Wireshark-users: Re: [Wireshark-users] Unexplained Netbios Traffic



From: "John Martin" <John.Martin@xxxxxxxxx>
Date: Wed, 1 Oct 2008 15:44:09 -0400

Try running tcpview (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx).  It’s a better version of netstat that will show attempted as well as established TCP/UDP sessions.  I’ve used it myself recently to find a process responsible for mystery traffic. 

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jon Ziminsky
Sent: Wednesday, October 01, 2008 3:13 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Unexplained Netbios Traffic

 

I understand how NetBIOS works... This server has tried to contact 350 hosts since this morning... All completely random.

The two I posted were examples of the 1000+ packets it has generated thus far today.

I have used ARIN to look up about 20 of the IPs and they are all over the board... From China to Amsterdam to the US...

The server in question is behind the corporate firewall, and has no outward facing ports. The firewall is blocking these packets before they leave the network.

Attached is a snippet of the capture files, as I tried to post the entire file and was told by the bot that my message was too big.
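
An added example, not part of the original messages: one way to quantify the pattern described in this thread from firewall deny records, by counting how many distinct external hosts each internal source sent NetBIOS traffic to. The record format, the addresses, the RFC 1918 definition of "internal" and the threshold are assumptions constructed for the example; it complements a per-host tool such as TCPView, which identifies the owning process.

```python
import ipaddress
from collections import defaultdict

# NetBIOS over TCP/IP ports: name service, datagram service, session service.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Assumption: "internal" means RFC 1918 space; adjust to the local address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of denied flows: "src_ip dst_ip proto dst_port".
SAMPLE_DENIES = """\
10.1.2.30 198.51.100.7 udp 137
10.1.2.30 203.0.113.45 udp 137
10.1.2.30 192.0.2.200 udp 137
10.1.2.30 10.1.2.255 udp 137
10.1.2.30 198.51.100.7 udp 137
10.1.2.41 10.1.2.255 udp 138
10.1.2.41 203.0.113.9 tcp 443
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_netbios_targets(log_text):
    """Map each internal source to the set of external hosts it sent NetBIOS to."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        src, dst, proto, port = fields
        try:
            if (proto.lower(), int(port)) not in NETBIOS_PORTS:
                continue
            if is_internal(src) and not is_internal(dst):
                targets[src].add(dst)
        except ValueError:
            continue  # non-numeric port or unparsable address
    return dict(targets)

def noisy_hosts(log_text, threshold=3):
    """Sources with at least `threshold` distinct external NetBIOS destinations."""
    return sorted((src, len(dsts))
                  for src, dsts in external_netbios_targets(log_text).items()
                  if len(dsts) >= threshold)

if __name__ == "__main__":
    for src, count in noisy_hosts(SAMPLE_DENIES):
        print(f"{src}: NetBIOS to {count} distinct external hosts")
```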
