Port 138

[Guest]

In my log file, every few minutes there is a deny from my external IP address to my Internal IP address from UDP port 138

Specifically, the error reads..

"%PIX-3-106011: Deny inbound (No xlate) udp src inside:172.20.67.20/138 dst inside:172.20.6.5/138

The destination address that it is looking for is an old ip address, which is no longer existing. Maybe it's got the IP address from the Browser list on the WINS Server which has a record of the old ip

Anyone know why it is doing this, and what exactly the 138 port is used for? I know what it says it is used for, but I don't understand what it is used for

Thanks
Brijesh

 

[Steven L Umbach]

Port 138 udp is alo used for logon/authentication [see link below]. Is the computer
making the logon attempt an unknown computer from the internet?? --- Steve

http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

In my log file, every few minutes there is a deny from my external IP address to my

Internal IP address from UDP port 138.

Specifically, the error reads...

"%PIX-3-106011: Deny inbound (No xlate) udp src inside:172.20.67.20/138 dst inside:172.20.6.5/138"

The destination address that it is looking for is an old ip address, which is no

longer existing. Maybe it's got the IP address from the Browser list on the WINS
Server which has a record of the old ip.

Anyone know why it is doing this, and what exactly the 138 port is used for? I

know what it says it is used for, but I don't understand what it is used for.

 

[Guest]

No It does'nt look like its making any logon attempt

Do you have any other solutions to this

----- Steven L Umbach wrote: ----

Port 138 udp is alo used for logon/authentication [see link below]. Is the compute
making the logon attempt an unknown computer from the internet?? --- Stev

http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.as

In my log file, every few minutes there is a deny from my external IP address to m

Internal IP address from UDP port 138longer existing. Maybe it's got the IP address from the Browser list on the WIN
Server which has a record of the old ip

 

[Steven L Umbach]

Without knowing any more on this end, check if it is comimg from an
untrusted computer and if it is put in a block all rule for that IP address
of the untrusted computer. If it is a known computer [dmz or such] have it
examined to see why it is doing such maybe using a Process Explorer. If you
have port forwarding enabled to a non existant computer, disable it and it
would not hurt to tombstone the old wins record on the wins server that owns
it. --- Steve

No It does'nt look like its making any logon attempt.

Do you have any other solutions to this.

----- Steven L Umbach wrote: -----

Port 138 udp is alo used for logon/authentication [see link below]. Is the computer
making the logon attempt an unknown computer from the internet?? --- Stevehttp://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

In my log file, every few minutes there is a deny from my external

IP address to my
Internal IP address from UDP port 138. inside:172.20.67.20/138 dst
inside:172.20.6.5/138" address, which is no
longer existing. Maybe it's got the IP address from the Browser list on the WINS
Server which has a record of the old ip. used for? I
know what it says it is used for, but I don't understand what it is used for.

Brijesh

 

[Steven L Umbach]

You will have to use something like Fort or TCPView on the computer that is
trying to access the nonexistant IP address and see what port 138 udp is
mapping to. TCPView in particular is good at tracking down
process/service/application that is using a port if you right click a
process for further details. Ethereal may be another option to view at the
packet level. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Right now my main concern is that why is the host pc broadcasting to

another non-existent ip address by using UDP port 138. I need to know the
reason why it is doing this and then only I can come up with a solution.
Ultimately I am going to block UDP 138, but then I also need to know the
penalties for blocking this port. All this will be possible only when I come
to know the real reason behind this broadcast............Brijesh

----- Steven L Umbach wrote: -----

Without knowing any more on this end, check if it is comimg from an
untrusted computer and if it is put in a block all rule for that IP address
of the untrusted computer. If it is a known computer [dmz or such] have it
examined to see why it is doing such maybe using a Process Explorer. If you
have port forwarding enabled to a non existant computer, disable it and it
would not hurt to tombstone the old wins record on the wins server that owns
it. --- Steve

No It does'nt look like its making any logon attempt.

Do you have any other solutions to this.
----- Steven L Umbach wrote: -----
Port 138 udp is alo used for logon/authentication [see link

below].
Is the computer

making the logon attempt an unknown computer from the

internet?? ---
Stevehttp://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

message
IP address to my
Internal IP address from UDP port 138. inside:172.20.67.20/138 dst
inside:172.20.6.5/138" address, which is no
longer existing. Maybe it's got the IP address from the

Browser list
on the WINS

Server which has a record of the old ip.

is
used for? I

know what it says it is used for, but I don't understand what

it is
used for.

