PCs flooding broadcast addr. udp port 137/138

neonetsup
Level 1

Hi all,

Interesting problem: Our 6509 switch connects a LAN via routed port/interface. Netflow was turned on that particular interface and 82% of the total flows are "UDP-other" with source and destination ports of udp 137 and 138.

The "heavy hitters" of this group are about 6 PCs and the destination IP is the broadcast address of the network.

Virus? Misconfigured Windows machines?

Thanks for any ideas!

2 Replies

Kevin Dorrell
Level 10

It's pretty normal to have quite a lot of directed broadcast traffic to UDP/135-139. But if there are some particularly hard hitters, they would be worth investigating. The favorite ports for worms are 137, 138, and 445. Look out for scans on UDP/445.

Kevin Dorrell

Luxembourg

Patrick Iseli
Level 7

These are NetBIOS broadcasts on hosts that probably have no WINS configured (Win2K) or DNS with Active Directory (MS AD = MAD).

Each time a host connects to a printer or share, it does a broadcast to find it.

NetLogon UDP:138

Logon Sequence UDP:137,138 TCP:139

Pass Through Validation UDP:137,138 TCP:139

Printing UDP:137,138 TCP:139

Trusts UDP:137,138 TCP:139

WinNT Secure Channel UDP:137,138 TCP:139

Do an "ipconfig /all" on that host and see if you are in hybrid mode = WINS

broadcast = Broadcast = that's bad

sincerely

Patrick
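
Added example, not part of the thread: one way to triage an exported flow table for the two patterns discussed above, sources that dominate UDP 137/138 traffic to the subnet broadcast address, and sources that reach many distinct hosts on UDP/445. The CSV column layout, the addresses, and both thresholds are assumptions made for illustration; the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow export (not data from the thread).
# Assumed columns: src,dst,proto,sport,dport,flows
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,flows
10.1.20.11,10.1.20.255,udp,137,137,4200
10.1.20.11,10.1.20.255,udp,138,138,1800
10.1.20.12,10.1.20.255,udp,137,137,3900
10.1.20.30,10.1.20.255,udp,138,138,40
10.1.20.31,10.1.20.255,udp,137,137,60
10.1.20.40,10.1.20.5,udp,1031,445,1
10.1.20.40,10.1.20.6,udp,1032,445,1
10.1.20.40,10.1.20.7,udp,1033,445,1
10.1.20.12,10.1.20.5,tcp,1044,139,12
"""

NETBIOS_UDP = {137, 138}  # name service and datagram service


def triage(flow_csv, subnet, share_threshold=0.10, scan_targets=3):
    """Return (heavy NetBIOS broadcasters, sources fanning out on UDP/445)."""
    net = ipaddress.ip_network(subnet)
    broadcasts = {net.broadcast_address, ipaddress.ip_address("255.255.255.255")}
    netbios = Counter()                  # flows to broadcast per source
    udp445_targets = defaultdict(set)    # distinct UDP/445 destinations per source
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue
        dst, dport = ipaddress.ip_address(row["dst"]), int(row["dport"])
        if dport in NETBIOS_UDP and dst in broadcasts:
            netbios[row["src"]] += int(row["flows"])
        elif dport == 445:
            udp445_targets[row["src"]].add(dst)
    total = sum(netbios.values())
    # Heavy hitter: share of all NetBIOS broadcast flows >= threshold (assumed value).
    heavy = [(src, n, round(n / total, 3))
             for src, n in netbios.most_common() if n / total >= share_threshold]
    # Many distinct UDP/445 destinations from one source suggests scanning.
    scanners = sorted(s for s, t in udp445_targets.items() if len(t) >= scan_targets)
    return heavy, scanners


if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS, "10.1.20.0/24"))
```

Hosts in the first list are the ones to check for node type and WINS configuration; hosts in the second list warrant a closer look for worm activity.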