This is often a role like workstation or server, while more esoteric functions can also be found.
The NBSTAT message is an NBNS equivalent of "Introduce yourself". We found it as broadcast and unicast messages. Any computer supporting NBNS would answer with specific information like "I am node type B". Some NetBIOS implementations also add statistics about the number of good or bad frames sent and received.
For a better diagnosis it would help to know if NetBIOS name resolution is active on the systems sending the NBSTAT message.
If you do not expect European NBNS frames showing up in Canada you might want to check your router configuration:
If a Cisco router is acting as DHCP relay server (specified by the command "ip helper") the router will forward not only DHCP packets to the ip helper address, but also UDP ports 137, 138 and a few others.
Unix/Linux systems usually send ICMP messages as a reaction to these UDP messages, which can result in quite a waste of bandwidth. To stop the router from forwarding broadcast NBNS packets to the DHCP server, use the command "no ip forward-protocol udp 137".
answered 15 Mar '11, 17:08
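To make the message format described in the answer above concrete, and to show how one would pick out the exact pattern the question reports (wildcard NBSTAT queries leaving the LAN for Internet addresses), here is an added example that is not part of the original thread or of Wireshark. It parses the header and question of a UDP/137 NBNS packet following RFC 1002 (12-byte header, 32-byte first-level-encoded name carrying the 15-byte name plus the suffix byte, null scope, QTYPE/QCLASS), renders the name the way Wireshark shows it, and flags wildcard NBSTAT queries to non-local destinations. The packet builder, the flow records and the addresses are constructed for the example; `203.0.113.7` (an RFC 5737 documentation address) stands in for an arbitrary Internet host.

```python
"""Parse NetBIOS Name Service (UDP/137) queries and flag wildcard NBSTAT
(node status) requests sent to addresses outside the local ranges.

Added example, not from the original thread. Layout per RFC 1002; sample
packets, flow records and addresses below are constructed.
"""
import ipaddress
import struct

QTYPE_NB = 0x0020      # ordinary name query ("who has SERVER?")
QTYPE_NBSTAT = 0x0021  # node status request, shown as "NBSTAT" by Wireshark

# Wildcard node-status name: '*' followed by fifteen NUL bytes (15-byte name + suffix).
WILDCARD = b"*" + b"\x00" * 15

# "Local" here means RFC 1918, loopback, link-local, multicast and broadcast;
# anything else is treated as an Internet destination.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "255.255.255.255/32", "0.0.0.0/8")]


def encode_nb_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """Pad the name to 15 bytes, append the suffix byte, then apply first-level
    encoding: every nibble becomes one ASCII letter 'A' + nibble (32 bytes)."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_nb_name(encoded: bytes) -> bytes:
    """Reverse first-level encoding; returns 16 raw bytes (15 name + suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        hi, lo = hi - 0x41, lo - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P' in encoded name")
        out.append((hi << 4) | lo)
    return bytes(out)


def render_name(raw16: bytes) -> str:
    """Render like Wireshark: name with trailing space padding removed,
    non-printable bytes as <hh>, and the suffix byte always as <hh>."""
    name, suffix = raw16[:15].rstrip(b" "), raw16[15]
    text = "".join(chr(b) if 0x20 < b < 0x7F else f"<{b:02x}>" for b in name)
    return f"{text}<{suffix:02x}>"


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the NBNS header and first question (null scope only)."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("packet too short for an NBNS question")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    if payload[12] != 0x20:
        raise ValueError("only 32-byte first-level names are handled here")
    raw16 = decode_nb_name(payload[13:45])
    if payload[45] != 0x00:
        raise ValueError("non-null scope id not handled in this example")
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {"trn_id": trn_id, "name": render_name(raw16), "raw_name": raw16,
            "qtype": qtype, "qclass": qclass, "broadcast": bool(flags & 0x0010)}


def build_nbns_query(trn_id: int, qtype: int = QTYPE_NBSTAT, name: str = "*",
                     suffix: int = 0x00, broadcast: bool = False) -> bytes:
    """Constructed query packet. The wildcard name is padded with NULs,
    ordinary names with spaces, as on the wire."""
    pad = b"\x00" if name == "*" else b" "
    header = struct.pack("!HHHHHH", trn_id, 0x0010 if broadcast else 0, 1, 0, 0, 0)
    question = (b"\x20" + encode_nb_name(name, suffix, pad) + b"\x00"
                + struct.pack("!HH", qtype, 0x0001))
    return header + question


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def flag_outbound_nbstat(flows) -> list:
    """flows: iterable of (src_ip, dst_ip, udp_payload). Returns destinations
    that received a wildcard NBSTAT query and are outside the local ranges."""
    hits = []
    for _src, dst, payload in flows:
        try:
            q = parse_nbns_query(payload)
        except ValueError:
            continue  # not a parseable NBNS query; ignore
        if q["qtype"] == QTYPE_NBSTAT and q["raw_name"] == WILDCARD and not is_local(dst):
            hits.append(dst)
    return hits


# Constructed sample flows: a wildcard NBSTAT to an Internet stand-in address
# (the pattern from the question), a normal broadcast NBSTAT on the LAN, and
# an ordinary name query for SERVER<20>.
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.7", build_nbns_query(0x1234)),
    ("192.168.1.10", "192.168.1.255", build_nbns_query(0x1235, broadcast=True)),
    ("192.168.1.10", "192.168.1.255", build_nbns_query(0x1236, QTYPE_NB, "SERVER", 0x20, True)),
]

if __name__ == "__main__":
    for _src, dst, payload in SAMPLE_FLOWS:
        q = parse_nbns_query(payload)
        print(f"{dst:15} qtype=0x{q['qtype']:04x} name={q['name']}")
    print("suspicious destinations:", flag_outbound_nbstat(SAMPLE_FLOWS))
```

Run over the constructed flows, the first packet renders exactly as the question's `*<00>...<00>` string and is the only one flagged; the broadcast NBSTAT to the local subnet and the `SERVER<20>` lookup are left alone. On a real capture you would feed the UDP payloads of port-137 packets into `flag_outbound_nbstat` and treat any hit as a host worth isolating and examining, in line with the first answer's suggestion of an infection.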