Re: [IM-Talk] ?? Imapper generate netbios-ns polling traffic ??

Wed, 01 Nov 2006 05:30:19 -0800 

Bill,

As an administrator of a TCP based network using DNS, I would like that the
new feature NetBIOS–ns would be a preference (SAMBA). Intermapper must have
the intelligence to recognize a non samba device and stop the NetBIOS-ns
attacks :-)
I wondering what in this  biosname resolving concept the role of de
(master) winsserver is?

I hope I  have deliverd enough information to review this issue

When needed, I could make sniffer packet analysis of Imapper behavior?

With regards Hans Heger network manager RIVM the Netherlands.


Here are the results of my testings:

Amount of devices Cisco’s / servers = 666
Time 12:22 -> 13:50 using tcpdump grep NetBIOS to > file 220KB asci file
1876 lines divided by 2  = 938 request in  88 minutes
711 request replied   ->   icmp 36: xxxxx.rivm.nl udp port netbios-ns
unreachable (ALL CISCO'S)

Hardware:
=========
G5   Power Mac G5        PowerMac7,2
  Processortype:         PowerPC 970  (2.2)
  Processorsnelheid:     1.8 GHz

Software:
=======
Version 4.4.4 (Traditional PPC/MacOSX, Build 67173)
Built on Jul 17 2006.
MacOSX 10.4.8  TCPDUMP
Linecount BBedit


                                                                           
             William.W.Fisher@                                             
             DARTWARE.COM                                                  
             (William W.                                                To 
             Fisher)                   [email protected]  
             Sent by:                                                   cc 
             <InterMapper-Talk                                             
             @list.dartware.co                                     Subject 
             m>                        Re: [IM-Talk] ?? Imapper generate   
                                       netbios polling traffic ??          
                                                                           
             25-10-2006 02:48                                              
                                                                           
                                                                           
             Please respond to                                             
               "InterMapper                                                
                Discussion"                                                
             <InterMapper-Talk                                             
             @list.dartware.co                                             
                    m>                                                     
                                                                           
                                                                           




Hans:

InterMapper does a WINS lookup for the machine name when it can't be
determined
from DNS. However, your tcpdump clearly shows that the router interface has
a
DNS name. Do you have the addresses of your DNS servers configured in the
DNS
Monitor preference setting?

The WINS lookup appears to be a unicast request. InterMapper uses a
directed,
unicast request when it is attempting to lookup a specific name. What is
the
frequency of these requests?  It could be that InterMapper is not properly
"backing off" when the ICMP unreachable packet is received. I will need to
check
the code.

Thanks,

Bill Fisher
Dartware, LLC
____________________________________________________________________
List archives:
http://www.mail-archive.com/intermapper-talk%40list.dartware.com/
To unsubscribe: send email to: [EMAIL PROTECTED]

Reply via email to