RE: netbios [7:71084]
Hello, NetBIOS is a non-routeable protocol. If you want to transport it over WAN links you will need to configure bridging. Check out: http://www.cisco.com/en/US/partner/tech/tk331/tk660/technologies_tech_ note09186a0080093d4d.shtml Regards, Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71086&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
I'd agree to NetBEUI not being routable, but surely NETBIOS over IP gotta be routable! What does a WINS server do for you, or LMHOST files? Bikespace ""- jvd"" wrote in message news:[EMAIL PROTECTED] > Hello, > > NetBIOS is a non-routeable protocol. If you want to transport it over WAN > links you will need to configure bridging. Check out: > http://www.cisco.com/en/US/partner/tech/tk331/tk660/technologies_tech_ > note09186a0080093d4d.shtml > > Regards, Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71104&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
Since your question already assumes these port ranges, it would mean your question is really whether NetBIOS over TCP/IP can be routed. And as such, it can, just like any other IP traffic. ""koh jef"" wrote in message news:[EMAIL PROTECTED] > hi guys, > > can netbios,using port 137, 138 and 139 be routed thru WAN ??? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71105&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: netbios [7:71084]
koh jef wrote: > > hi guys, > > can netbios,using port 137, 138 and 139 be routed thru WAN ??? NetBIOS uses UDP and TCP which run on top of IP, which is routable over an IP internetwork, including WAN links. Routers don't forward broadcasts though, by default. When NetBIOS runs over UDP ports 137 and 138, a lot of it is broadcasts. You can use an IP helper address and udp forwarding on a router to get the router to forward those. That might not be such a good idea, though. It could make resources available across the WAN that you don't want to make available. It could require you to open ports on firewalls, resulting in security risks. You need take a higher-level view of what you're trying to do... Windows networking across an internetwork can be challenging... Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71106&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
Directed broadcastes are less of a burden as far as passing brodcasts for specific apps. indeed netbios is not routeble, to route it u use NBT or NBIPX ""Priscilla Oppenheimer"" a icrit dans le message de news: [EMAIL PROTECTED] > koh jef wrote: > > > > hi guys, > > > > can netbios,using port 137, 138 and 139 be routed thru WAN ??? > > NetBIOS uses UDP and TCP which run on top of IP, which is routable over an > IP internetwork, including WAN links. > > Routers don't forward broadcasts though, by default. When NetBIOS runs over > UDP ports 137 and 138, a lot of it is broadcasts. You can use an IP helper > address and udp forwarding on a router to get the router to forward those. > That might not be such a good idea, though. It could make resources > available across the WAN that you don't want to make available. It could > require you to open ports on firewalls, resulting in security risks. > > You need take a higher-level view of what you're trying to do... Windows > networking across an internetwork can be challenging... > > Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71126&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
Hi, I just want to make something clear. NetBIOS and NetBEUI were created by IBM and later found its way to Microsoft networks who changed it. - These protocols are non-routable in an IBM environment. - NetBEUI is non-routable in TCP/IP networks. - NetBIOS is non-routable without the help of NetBT. NetBT is NetBIOS over TCP/IP and was conceived in RFCs 1001 and 1002 to enable NetBIOS to be routed. Short overview here: http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cnad_arc_khqp.asp Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71150&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
jountao wrote: > > Directed broadcastes are less of a burden as far as passing > brodcasts for > specific apps. Directed broadcasts are not allowed on modern networks and are totally irrelevant to Windows networking anyway, which doesn't use them. > indeed netbios is not routeble, to route it u use NBT or NBIPX He's using NBT obviously or he wouldn't be talking about UDP and TCP port numbers. Priscilla > > ""Priscilla Oppenheimer"" a icrit dans > le message de > news: [EMAIL PROTECTED] > > koh jef wrote: > > > > > > hi guys, > > > > > > can netbios,using port 137, 138 and 139 be routed thru WAN > ??? > > > > NetBIOS uses UDP and TCP which run on top of IP, which is > routable over an > > IP internetwork, including WAN links. > > > > Routers don't forward broadcasts though, by default. When > NetBIOS runs > over > > UDP ports 137 and 138, a lot of it is broadcasts. You can use > an IP helper > > address and udp forwarding on a router to get the router to > forward those. > > That might not be such a good idea, though. It could make > resources > > available across the WAN that you don't want to make > available. It could > > require you to open ports on firewalls, resulting in security > risks. > > > > You need take a higher-level view of what you're trying to > do... Windows > > networking across an internetwork can be challenging... > > > > Priscilla > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71156&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
