# Dropped packets from 192.168.1.255



## MatthewHSE (Jan 9, 2007)

I've got a small home network of seven PCs. It's a wired (ethernet) network with gigabit switches and LAN cards. Four of the PCs are on Windows XP and the rest are Windows 2000. The whole thing is behind a NAT router/firewall with no port forwarding enabled, no DMZ, etc., and a ShieldsUp test at grc.com shows all ports as stealth.

Each computer on the LAN has a static LAN IP address.

The other day I enabled firewall logging on one of the WinXP computers (it only uses the standard Windows firewall). I enabled logging for successful connections and for dropped packets. After a couple days I checked the log to see what it was recording. I understood most of the entries, but there were others that I just don't get. Here's a small sampling:

Log fields:

```
date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
```

src-ip for the following entry is our network printer:

```
2007-01-05 07:36:38 DROP UDP 192.168.1.70 192.168.1.255 2068 138 229 - - - - - - - RECEIVE
```

src-ip for the following entries are for other computers on our LAN, but NO entries like this have a src-ip matching the computer that recorded the log:

```
2007-01-05 09:17:42 DROP UDP 192.168.1.53 192.168.1.255 138 138 254 - - - - - - - RECEIVE
2007-01-05 11:18:59 DROP UDP 192.168.1.57 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-01-05 13:34:13 DROP UDP 192.168.1.54 192.168.1.255 137 137 78 - - - - - - - RECEIVE
```

In looking over the complete log file, the following statements apply:

- Where the src-ip is another computer on the network, the src-port and dst-port are always 137 or 138, and always match. The size is most commonly 78.
- Where the src-ip is our printer (192.168.1.70), the src-port is anywhere between 2068 and 2099, and the dst-port is always 138.
- 192.168.1.255 is always the dst-port, never the src-port.
- Anything that involves 192.168.1.255 shows DROP in the action field (indicating dropped packets?)

I've done some searching around and found that 192.168.1.255 is a "broadcast address." The problem is that I never set up a broadcast address (does it have to be set up to be present?), and I don't know why this computer's firewall would log dropped packets from the broadcast address since this machine is never listed as the src-ip in any of those entries.

I'd really appreciate some clarification on this since I basically don't understand what's going on at all.

Thanks in advance,

Matthew


----------



## Scully (Oct 1, 2000)

Hi Matthew,
You are correct that the address is the broadcast address.
What is most likely happening is that your printer has a certain protocol enabled and it is trying to broadcast to find a certain provider for that protocol. In this instance it is ports 137 & 138, which are generally used by NetBIOS. Here is some info on those ports:

137:
Name: netbios-ns

Purpose: NetBIOS Name Service

Description: 
UDP NetBIOS name query packets are sent to this port, usually of Windows machines but also of any other system running Samba (SMB), to ask the receiving machine to disclose and return its current set of NetBIOS names.

138:
Name: netbios-dgm

Purpose: NETBIOS Datagram Service

Description: 
UDP NetBIOS datagram packets are exchanged over this port, usually with Windows machines but also with any other system running Samba (SMB). These UDP NetBIOS datagrams support non-connection oriented file sharing activities.

You can most likely get rid of this by disabling, if possible, NetBIOS or Samba on the print server.

Hope that helps.
Cheers!
Scully


----------



## MatthewHSE (Jan 9, 2007)

Wow, that was fast!  Thanks for the quick reply!

Based on what you said, I checked and found the printer does not have any options dealing with netbios or samba. It's a Konica-Minolta 5430 DL and online support is bad; I may call the company in a bit and see if they can offer any insights.

So anyway, just to make sure I understand properly, are you saying the printer is likely responsible for all firewall log entries like the ones I posted before, even where the printer IP is not included in the logfile entry? Here are a couple lines like that again:

```
date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-01-05 09:17:42 DROP UDP 192.168.1.53 192.168.1.255 138 138 254 - - - - - - - RECEIVE
2007-01-05 11:18:59 DROP UDP 192.168.1.57 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-01-05 13:34:13 DROP UDP 192.168.1.54 192.168.1.255 137 137 78 - - - - - - - RECEIVE
```

None of those src-ip addresses are the printer; they're just other PCs on the network. I should also note, in case I missed it before, that none of those IPs belong to the computer that recorded the log.

My main concern here is to rule out (if possible) the possibility that these entries are the result of some sort of malicious or unwanted activity on our network. If it's harmless, expected behavior, I can live with it.

Thanks again for your help!

Matthew


----------



## Scully (Oct 1, 2000)

You're welcome,

You could also see these from clients running a Windows OS. Do you have a domain or workgroup? You could check the PCs' NIC properties and see if NetBIOS is enabled or NetBIOS over TCP/IP is enabled.

You could also run a packet capture using Ethereal, for instance, to see what the broadcast packets contain. My guess is that it is the machines using NetBIOS though.

Cheers,
Scully


----------



## MatthewHSE (Jan 9, 2007)

These computers are all part of the same workgroup (we don't have a domain) and NetBIOS is enabled on all the computers. I tried disabling it but that appears to disable the ability to access files on other computers on the network, which is a feature we can't do without.

So I guess this is just normal, expected network behavior for a setup like ours. Thanks again for helping figure it out!

Matthew


----------



## ITpro4470 (Jan 6, 2007)

The broadcast address is always the very last IP address in a subnet; it's set up that way automatically. In your case the network is 192.168.1.0, the valid hosts are 192.168.1.1-254 and the broadcast address is 192.168.1.255. This is true if you are using the 255.255.255.0 subnet mask, which is standard for most home networking equipment.
The broadcast goes out to each computer in the same broadcast domain, which is any devices hooked up to switches or hubs, as routers will block (most) broadcasts.


----------



## TerryNet (Mar 23, 2005)

As long as you're talking about broadcasts, wouldn't DHCP requests be broadcast? And wouldn't the computers be dropping those, as the router (in this network) would be the only one able to respond?


----------



## ITpro4470 (Jan 6, 2007)

You are correct: the hosts will send a broadcast to ask the server for an IP, and the other hosts in the same broadcast domain that are not the DHCP server will drop those packets. The reason we don't see that in this case is because this network has all static IP addresses; therefore no DHCP requests are being sent.


MatthewHSE said:


> Each computer on the LAN has a static LAN IP address.


----------
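As an added example (not posted by anyone in this thread), the following script applies the reasoning above to the Windows XP firewall log format Matthew quoted: it computes the subnet broadcast address the way ITpro4470 describes, and labels each dropped packet to that address as expected NetBIOS workgroup chatter (UDP 137/138, per Scully's port notes), an expected DHCP client broadcast (the case TerryNet raised), or something worth a closer look. The first three sample lines are the thread's own entries; the last two lines, the label names, and the `192.168.1.0/24` assumption are constructed here.

```python
import ipaddress

# Constructed sample in the layout of the Windows XP firewall log quoted in the thread
# (fields: date time action protocol src-ip dst-ip src-port dst-port size ... path).
# The first three entries copy the thread's lines; the last two are made up for this example.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-01-05 07:36:38 DROP UDP 192.168.1.70 192.168.1.255 2068 138 229 - - - - - - - RECEIVE
2007-01-05 09:17:42 DROP UDP 192.168.1.53 192.168.1.255 138 138 254 - - - - - - - RECEIVE
2007-01-05 11:18:59 DROP UDP 192.168.1.57 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-01-05 12:00:00 DROP UDP 0.0.0.0 255.255.255.255 68 67 300 - - - - - - - RECEIVE
2007-01-05 12:05:00 DROP UDP 10.9.8.7 192.168.1.255 4444 1900 120 - - - - - - - RECEIVE
"""

NETBIOS_PORTS = {137, 138}  # netbios-ns and netbios-dgm, as described in the thread


def broadcast_address(ip, mask):
    """Directed broadcast of the subnet: its last address (ITpro4470's rule)."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).broadcast_address)


def classify(proto, src, dst, sport, dport, net):
    """Label one dropped packet; net is the LAN as an ipaddress.IPv4Network."""
    if dst != net.broadcast_address and str(dst) != "255.255.255.255":
        return "unicast"
    if proto == "UDP" and sport == 68 and dport == 67:
        return "expected-dhcp"          # client asking for a lease; only the router answers
    if src not in net:
        return "review-foreign-source"  # a broadcast from outside our own subnet should not occur
    if proto == "UDP" and dport in NETBIOS_PORTS:
        return "expected-netbios"       # workgroup name/datagram chatter from a LAN host
    return "review-other-broadcast"     # some other broadcast: worth a packet capture


def triage(log_text, lan_cidr):
    """Parse the log and return (src, dst, dport, label) for every DROP entry."""
    net = ipaddress.IPv4Network(lan_cidr)
    out = []
    for line in log_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 8 or f[2] != "DROP":
            continue
        proto, src, dst = f[3], ipaddress.IPv4Address(f[4]), ipaddress.IPv4Address(f[5])
        sport = int(f[6]) if f[6].isdigit() else None  # ICMP entries carry "-" here
        dport = int(f[7]) if f[7].isdigit() else None
        out.append((str(src), str(dst), dport, classify(proto, src, dst, sport, dport, net)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "192.168.1.0/24"):
        print(*row)
```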



## Scully (Oct 1, 2000)

Any time Matthew

And thanks for the additional info ITpro


----------

