Every once in a while I see a mysterious OUTBOUND NetBIOS connection to another machine not on my LAN. I would like to find out what program is initiating this connection. However, for NetBIOS traffic, OP only lists *NetBIOS as the application.
What is the reason that the program name cannot be displayed for NetBIOS connections?
Thanks!
> I would like to find out what program is initiating this connection.
The system itself (its drivers and services). That is why there is no name of the application.
Hi J,
The fact that a connection was made at all means that there is a rule allowing it (assuming you are not running in allow most mode).
Depending on how the rule was set up, you would see the app or not. For instance, let's say that you are running in Rules Wizard mode and you start Windows Media Player for the first time. A popup asks to set a rule. If you use the IE preset (which you could do if you wanted) you will never see WMP in the logs because it was allowed as an IE ruleset.
However, if you answered the popup to create ruleset as other, a rule will be created for WMP and traffic from then on would show as traffic from WMP.
Believe me, it is easy to quickly accept a preset instead of choosing "other" when typing quickly. I've done it many times. :D
Have a good one.
Chris
> If it is the system that is initiating the NetBIOS traffic (ports 137-139) then why isn't the system listed as responsible for traffic on every other port?
Guess you do not understand how NetBIOS works...
There is a NetBIOS driver in your system.
Some service in your system initiates a NetBIOS connection.
The NetBIOS driver starts to load and sets up the connection.
Neither Outpost nor any other program can find out what service/process caused the NetBIOS driver to load.
Now, how do you think Outpost should find out what application loaded the NetBIOS driver?
Thank you Danil.
Since this is NetBIOS traffic we are talking about, the ports are NETBIOS_DGM and NETBIOS_NS (local and remote ports are the same).
I have not kept a log of the IP addresses but a trace route on one ended up in Japan.
I have a suspicion as to what program might be opening the connection. Still, I think that my question is a good one:
Why doesn't OP display the application for NetBIOS traffic?
Danil:
If it is the system that is initiating the NetBIOS traffic (ports 137-139) then why isn't the system listed as responsible for traffic on every other port?
I have utilities that monitor TCP traffic that do identify the program initiating the NetBIOS connection. I believe that my question needs to be answered by the author or designer of that section of code.
Regards,
John
> Every once in a while I see a mysterious OUTBOUND NetBIOS connection to another machine not on my LAN.
What exact information do you see in Outpost (local and remote ports, host, etc.)?
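An added example, not code from any poster in this thread: a Python filter over `netstat -ano` output that lists NetBIOS peers outside the LAN together with the owning PID. The sample output, the 192.168.1.0/24 LAN range and the function name are constructed assumptions; on Windows, PID 4 is the System process, which is where kernel drivers such as NetBT run.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     192.168.1.20:139       ESTABLISHED     4
  TCP    192.168.1.10:49733     203.0.113.45:139       SYN_SENT        4
  TCP    192.168.1.10:49801     198.51.100.7:443       ESTABLISHED     2316
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
"""

NETBIOS_PORTS = {137, 138, 139}                  # name, datagram, session services
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumption: the local subnet
SYSTEM_PID = 4                                   # Windows System process


def external_netbios(netstat_text, lan=LAN):
    """Return (proto, peer, port, state, pid) for NetBIOS peers outside `lan`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                             # header or blank line
        rhost, _, rport = fields[2].rpartition(":")
        if not rport.isdigit() or int(rport) == 0:
            continue                             # listener or unconnected UDP: no peer
        if int(rport) not in NETBIOS_PORTS:
            continue
        peer = ipaddress.ip_address(rhost.strip("[]"))
        if peer in lan or peer.is_loopback:
            continue                             # ordinary LAN file/printer sharing
        state = fields[3] if len(fields) == 5 else ""
        hits.append((fields[0], str(peer), int(rport), state, int(fields[-1])))
    return hits


if __name__ == "__main__":
    for proto, peer, port, state, pid in external_netbios(SAMPLE_NETSTAT):
        owner = "System (kernel driver)" if pid == SYSTEM_PID else f"PID {pid}"
        print(f"{proto} -> {peer}:{port} {state} owned by {owner}")
```

`netstat` shows no remote endpoint for UDP, so datagrams on ports 137 and 138 (NETBIOS_NS and NETBIOS_DGM) do not appear here; those need a firewall log or packet capture.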