
Dropped packets from 192.168.1.255

Discussion in 'Networking' started by MatthewHSE, Jan 9, 2007.

Thread Status:
Not open for further replies.
  1. MatthewHSE

    MatthewHSE Thread Starter

    Joined:
    Jan 9, 2007
    Messages:
    30
    I've got a small home network of seven PC's. It's a wired (ethernet) network with gigabit switches and LAN cards. Four of the PC's are on Windows XP and the rest are Windows 2000. The whole thing is behind a NAT router/firewall with no port forwarding enabled, no DMZ, etc., and a ShieldsUp test at grc.com shows all ports as stealth.

    Each computer on the LAN has a static LAN IP address.

    The other day I enabled firewall logging on one of the WinXP computers (it only uses the standard Windows firewall). I enabled logging for successful connections and for dropped packets. After a couple days I checked the log to see what it was recording. I understood most of the entries, but there were others that I just don't get. Here's a small sampling:

    Log fields:
    date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

    src-ip for the following entry is our network printer:
    2007-01-05 07:36:38 DROP UDP 192.168.1.70 192.168.1.255 2068 138 229 - - - - - - - RECEIVE

    src-ip for the following entries are for other computers on our LAN, but NO entries like this have a src-ip matching the computer that recorded the log:
    2007-01-05 09:17:42 DROP UDP 192.168.1.53 192.168.1.255 138 138 254 - - - - - - - RECEIVE
    2007-01-05 11:18:59 DROP UDP 192.168.1.57 192.168.1.255 137 137 78 - - - - - - - RECEIVE
    2007-01-05 13:34:13 DROP UDP 192.168.1.54 192.168.1.255 137 137 78 - - - - - - - RECEIVE

    In looking over the complete log file, the following statements apply:

    • Where the src-ip is another computer on the network, the src-port and dst-port are always 137 or 138, and always match. The size is most commonly 78.
    • Where the src-ip is our printer (192.168.1.70), the src-port is anywhere between 2068 and 2099, and the dst-port is always 138.
    • 192.168.1.255 is always the dst-port, never the src-port.
    • Anything that involves 192.168.1.255 shows DROP in the action field (indicating dropped packets?)

    I've done some searching around and found that 192.168.1.255 is a "broadcast address." The problem is that I never set up a broadcast address (does it have to be set up to be present?), and I don't know why this computer's firewall would log dropped packets from the broadcast address since this machine is never listed as the src-ip in any of those entries.

    I'd really appreciate some clarification on this since I basically don't understand what's going on at all.

    Thanks in advance,

    Matthew
     
  2. Scully

    Scully

    Joined:
    Oct 1, 2000
    Messages:
    223
    Hi Matthew,
    You are correct that the address is the broadcast address.
    What is most likely happening is that your printer has a certain protocol enabled and it is trying to broadcast to find a certain provider for that protocol. In this instance it is ports 137 & 138, which are generally used by NetBIOS. Here is some info on those ports:

    137:
    Name: netbios-ns

    Purpose: NetBIOS Name Service

    Description:
    UDP NetBIOS name query packets are sent to this port, usually of Windows machines but also of any other system running Samba (SMB), to ask the receiving machine to disclose and return its current set of NetBIOS names.

    138:
    Name: netbios-dgm

    Purpose: NETBIOS Datagram Service

    Description:
    UDP NetBIOS datagram packets are exchanged over this port, usually with Windows machines but also with any other system running Samba (SMB). These UDP NetBIOS datagrams support non-connection oriented file sharing activities.

    You can most likely get rid of this by disabling, if possible, NetBIOS or Samba on the print server.

    Hope that helps.
    Cheers!
    Scully
     
  3. MatthewHSE

    MatthewHSE Thread Starter

    Joined:
    Jan 9, 2007
    Messages:
    30
    Wow, that was fast! :) Thanks for the quick reply!

    Based on what you said, I checked and found the printer does not have any options dealing with netbios or samba. It's a Konica-Minolta 5430 DL and online support is bad; I may call the company in a bit and see if they can offer any insights.

    So anyway, just to make sure I understand properly, are you saying the printer is likely responsible for all firewall log entries like the ones I posted before, even where the printer IP is not included in the logfile entry? Here are a couple lines like that again:

    date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    2007-01-05 09:17:42 DROP UDP 192.168.1.53 192.168.1.255 138 138 254 - - - - - - - RECEIVE
    2007-01-05 11:18:59 DROP UDP 192.168.1.57 192.168.1.255 137 137 78 - - - - - - - RECEIVE
    2007-01-05 13:34:13 DROP UDP 192.168.1.54 192.168.1.255 137 137 78 - - - - - - - RECEIVE

    None of those src-ip addresses are the printer; they're just other PC's on the network. I should also note in case I missed it before that none of those IP's belong to the computer that recorded the log.

    My main concern here is to rule out (if possible) the possibility that these entries are the result of some sort of malicious or unwanted activity on our network. If it's harmless, expected behavior, I can live with it.

    Thanks again for your help!

    Matthew
     
  4. Scully

    Scully

    Joined:
    Oct 1, 2000
    Messages:
    223
    You're welcome,

    You could also see these from clients running windows OS. Do you have a domain or workgroup? You could check the PC's NIC properties and see if Netbios is enabled or Netbios over TCP/IP is enabled.

    You could also run a packet capture using Ethereal for instance to see what the broadcast packets contain. My guess is that it is the machines using Netbios though.

    Cheers,
    Scully
     
  5. MatthewHSE

    MatthewHSE Thread Starter

    Joined:
    Jan 9, 2007
    Messages:
    30
    These computers are all part of the same workgroup (we don't have a domain) and NetBIOS is enabled on all the computers. I tried disabling it but that appears to disable the ability to access files on other computers on the network, which is a feature we can't do without.

    So I guess this is just normal, expected network behavior for a setup like ours. Thanks again for helping figure it out!

    Matthew
     
  6. ITpro4470

    ITpro4470

    Joined:
    Jan 5, 2007
    Messages:
    58
    The broadcast address is always the very last IP address in a subnet; it's set up that way automatically. In your case the network is 192.168.1.0, the valid hosts are 192.168.1.1-254, and the broadcast address is 192.168.1.255. This is true if you are using the 255.255.255.0 subnet mask, which is standard for most home networking equipment.
    The broadcast goes out to each computer in the same broadcast domain, which is any devices hooked up to switches or hubs, as routers will block (most) broadcasts.
     
  7. TerryNet

    TerryNet Terry Moderator

    Joined:
    Mar 23, 2005
    Messages:
    69,582
    As long as you're talking about broadcasts, wouldn't DHCP requests be broadcast? And wouldn't the computers be dropping those as the router (in this network) would be the only one able to respond?
     
  8. ITpro4470

    ITpro4470

    Joined:
    Jan 5, 2007
    Messages:
    58
    You are correct. The hosts will send a broadcast to ask the server for an IP, and the other hosts in the same broadcast domain that are not the DHCP server will drop those packets. The reason we don't see that in this case is because this network has all static IP addresses, therefore no DHCP requests are being sent.
     
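The following is an added example, not code posted by anyone in this thread. It ties together the points made above: the Windows Firewall log format quoted in the first post, the NetBIOS ports 137/138 explained in the second reply, the subnet-to-broadcast-address calculation from post 6, and the DHCP broadcasts discussed in posts 7 and 8. It parses the `#Fields:`-style pfirewall.log layout, derives the broadcast address from the subnet the way ITpro4470 describes, and sorts dropped broadcast packets into "expected" (NetBIOS name/datagram service, DHCP client to server port) versus "investigate" (broadcasts to other ports, or from a source address that is not on the LAN). The four data lines from the thread are reused; the DHCP and TCP lines after them are constructed here to exercise the classifier and were not in the original log.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Column order from the "#Fields:" header of a Windows 2000/XP-era pfirewall.log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample: the four entries quoted in the thread, plus a DHCP client
# broadcast and a unicast TCP SYN added here (not from the original log).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-01-05 07:36:38 DROP UDP 192.168.1.70 192.168.1.255 2068 138 229 - - - - - - - RECEIVE
2007-01-05 09:17:42 DROP UDP 192.168.1.53 192.168.1.255 138 138 254 - - - - - - - RECEIVE
2007-01-05 11:18:59 DROP UDP 192.168.1.57 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-01-05 13:34:13 DROP UDP 192.168.1.54 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-01-05 14:02:07 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2007-01-05 14:10:55 DROP TCP 192.168.1.53 192.168.1.50 4411 4444 48 S 1234567 0 65535 - - - RECEIVE
"""


class Entry(NamedTuple):
    date: str
    time: str
    action: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for ICMP lines, which carry '-' here
    dst_port: Optional[int]
    path: str                 # RECEIVE or SEND


def _port(value: str) -> Optional[int]:
    return int(value) if value.isdigit() else None


def parse_log(text: str) -> List[Entry]:
    """Parse pfirewall.log text; honours a #Fields: header if one is present."""
    fields = FIELDS
    entries: List[Entry] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated lines rather than misalign columns
        rec = dict(zip(fields, parts))
        entries.append(Entry(rec["date"], rec["time"], rec["action"], rec["protocol"],
                             rec["src-ip"], rec["dst-ip"], _port(rec["src-port"]),
                             _port(rec["dst-port"]), rec["path"]))
    return entries


def broadcast_address(network: str) -> str:
    """'192.168.1.0/24' or '192.168.1.53/255.255.255.0' -> '192.168.1.255'."""
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(entry: Entry, network: str) -> str:
    """Label a dropped packet given the LAN subnet (e.g. '192.168.1.0/24')."""
    net = ipaddress.ip_network(network, strict=False)
    src = ipaddress.ip_address(entry.src_ip)
    dst = ipaddress.ip_address(entry.dst_ip)
    if dst != net.broadcast_address and dst != LIMITED_BROADCAST:
        return "unicast"
    # A broadcast whose source is not on our subnet (and not the 0.0.0.0 a
    # DHCP client uses before it has a lease) should not appear behind a NAT router.
    if src not in net and not src.is_unspecified:
        return "investigate: broadcast from off-subnet source"
    if entry.protocol == "UDP" and entry.dst_port in NETBIOS_PORTS:
        return "expected: " + NETBIOS_PORTS[entry.dst_port]
    if entry.protocol == "UDP" and entry.dst_port == 67:
        return "expected: DHCP client broadcast"
    return "investigate: broadcast to unexpected port"


def summarize(text: str, network: str) -> Dict[str, int]:
    """Count DROP entries per classification."""
    return dict(Counter(classify(e, network)
                        for e in parse_log(text) if e.action == "DROP"))


if __name__ == "__main__":
    lan = "192.168.1.0/24"
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.date} {e.time} {e.src_ip}:{e.src_port} -> "
              f"{e.dst_ip}:{e.dst_port} {e.protocol}  {classify(e, lan)}")
    print(summarize(SAMPLE_LOG, lan))
```

On a real machine you would read `%windir%\pfirewall.log` instead of `SAMPLE_LOG` and pass the LAN's own subnet. Anything that lands in an "investigate" bucket, or any NetBIOS broadcast whose source is not one of the known hosts, is what deserves a packet capture; the name-service and datagram-service chatter between workgroup members is the normal noise the thread concludes it is.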
  9. Scully

    Scully

    Joined:
    Oct 1, 2000
    Messages:
    223
    Any time Matthew

    And thanks for the additional info ITpro
     
Short URL to this thread: https://techguy.org/533664