NBNS Protocol overloading a VLAN

Hello, first time posting here; I apologize if I screw it up.

We are seeing random 'NetBIOS Name Service' (WINS) broadcasts (1-3 times a day at random times) going across a VLAN. This traffic overloads the VLAN and our phone system goes down as a result due to heartbeat timers expiring between devices.

Here is an example:

15641   2020-03-09 08:01:12.435091  169.254.175.195 169.254.255.255 NBNS    110 Registration NB OH101289<20>

Frame 15641: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface \Device\NPF_{4CB19F40-9878-4814-8D24-F2CF192BBA0D}, id 0
    Interface id: 0 (\Device\NPF_{4CB19F40-9878-4814-8D24-F2CF192BBA0D})
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar  9, 2020 08:01:12.435091000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1583755272.435091000 seconds
    [Time delta from previous captured frame: 0.000080000 seconds]
    [Time delta from previous displayed frame: 0.000080000 seconds]
    [Time since reference or first frame: 2226.259421000 seconds]
    Frame Number: 15641
    Frame Length: 110 bytes (880 bits)
    Capture Length: 110 bytes (880 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:nbns]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || netbios]

Ethernet II, Src: Watlow_00:2a:0f (00:03:aa:00:2a:0f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: Watlow_00:2a:0f (00:03:aa:00:2a:0f)
    Type: IPv4 (0x0800)

Internet Protocol Version 4, Src: 169.254.175.195, Dst: 169.254.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 96
    Identification: 0xc40d (50189)
    Flags: 0x0000
    ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 48
    Protocol: UDP (17)
    Header checksum: 0xc2bf [validation disabled]
    [Header checksum status: Unverified]
    Source: 169.254.175.195
    Destination: 169.254.255.255

User Datagram Protocol, Src Port: 137, Dst Port: 137
    Source Port: 137
    Destination Port: 137
    Length: 76
    Checksum: 0x8e6e [unverified]
    [Checksum Status: Unverified]
    [Stream index: 335]
    [Timestamps]

NetBIOS Name Service
    Transaction ID: 0xd4c8
    Flags: 0x2910, Opcode: Registration, Recursion desired, Broadcast
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        OH101289<20>: type NB, class IN
    Additional records

It looks like the source device is in the Ethernet II field and is named "Watlow_MAC Address" and the target being queried is a workstation on our network named "OH101289".

Does this sound correct in my source/destination assumption? I am unsure as to why the source device would be targeting the destination workstation as I assumed this was a UDP broadcast?

Any help would be appreciated.

Thanks
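The following is an added example, not part of the original post: a Python decoder for the NBNS fields shown in the capture above, following the RFC 1002 registration layout in which the "Queries" name is the name the sender is claiming and the additional record carries the address that claims it. The payload is constructed to match the header values in the post; the TTL, NB flags and claimed address inside the additional record are assumptions, since that record is collapsed in the capture.

```python
import ipaddress
import struct

OPCODES = {0: "Query", 5: "Registration", 6: "Release", 7: "WACK", 8: "Refresh"}

def encode_name(name, suffix):
    """RFC 1002 first-level encoding: 15 padded chars + suffix, one byte per nibble."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    halves = bytes(0x41 + n for c in raw for n in (c >> 4, c & 0x0F))
    return bytes([len(halves)]) + halves + b"\x00"

def decode_name(buf, off):
    """Return (name, suffix, next_offset) for the encoded name starting at buf[off]."""
    if buf[off] != 32 or buf[off + 33] != 0:
        raise ValueError("not a 32-byte first-level encoded NetBIOS name")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34

def parse_registration(payload):
    """Decode the NBNS header, the question name and the address in the additional record."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", payload, 0)
    name, suffix, off = decode_name(payload, 12)
    off += 4  # skip the question's type and class
    info = {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": OPCODES.get((flags >> 11) & 0x0F, "other"),
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),
        "name": f"{name}<{suffix:02x}>",
        "claimed_ip": None,
        "link_local": None,
    }
    if ar and payload[off] & 0xC0 == 0xC0:  # RR name is a pointer back to the question
        _type, _cls, _ttl, _rdlen, _nbflags = struct.unpack_from("!HHIHH", payload, off + 2)
        addr = ipaddress.ip_address(payload[off + 14:off + 18])
        info.update(claimed_ip=str(addr), link_local=addr.is_link_local)
    return info

# Constructed payload: header values from the capture; TTL (300000), NB flags (0)
# and the claimed address in the additional record are assumptions.
SAMPLE = (struct.pack("!6H", 0xD4C8, 0x2910, 1, 0, 0, 1)
          + encode_name("OH101289", 0x20) + struct.pack("!HH", 0x0020, 0x0001)
          + b"\xc0\x0c" + struct.pack("!HHIHH", 0x0020, 0x0001, 300000, 6, 0x0000)
          + ipaddress.ip_address("169.254.175.195").packed)

if __name__ == "__main__":
    print(parse_registration(SAMPLE))
```

The constructed payload is 68 bytes, which with the 8-byte UDP header gives the UDP length of 76 shown in the capture.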