Port 138 137 Broadcast to subnet | Unix syslog port 3514 Snare Server


yasar1

Dear all,
I have a few Windows 2000 machines on which I set the Audit Policies
and installed the Snare client from InterSect Alliance to capture the
logs. These logs are then sent to a specific port on a Unix server
(port & server specified in Snare) that acts as a centralized Snare
server capturing the logs.

All works fine on most of the machines; however, 1 or 2 of the machines
on which I have NOT yet installed the Snare client seem to be sending
packets from port 138 or 137 to port 3514! I understand these to be UDP
NetBIOS ports that broadcast/listen, which is fine, BUT
I can't seem to figure out why they are sending info from port 137/8
to port 3514 on the Unix machine. Basically the result is that syslog just
shows garbage in the logs for the captured packets from these machines.

Any help or advice would be greatly appreciated.

Regards
Y
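One way to see on the collector side what is actually arriving on the Snare port, as an added example that is not part of this thread or of Snare: each UDP datagram is classified as a syslog message (RFC 3164 PRI header), a NetBIOS name-service (137) or datagram-service (138) packet by its RFC 1002 header layout, or unknown, and the hosts sending anything other than syslog are listed so they can be quarantined rather than logged as garbage. The sample datagrams and addresses are constructed.

```python
# Added example (not from the thread or from Snare): classify UDP datagrams arriving at a syslog
# collector such as the Snare port 3514, so NetBIOS noise from ports 137/138 can be quarantined
# rather than written into the log as garbage. Sample datagrams below are constructed.
import re
import struct

NETBIOS_NS, NETBIOS_DGM = 137, 138
PRI_RE = re.compile(rb"^<(\d{1,3})>")  # RFC 3164 PRI header, valid range 0..191

def looks_like_syslog(payload: bytes) -> bool:
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:
        return False
    # rest must be printable text; Snare separates event fields with tabs
    return all(b == 9 or 32 <= b < 127 for b in payload[m.end():].rstrip(b"\r\n"))

def looks_like_nbns(payload: bytes) -> bool:  # RFC 1002 name service: TRN_ID, FLAGS, 4 counts
    if len(payload) < 12:
        return False
    _trn, flags, qd, an, ns, ar = struct.unpack(">6H", payload[:12])
    opcode = (flags >> 11) & 0xF  # 0 query, 5 registration, 6 release, 7 WACK, 8 refresh
    return opcode in (0, 5, 6, 7, 8) and 1 <= qd + an + ns + ar <= 4

def looks_like_nbdgm(payload: bytes) -> bool:  # RFC 1002 datagram service: MSG_TYPE 0x10..0x16
    if len(payload) < 10 or not 0x10 <= payload[0] <= 0x16:
        return False
    if payload[0] <= 0x12:  # DIRECT_UNIQUE/GROUP/BROADCAST also carry DGM_LENGTH and PACKET_OFFSET
        return len(payload) >= 14 and struct.unpack(">H", payload[10:12])[0] <= len(payload) - 14
    return True

def classify_datagram(src_port: int, payload: bytes) -> str:
    if looks_like_syslog(payload):
        return "syslog"
    if src_port == NETBIOS_NS and looks_like_nbns(payload):
        return "netbios-ns"
    if src_port == NETBIOS_DGM and looks_like_nbdgm(payload):
        return "netbios-dgm"
    return "unknown"

def noisy_hosts(datagrams):  # hosts that sent anything other than syslog to the collector
    return sorted({ip for ip, port, payload in datagrams if classify_datagram(port, payload) != "syslog"})

SAMPLES = [  # constructed: Snare-style event, NBNS name query, NBDGM group datagram, junk
    ("10.0.0.5", 1066, b"<13>Nov  5 10:00:00 WIN2K MSWinEventLog\t1\tSecurity\t528\tLogon\n"),
    ("10.0.0.9", 137, struct.pack(">6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20"
        + b"EJEPEOEFEOEFECACACACACACACACACAA\x00" + struct.pack(">HH", 0x20, 1)),
    ("10.0.0.9", 138, struct.pack(">BBHIHHH", 0x11, 0x02, 0xABCD, 0x0A000009, 138, 4, 0) + b"DATA"),
    ("10.0.0.12", 138, b"\x00\x01\x02 not netbios, not syslog"),
]
```

Feeding the collector's received datagrams (source address, source port, payload) through `noisy_hosts` gives the list of machines to check with the tools Steve suggests, and `classify_datagram` can gate what is written to the log.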
 

Steven L Umbach

I don't know offhand. What would help is to use something like TCPView and/or
Process Explorer from SysInternals to see what process is associated with
that port use. Port Reporter may also be worth a try, though it is somewhat
limited in what the logs show in Windows 2000. If the process is svchost
you can use tlist -s to see the services associated with the process ID. ---
Steve

http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
http://support.microsoft.com/default.aspx?scid=kb;en-us;250320 --- tlist details
