Hello NoNotTheSquirrelsAgain - And welcome to ask.wireshark.org

My answer is based on the assumption that the packet was delivered through UDP port 137. This is a somewhat educated guess, since your question did not include the IP or UDP headers.

The message is a NetBIOS registration. To me, this packet indicates a number of problems:

Missing IP configuration or missing DHCP server

IP addresses are either configured by the administrator or dynamically assigned through a DHCP server. If the host does not receive an address through DHCP, it will revert to an APIPA address (= Automatic Private IP Address). This address is randomly chosen from the address block 169.254.x.x. This network block is usually not routed.

Use of SMB v1

The message shown in your post only makes sense in the world of SMB v1. This protocol is now deprecated. Microsoft has recommended deactivating the old version for a number of years. One of many web pages listing that recommendation is on TechNet.

Please stop using SMB v1.

What the message is about

SMB v1 is based on NetBIOS and uses very old mechanisms to translate a hostname like OH101289 to a network address. Back in the day, this could even be a MAC address, since NetBIOS could (and did) run without IP support. Today only the oldest of printers still support NetBIOS over Ethernet or IPX.

In the world of NetBIOS, each host has to register its name on the network. This is done through host announcements, like the one quoted in your question. Typically a host would call out its name 3 times, often with a 1 second interval. If no other host objects, the sender can safely assume that this name is unique and available and continue normal operations. Other hosts can use the NetBIOS Name Resolution, running on UDP port 137, to translate this hostname into an IP address.

Please note that the broadcast messages will continue, even if you assign an IP address to your Watlow devices. The broadcasts are part of SMB v1.

Fixing the broadcasts

I highly recommend turning off SMB v1. Use SMB v2 or v3 if possible. Or switch to a completely different protocol to exchange files.

Depending on the number of nodes and the size of your network you might want to consider isolating all Watlow devices into a separate VLAN.

Or - considering the lack of a DHCP-assigned address - unplug them. Please remember that your regular hosts cannot communicate with the 169.254.x.x addresses anyway.

Good luck!

Eddi
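
To find every host on a segment that behaves like the devices discussed above, the UDP port 137 payload of a name registration can be decoded and the address it claims checked against the 169.254.x.x block. The following is an added example, not part of Eddi's answer or of Wireshark; the function names, the sample address 169.254.10.20, the flags value 0x2910 and the assumed record layout (additional record using the 0xC00C name pointer) are illustrative assumptions.

```python
import ipaddress
import struct

APIPA = ipaddress.ip_network("169.254.0.0/16")  # the 169.254.x.x block from the answer
OPCODE_REGISTRATION = 5                          # NBNS opcode for name registration

def encode_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars + suffix byte, one letter A-P per nibble."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))

def decode_name(enc):
    """Reverse of encode_name; returns (name, suffix) or None if the encoding is invalid."""
    if len(enc) != 32 or not all(0x41 <= c <= 0x50 for c in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_registration(payload):
    """Parse the UDP payload of an NBNS registration request; None for anything else."""
    if len(payload) < 68:
        return None
    _txid, flags, qd, _an, _ns, ar = struct.unpack("!6H", payload[:12])
    is_request = not flags & 0x8000
    if not is_request or (flags >> 11) & 0xF != OPCODE_REGISTRATION or (qd, ar) != (1, 1):
        return None
    decoded = decode_name(payload[13:45])
    # Assumed layout: 0x20 length byte, 32 name bytes, 0x00, then an additional
    # record that refers back to the name with the compression pointer 0xC00C.
    if payload[12] != 0x20 or payload[45] != 0 or payload[50:52] != b"\xc0\x0c" or not decoded:
        return None
    rdlength, = struct.unpack("!H", payload[60:62])
    if rdlength < 6:
        return None
    addr = ipaddress.ip_address(payload[64:68])
    return {"name": decoded[0], "suffix": decoded[1], "broadcast": bool(flags & 0x0010),
            "address": str(addr), "apipa": addr in APIPA}

def build_sample(name, ip):
    """Constructed registration request (not captured traffic) for the demo below."""
    header = struct.pack("!6H", 0x1234, 0x2910, 1, 0, 0, 1)
    question = b"\x20" + encode_name(name) + b"\x00" + struct.pack("!2H", 0x0020, 0x0001)
    extra = b"\xc0\x0c" + struct.pack("!2HIH", 0x0020, 0x0001, 300000, 6)
    return header + question + extra + b"\x00\x00" + ipaddress.ip_address(ip).packed

if __name__ == "__main__":
    print(parse_registration(build_sample("OH101289", "169.254.10.20")))
```

Feeding it the UDP payloads from a capture filtered on port 137 gives a list of names still announcing themselves over NetBIOS and shows which of them never received a DHCP lease.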