Took me a few read-throughs (no, you wrote it just fine, I am just tired and I had to get everything right in my head (ha!)), but I think I understand what is going on...
No, I don't think you have any kind of trojan program running (or at least this is not evidence), and in fact, I think it is pretty normal. I think you have a very quiet system, which might be why you noticed it -- you really have to look on a busy system to see this effect.

Let me make sure I understand your statement...

[192.168.XX.XX/137]->[24.147.YYY.YYY/10629]->[24.128.ZZZ.ZZZ/53].
   workstation A          External B             DNS C

Port numbers A and C are staying the same. Port B is the one sequencing. Although, I would guess number A also changes from time to time, too, if you watch long enough or change enough things.

What the GB message is saying is Workstation is talking out port 137 to the GB. The GB takes that request, processes it through NAT and it comes OUT of the GB's external interface as 10629 (in this case). The message is directed TO the DNS server port 53.

The port this request comes out of on the workstation or the GB system is picked pretty much at random (something available, unused by anything else at the moment). It sounds like your workstation has settled on a particular port to talk out of -- the fact that this is the NetBIOS port is coincidence (more or less). This port number changes as it goes through NAT (generally would have to -- that's how the NAT function keeps track of multiple requests from several workstations all requesting data out the same port number).

What the Network Address Translation does is associate YOUR workstation and the port it requested from to any port it had available at the moment -- which in this case was 10629. Now, when a reply comes back (to the same port it was sent from -- 10629), NAT takes that port, looks it back up in the table it has been creating, and sends it back to your workstation, to the port it requested from.

It appears the reason the 'B' port number is cycling is just that is what GB does. It can pick any port, apparently, it goes in sequence.

I just wandered down the basement to look at my GB, and by golly, it was sequencing the port numbers, too, although there was a LOT more traffic than one message every 15 minutes, and a few workstations and apps were chattering away. 8)

As for what is on your system that is chatting with the DNS every few minutes, no sure answer, unfortunately... my guess is probably some "web enabled" application you recently loaded...

In other words, nothing to worry about (by itself), GB is acting normally.

And I'm sitting here realizing that I probably got some detail wrong someplace, so go ahead everyone, jump on me. 8)

Nick.

Bruce Saunders wrote:
> -------------------------------------------------------------
> OK, I tried the GB lite forum and had no responses, so I'll try this. I have
> two work stations set up on the protected GB Lite 3.0.3 interface. One is left
> on, but goes into a standby type mode after some period of time. The other is
> only on when it is in use, otherwise it is shut off. I have had this set-up
> running for about two months with no problems.
> Recently, I noticed that the WS which is left on seems to be responsible for
> the following alarm, every 15 minutes:
> 16 5 Jul 10 21:16:35 NAT: Open UDP
> [192.168.XX.XX/137]->[24.147.YYY.YYY/10629]->[24.128.ZZZ.ZZZ/53].
> 16 5 Jul 10 21:16:56 NAT: Close UDP
> [192.168.XX.XX/137]->[24.147.YYY.YYY/10629]->[24.128.ZZZ.ZZZ/53] Pkts 1 1,
> Bytes 62 128.
>
> The 24.147.YYY.YYY happens to be the IP address assigned to my external NIC by
> the ISP through DHCP (cable modem). The 24.128.ZZZ.ZZZ is one of the DNS
> servers at the ISP. I know 137 is a NetBios port and 53 is DNS. The port
> number after the 24.147.YYY.YYY is incrementing by one every 15 minutes.
>
> Does anyone know, do I have a Trojan inside this WS? The two workstations are
> set-up in a Windows '98 workgroup so files can be shared between them - does
> this have something to do with the messages?
>
> I don't think I have a serious problem, but don't remember seeing this the
> first couple of weeks I had GB up and running. Also, I've never used anything
> but the default filter set-up right 'out of the box'.
>
> Any information would be appreciated. Thanks.
>
> Bruce S.
>
--
http://www.holland-consulting.com/
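
One way to check the pattern discussed in this thread over a longer log, as an added Python example that is not part of either message: it groups the NAT "Open" events by inside host/port and destination, then reports whether the external port steps by one and how far apart the events are. It assumes the log line layout quoted above and timestamps within a single day; the addresses in the sample are constructed documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread; the addresses
# are placeholders, not values from the original post.
SAMPLE_LOG = """\
16 5 Jul 10 21:16:35 NAT: Open UDP [192.168.1.10/137]->[203.0.113.5/10629]->[198.51.100.53/53].
16 5 Jul 10 21:16:56 NAT: Close UDP [192.168.1.10/137]->[203.0.113.5/10629]->[198.51.100.53/53] Pkts 1 1, Bytes 62 128.
16 5 Jul 10 21:31:35 NAT: Open UDP [192.168.1.10/137]->[203.0.113.5/10630]->[198.51.100.53/53].
16 5 Jul 10 21:46:35 NAT: Open UDP [192.168.1.10/137]->[203.0.113.5/10631]->[198.51.100.53/53].
16 5 Jul 10 21:50:00 NAT: Open UDP [192.168.1.11/1025]->[203.0.113.5/10632]->[198.51.100.53/53].
"""

LINE_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) NAT: (?P<event>Open|Close) (?P<proto>\w+) "
    r"\[(?P<in_ip>[\d.]+)/(?P<in_port>\d+)\]->"
    r"\[(?P<ext_ip>[\d.]+)/(?P<ext_port>\d+)\]->"
    r"\[(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)\]"
)

def to_seconds(hms):
    """Convert HH:MM:SS to seconds since midnight (same-day assumption)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def summarize(log):
    """Per (inside ip, inside port, dest ip, dest port): the external ports
    NAT assigned, whether they step by +1, and seconds between Opens."""
    flows = defaultdict(list)
    for m in LINE_RE.finditer(log):
        if m["event"] != "Open":  # a Close repeats the mapping of its Open
            continue
        key = (m["in_ip"], int(m["in_port"]), m["dst_ip"], int(m["dst_port"]))
        flows[key].append((to_seconds(m["time"]), int(m["ext_port"])))
    report = {}
    for key, events in flows.items():
        times = [t for t, _ in events]
        ports = [p for _, p in events]
        report[key] = {
            "opens": len(events),
            "ext_ports": ports,
            "sequential": all(b - a == 1 for a, b in zip(ports, ports[1:])),
            "intervals_s": [b - a for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE_LOG).items():
        print(flow, info)
```

A fixed interval from one inside host to the resolver on port 53 identifies which workstation is generating the lookups; the stepping external port is only the NAT allocator at work.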
