Strange broadcasts

Piszcz, Justin jpiszcz at servervault.com
Mon Apr 18 18:40:17 CEST 2005


Looks like netbios/windows sharing traffic to me.
Turn your other PC's off and/or disable NetBIOS / filesharing and see if
it persists.

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Lukasz
Hejnak
Sent: Monday, April 18, 2005 12:23 PM
To: netfilter at lists.netfilter.org
Subject: Strange broadcasts

Hi
I've started receiving some strange broadcast information on my firewall
it starts in the logs around ten days ago and looks like this:

INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=240
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=234
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=240 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=234 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=240
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=234
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

a few first occurences had SPT and DPT 137, and now it looks like the
above
happens about every 12 minutes, and I can't seem to see what's causing
this
the server is running only apache and exim
the eth1 is the internet, eth{0,2} are just two connections to two PCs
I've
got at home (had a spare nic and no cash for a hub ;)

anybody had a similar case?

-- 
with regards
Lukasz Hejnak
szift at wp.pl




More information about the netfilter mailing list