Port 138 traffic sent to non-existent servers (XP Pro machines only)

Status
Not open for further replies.

bp1169

IS-IT--Management
Mar 23, 2001
97
US
I have an NT4 domain with 10 geographically separated subnets connected by frame relay. Each of these locations has several XP Pro machines. While watching the firewall logs I have noticed a lot of UDP port 138 traffic originating from almost all of these XP machines (they hit the firewall because these servers used to be on subnets that are no longer part of our network, and the gateway of last resort is the firewall).

The servers they are trying to reach did exist at one time (3 or more years ago). I have checked WINS to ensure there are no entries for these servers and there are no entries. The automatic DNS zones are also clear of any stale entries. The odd thing is that it only comes from XP machines. The NT and 9x machines (70% of the PCs on the network) do not have this problem. I originally thought it might be virus related but my organization has several layers of protection and I've physically visited some PCs to verify they are not infected. All these PCs have their security patches up to date as well.

As I said, the problem occurs on almost every XP PC, including a new HP laptop I just pulled out of the box today. I'm not sure where the problem lies; maybe it's in the network and only XP can "see" these stale server entries. The PCs are all on DHCP, and I have verified that no stale server entries exist in their respective scopes.

Any other thoughts as to what this could be are appreciated. Thanks!
 
Do you still see the old machines in Server Manager?

If so probably just need to remove them from the domain.

If not you might try adding them and then removing them.
 
Thanks for your help. I did check Server Manager and none of the servers are in there. I also searched the registry of the local WINS servers and none of them had entries for these servers. The WINS servers don't list the servers either.

 
I also have a WinNt4.0 domain with multiple subnets. I also get hits on my firewall from port 138, but from Windows 2000 Pro machines in only one specific subnet. I know port 138 is used for NetBIOS Datagram services so I don't think it is virus activity. The destination IP is an old WINS server that has a new IP address now. For some reason the PCs in that subnet are looking for that old IP address and I don't know why. I'm looking into it also so if any of this helps, or if you figure it out, please let me know. Thanks!
 
It's your Computer Browser service. It will not affect your network in any way unless you have Master Browser issues (like 2 of them for the same subnet). If it's REALLY annoying you, simply disable the Computer Browser Service on your machines, but in doing so, make sure your WINS is fully operational.





"In space, nobody can hear you click..."
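
One way to check the Computer Browser explanation against a packet capture, as an added example that is not part of the original thread: decode the NetBIOS datagram header (RFC 1002) carried on UDP 138 and read the 16th-byte suffix of the destination name, which shows whether a client is addressing a browser-related name. The host name, domain name and address in the sample are constructed, and the function names are this example's own.

```python
import socket
import struct

# 16th-byte suffixes of NetBIOS names relevant to browsing and logon traffic.
SUFFIXES = {0x00: "workstation", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser",
            0x1E: "browser elections", 0x20: "file server"}
MSG_TYPES = {0x10: "direct unique", 0x11: "direct group", 0x12: "broadcast"}

def encode_name(name, suffix):
    """First-level encoding (RFC 1001); used here only to build the sample."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(v + 0x41 for c in raw for v in (c >> 4, c & 15)) + b"\x00"

def decode_name(buf, off):
    """Return (name, suffix, next_offset) for the encoded name at buf[off]."""
    if off + 34 > len(buf) or buf[off] != 0x20:
        raise ValueError("expected a 32-byte encoded NetBIOS name")
    enc = buf[off + 1:off + 33]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("byte outside 'A'..'P' in encoded name")
    raw = bytes((enc[i] - 0x41) << 4 | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    end = off + 33
    while end < len(buf) and buf[end] != 0:   # skip optional scope labels
        end += buf[end] + 1
    if end >= len(buf):
        raise ValueError("name is not terminated")
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], end + 1

def parse_datagram(payload):
    """Decode the header and both names of a UDP 138 payload (RFC 1002)."""
    if len(payload) < 14 or payload[0] not in MSG_TYPES:
        raise ValueError("not a direct or broadcast NetBIOS datagram")
    mtype, _flags, _id, ip, port, _len, _off = struct.unpack("!BBH4sHHH", payload[:14])
    src, src_sfx, nxt = decode_name(payload, 14)
    dst, dst_sfx, _ = decode_name(payload, nxt)
    return {"type": MSG_TYPES[mtype], "source_ip": socket.inet_ntoa(ip),
            "source_port": port, "source": (src, src_sfx), "dest": (dst, dst_sfx),
            "dest_role": SUFFIXES.get(dst_sfx, "other")}

def build_sample():
    """Constructed datagram: client XPCLIENT01 addressing EXAMPLEDOM<1D>."""
    names = encode_name("XPCLIENT01", 0x00) + encode_name("EXAMPLEDOM", 0x1D)
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x0001,
                      socket.inet_aton("192.0.2.30"), 138, len(names), 0)
    return hdr + names

if __name__ == "__main__":
    print(parse_datagram(build_sample()))
```

Feed `parse_datagram` the UDP payload of a captured port 138 packet; a destination suffix of 0x1B, 0x1D or 0x1E points at browser traffic, while 0x1C or 0x20 points at logon or file-server lookups instead.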