If you could give the *actual* destination address, I could be certain, but it's probably the following.
On Microsoft boxes which are configured to use DHCP for their network settings, *if* they broadcast for DHCP and fail to get the settings, they will "self-assign" an address. I believe the addresses used start with 169, and I believe if you use Sam Spade or some other tool to do an IP Block lookup you'll see a little more information about it. So why is it showing up as a destination? Once a Windows box comes up with such a bogus address, this still does not mean it is "dead" on the network. It dutifully goes about doing what Windows boxes do, which is a lot of NetBIOS broadcasting. The packets you see are probably boxes on your local network trying to respond to those broadcasts which were originally sourced from the 169 guy. Since you obviously don't use that actual network, your default routing in your network is likely carrying those responses out toward your Internet perimeter, and getting dropped at your firewall. And no, assuming I am right, I am not particularly wise about this - I've had the same experience and a lot of time to track it down :-) ----- Original Message ----- From: "Darren Gragg" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 29, 2003 11:33 AM Subject: source LAN port 137 dest 169.x I am seeing some UDP packets showing up in my logs as being dropped that have a source of 172 my local subnet with a port of 137 and a destination of a 169.xxx.xxx.xxx address with a port of 137. what would that destination be telling me? Any ideas? Thanks very much in advance Darren Gragg Network Administrator --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
