NBNS Protocol overloading a vlan
Hello, first time posting here; I apologize if I screw it up.
We are seeing random 'NetBIOS Name Service' (WINS) broadcasts (1-3 times a day at random times) going across a VLAN. This traffic overloads the VLAN and our phone system goes down as a result due to heartbeat timers expiring between devices.
Here is an example:
15641 2020-03-09 08:01:12.435091 169.254.175.195 169.254.255.255 NBNS 110 Registration NB OH101289<20>

Frame 15641: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface \Device\NPF_{4CB19F40-9878-4814-8D24-F2CF192BBA0D}, id 0
    Interface id: 0 (\Device\NPF_{4CB19F40-9878-4814-8D24-F2CF192BBA0D})
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 9, 2020 08:01:12.435091000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1583755272.435091000 seconds
    [Time delta from previous captured frame: 0.000080000 seconds]
    [Time delta from previous displayed frame: 0.000080000 seconds]
    [Time since reference or first frame: 2226.259421000 seconds]
    Frame Number: 15641
    Frame Length: 110 bytes (880 bits)
    Capture Length: 110 bytes (880 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:nbns]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || netbios]
Ethernet II, Src: Watlow_00:2a:0f (00:03:aa:00:2a:0f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: Watlow_00:2a:0f (00:03:aa:00:2a:0f)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 169.254.175.195, Dst: 169.254.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 96
    Identification: 0xc40d (50189)
    Flags: 0x0000
    ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 48
    Protocol: UDP (17)
    Header checksum: 0xc2bf [validation disabled]
    [Header checksum status: Unverified]
    Source: 169.254.175.195
    Destination: 169.254.255.255
User Datagram Protocol, Src Port: 137, Dst Port: 137
    Source Port: 137
    Destination Port: 137
    Length: 76
    Checksum: 0x8e6e [unverified]
    [Checksum Status: Unverified]
    [Stream index: 335]
    [Timestamps]
NetBIOS Name Service
    Transaction ID: 0xd4c8
    Flags: 0x2910, Opcode: Registration, Recursion desired, Broadcast
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        OH101289<20>: type NB, class IN
    Additional records

It looks like the source device is in the Ethernet II field and is named "Watlow_MAC Address", and the target being queried is a workstation on our network named "OH101289".
Does this sound correct in my source/destination assumption? I am unsure as to why the source device would be targeting the destination workstation, as I assumed this was a UDP broadcast.
Any help would be appreciated.
Thanks
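
Added example, not part of the original post: a decoder for the NBNS header and question name in the dissection above, showing how the flags value 0x2910 and the name OH101289<20> are carried in the UDP/137 payload. The payload bytes are constructed from the fields shown in the post (the additional record, which the post does not list, is left out), and the function names are illustrative.

```python
import struct

OPCODES = {0: "Query", 5: "Registration", 6: "Release", 7: "WACK", 8: "Refresh"}

def encode_name(name, suffix):
    """First-level encode a NetBIOS name: 15 padded chars + 1 suffix byte."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(half)]) + half + b"\x00"

def decode_name(buf, off):
    """Return (name, suffix, next_offset); names with a scope ID are rejected."""
    if off + 34 > len(buf) or buf[off] != 32 or buf[off + 33] != 0:
        raise ValueError("not a plain 32-byte NetBIOS name label")
    enc = buf[off + 1: off + 33]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("invalid half-ASCII character")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], off + 34

def parse_nbns(payload):
    """Decode the NBNS header and the first question of a UDP/137 payload."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    name, suffix, off = decode_name(payload, 12)
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!2H", payload[off:off + 4])
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),         # R bit: 0 = request
        "opcode": OPCODES.get((flags >> 11) & 0xF, "Other"),
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),        # B bit: sent as broadcast
        "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass,
    }

# Constructed sample: header and question rebuilt from the dissection in the
# post (txid 0xd4c8, flags 0x2910, 1 question, 1 additional RR, type NB/IN).
SAMPLE = (
    struct.pack("!6H", 0xD4C8, 0x2910, 1, 0, 0, 1)
    + encode_name("OH101289", 0x20)
    + struct.pack("!2H", 0x0020, 0x0001)
)

if __name__ == "__main__":
    print(parse_nbns(SAMPLE))
```

In a Registration request the question name is the name the sender is claiming for itself; the `<20>` suffix is the sixteenth byte of the name, not part of the host name.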