
Fwd: Re: finding network activity



Hi,

Replying to my own post, I turned on tcpdump -vvv -i any and saw that a
Windows 95 box that is on my small internal network is the culprit.  It
is generating stuff like this:

19:39:24.082631 lab.netbios-dgm > 192.168.1.255.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x1102 ID=0x668 IP=192 (0xc0).168 (0xa8).1 (0x1).3 (0x3) Port=138 (0x8a) Length=194 (0xc2) Res2=0x0
SourceName=DEFAULT         NameType=0x00 (Workstation)
DestName=
WARNING: Short packet. Try increasing the snap length

 (ttl 128, id 12553, len 236)
19:39:24.082703 lab.netbios-ns > 192.168.1.255.netbios-ns:  [udp sum
 ok]

>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

TrnID=0x66C
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WORKGROUP       NameType=0x1B (Domain Controller)
QuestionType=0x20
QuestionClass=0x1

 (ttl 128, id 12809, len 78)
19:39:24.834084 lab.netbios-ns > 192.168.1.255.netbios-ns:  [udp sum
 ok]

>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

TrnID=0x66C
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WORKGROUP       NameType=0x1B (Domain Controller)
QuestionType=0x20
QuestionClass=0x1

 (ttl 128, id 13065, len 78)
19:39:25.585801 lab.netbios-ns > 192.168.1.255.netbios-ns:  [udp sum
 ok]

>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

TrnID=0x66C
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WORKGROUP       NameType=0x1B (Domain Controller)
QuestionType=0x20
QuestionClass=0x1

 (ttl 128, id 13321, len 78)
19:39:26.341866 arp who-has golden tell lab
19:39:26.342067 arp reply golden is-at 0:5:9a:20:75:65
(0:40:f4:44:ed:2b)
19:39:26.342313 lab.netbios-ns > 209.210.176.9.domain:  [udp sum ok]
1644+ A? WORKGROUP. . (34) (ttl 128, id 13577, len 62)
19:39:26.342585 67.2.152.75.netbios-ns > 209.210.176.9.domain:  [udp
 sum ok] 1644+ A? WORKGROUP. . (34) (ttl 127, id 13577, len 62)
19:39:26.343701 67.2.152.75.33184 > 209.210.176.8.domain:  [udp sum ok]
14911+ PTR? 75.152.2.67.in-addr.arpa. [|domain] (DF) (ttl 64, id 36174,
len 70)
19:39:27.320572 67.2.152.75.33185 > 209.210.176.8.domain:  [udp sum ok]
51493+ PTR? 75.152.2.67.in-addr.arpa. [|domain] (DF) (ttl 64, id 36272,
len 70)

The timestamp for when this query starts up coincides with when my
modem starts to dial.  Is there any way to block this query?  I am
running ipmasq with a 2.4.19 kernel, which uses iptables.  I just have
the default setup.  I am ignorant about the rules that are used, but I
guess this is a good time to learn about them and how to add one.

Thanks,

John Schmidt

On Sunday 15 December 2002 12:45 pm, John Schmidt wrote:
> Hi,
>
> I have demand dialing turned on and would like to determine why ppp
> is starting up at 15 minute intervals.  I am looking at syslog and
> not seeing anything that would initiate outside traffic.  I also have
> tcpdump -i any turned on and not seeing anything either.  I removed
> ntpdate and exim, since earlier I was seeing exim in the syslog.
> However, with exim and ntpdate gone, something is still causing pppd
> to start up.  In addition, my web browser was on my home directory.
> Just for testing's sake, I don't have my web browser running now.
>
> Are there any other network monitoring tools that may tell me what is
> initiating TCP connections and forcing pppd to start up?
>
> Thanks,
>
> John Schmidt
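
The capture above shows the usual shape of this problem: the Windows box broadcasts NetBIOS name queries on the LAN, gets no answer, and then falls back to asking the ISP's DNS server for "WORKGROUP." (note the source port is still netbios-ns, 137). That one forwarded UDP packet is enough to bring the demand-dial link up. The PTR lookups with ttl 64 from 67.2.152.75 are most likely the gateway itself resolving names for tcpdump's display; running tcpdump with -n avoids generating them. The following sh script is an added example written for this thread, not something posted by its author: it builds iptables FORWARD rules that drop NetBIOS/SMB traffic from the masqueraded LAN before it is routed out the ppp interface, so the packet is discarded before pppd sees any reason to dial. The interface name ppp0, the LAN 192.168.1.0/24 (taken from the capture) and the iptables path are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original thread). Keep NetBIOS and SMB
# traffic from the masqueraded LAN off the dial-up link so it cannot
# trigger demand dialing on a 2.4 kernel with iptables.
#
# Assumptions: the dial-up interface is ppp0, the LAN is 192.168.1.0/24
# (the broadcast address in the capture was 192.168.1.255), and the
# iptables binary is on the PATH. All three can be overridden.
PPP_IF="${PPP_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-iptables}"

# Print one iptables command per line without executing anything, so
# the rule set can be read (or compared against iptables -L -v) first.
netbios_rules() {
    for proto in udp tcp; do
        # NetBIOS name/datagram/session (137-139) and direct SMB (445)
        # from the LAN, leaving on the ppp link: drop in FORWARD, which
        # runs before the packet is queued to the interface.
        echo "$IPTABLES -A FORWARD -s $LAN_NET -o $PPP_IF -p $proto --dport 137:139 -j DROP"
        echo "$IPTABLES -A FORWARD -s $LAN_NET -o $PPP_IF -p $proto --dport 445 -j DROP"
        # The capture shows a DNS query sent *from* source port 137 to
        # the ISP resolver (Windows' NetBIOS-over-DNS fallback), so the
        # source port range has to be matched as well.
        echo "$IPTABLES -A FORWARD -s $LAN_NET -o $PPP_IF -p $proto --sport 137:139 -j DROP"
    done
}

# Number of rules the generator produces; handy as a sanity check.
rule_count() {
    netbios_rules | wc -l | tr -d ' '
}

# Execute the generated rules. A rate-limited LOG rule goes in first so
# the dial-up trigger keeps showing up in syslog after it is blocked.
# The LOG rule is run directly because its prefix contains a space,
# which the simple word-split loop below could not carry through.
apply_netbios_rules() {
    $IPTABLES -A FORWARD -s "$LAN_NET" -o "$PPP_IF" -p udp --sport 137:139 \
        -m limit --limit 6/hour -j LOG --log-prefix "netbios-dial-trigger: "
    netbios_rules | while read -r cmd; do
        $cmd
    done
}

case "${1:-}" in
    apply) apply_netbios_rules ;;   # needs root
    *)     netbios_rules ;;         # default: dry run, just print
esac
```

Two things to watch when applying this on a box set up by ipmasq: the rules are appended with -A, so if the existing FORWARD chain already has an ACCEPT rule for the LAN they must be inserted ahead of it (use -I FORWARD 1 instead, or put the script in the ipmasq rule directory so it runs before the accept rules), and the rules do not survive a reboot unless they are saved or re-run from a startup script. An alternative that needs no firewall change is pppd's own active-filter option (available when pppd is built with libpcap support), which takes a tcpdump-style expression describing the packets that are allowed to bring the link up; excluding udp ports 137 through 139 there stops the dialing while still letting the packets out once the link is up for some other reason.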