 

[Guest]

It is quite clear from the log file that the host pc's UDP 138 port is trying to connect to a non-existant IP address on the same UDP 138 port. I can't check the host pc physically, cause it's located at another site in another country. All that I can access is the log file created on the server

Do you have any idea as to why is it trying to connect the non-existant IP address, I mean what service running on UDP 138 is causing it to broadcast........Brijes

----- Steven L Umbach wrote: ----

You will have to use something like Fort or TCPView on the computer that i
trying to access the nonexistant IP address and see what port 138 udp i
mapping to. TCPView in particular is good at tracking dow
process/service/application that is using a port if you right click
process for further details. Ethereal may be another option to view at th
packet level. --- Stev

http://www.sysinternals.com/ntw2k/source/tcpview.shtm

Right now my main concern is that why is the host pc broadcasting t

another non-existent ip address by using UDP port 138. I need to know th
reason why it is doing this and then only I can come up with a solution
Ultimately I am going to block UDP 138, but then I also need to know th
penalties for blocking this port. All this will be possible only when I com
to know the real reason behind this broadcast............Brijes

Without knowing any more on this end, check if it is comimg from a

untrusted computer and if it is put in a block all rule for that I addres
of the untrusted computer. If it is a known computer [dmz or such have i
examined to see why it is doing such maybe using a Process Explorer If yo
have port forwarding enabled to a non existant computer, disable i and i
would not hurt to tombstone the old wins record on the wins serve that own
it. --- Stev

"Brijesh" <[email protected]> wrote in messag

No It does'nt look like its making any logon attempt

Do you have any other solutions to this
----- Steven L Umbach wrote: ----
Port 138 udp is alo used for logon/authentication [see lin

below]
Is the compute

making the logon attempt an unknown computer from th

internet?? ---
Stev

messag
IP address to m
Internal IP address from UDP port 138 inside:172.20.67.20/138 ds
inside:172.20.6.5/138 address, which is n
longer existing. Maybe it's got the IP address from th

Browser lis
on the WIN

Server which has a record of the old ip

i
used for?

know what it says it is used for, but I don't understand wha

it i
used for

 

[Steven L Umbach]

Not without accessing the remote computer or possibly creating a test
computer with the IP address it wants to connect to, allowing it, and then
capturing the sequence with Ethereal to analyze the packet exchange. ---
Steve

It is quite clear from the log file that the host pc's UDP 138 port is

trying to connect to a non-existant IP address on the same UDP 138 port. I
can't check the host pc physically, cause it's located at another site in
another country. All that I can access is the log file created on the
server.

Do you have any idea as to why is it trying to connect the non-existant IP

address, I mean what service running on UDP 138 is causing it to
broadcast........Brijesh

----- Steven L Umbach wrote: -----

You will have to use something like Fort or TCPView on the computer that is
trying to access the nonexistant IP address and see what port 138 udp is
mapping to. TCPView in particular is good at tracking down
process/service/application that is using a port if you right click a
process for further details. Ethereal may be another option to view at the
packet level. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Right now my main concern is that why is the host pc broadcasting

to
another non-existent ip address by using UDP port 138. I need to know the
reason why it is doing this and then only I can come up with a solution.
Ultimately I am going to block UDP 138, but then I also need to know the
penalties for blocking this port. All this will be possible only when I come
to know the real reason behind this broadcast............Brijesh

from an
untrusted computer and if it is put in a block all rule for

that IP
address

of the untrusted computer. If it is a known computer [dmz or

such]
have it

examined to see why it is doing such maybe using a Process

Explorer.
If you

have port forwarding enabled to a non existant computer,

disable it
and it

would not hurt to tombstone the old wins record on the wins

server
that owns

it. --- Steve

"Brijesh" <[email protected]> wrote in

message

No It does'nt look like its making any logon attempt.
Do you have any other solutions to this.
----- Steven L Umbach wrote: -----
Port 138 udp is alo used for logon/authentication [see link

below].
Is the computer

making the logon attempt an unknown computer from the

internet?? ---
Steve

http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

external
IP address to my Browser list
on the WINS is
used for? I it is
used for.