NetBIOS is a session layer protocol. Of course it's routable. Yes, it's true that IBM invented NetBIOS. NetBEUI was the name of IBM's software module that implemented NetBIOS. It usually ran in conjunction with TOKREUI, by the way, which was driver software for Token Ring. NetBEUI didn't make any calls to a network layer. It assumed it was running directly above LLC and made calls to LLC's interface. It also make source-route bridging calls, by the way. It's just semantics at this point but does point out a couple higher-level concepts. One, networking is more complicated than the simple statements like "NetBIOS is not routable" that you will find in Networking 101 papers. Two, it's important to understand that every layer makes calls to a layer below and every layer offers services to a layer above. Because the service interface of a layer, whether it be LLC or UDP, is well known (hopefully), any upper layer can call on it. So, an implementation of a session layer protocol such as NetBIOS can call on UDP, TCP, LLC, or IPX. That's the real message from the infamous OSI model. It's all about service interfaces. Priscilla - jvd wrote: > > Hi, > > I just want to make something clear. NetBIOS and NetBEUI were > created by IBM and later found its way to Microsoft networks > who changed it. > > - These protocols are non-routable in an IBM environment. > - NetBEUI is non-routable in TCP/IP networks. > - NetBIOS is non-routable without the help of NetBT. > > NetBT is NetBIOS over TCP/IP and was conceived in RFCs 1001 and > 1002 to enable NetBIOS to be routed. Short overview here: > http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cnad_arc_khqp.asp > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71161&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
At 6:15 PM + 6/23/03, Priscilla Oppenheimer wrote: > > >Two, it's important to understand that every layer makes calls to a layer >below and every layer offers services to a layer above. Because the service >interface of a layer, whether it be LLC or UDP, is well known (hopefully), >any upper layer can call on it. So, an implementation of a session layer >protocol such as NetBIOS can call on UDP, TCP, LLC, or IPX. That's the real >message from the infamous OSI model. It's all about service interfaces. OO! The real message is there are seven layers named Happy, Sneezy, Grumpy, Bashful, Sleepy, Dopey and Doc! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71171&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
hi, i just have to say that i will never try to answer anything on this forum again. :-) once i tried to answer a question with regards to bgp and a 1720 router and only after howard helped us out was it clear that the processor does play an important role. ;-) this time only after the input from priscilla is everybody happy about the netbios/netbeui issue. ;-) but then i think what is important is that we dig a bit deeper into some topics! Good work! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71179&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
- jvd 6/23/03 4:06:36 PM >>> >hi, i just have to say that i will never try to answer anything on this >forum again. :-) > >once i tried to answer a question with regards to bgp and a 1720 router and >only after howard helped us out was it clear that the processor does play an >important role. ;-) > >this time only after the input from priscilla is everybody happy about the >netbios/netbeui issue. ;-) > >but then i think what is important is that we dig a bit deeper into some >topics! > >Good work! I have two requests: First, don't go into hiding. Please continue to participate. We welcome all participants! And second, please quote the post you're referring to when you reply. When you don't include a quote it is very difficult to follow what you're talking about. Regards, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71186&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
There are too many smart arses around sometimes. The whole idea of a discussion group isn't for everyone to "Provide the right answer or beware". I think everyone would like to have a go sometimes, but there's that nagging doubt that you're going to make a big slip up. It's better I think when people have a go. It's amazing how many people answer the easy password recovery type questions, but no one is listening when the toughies come out, even though a lot of people could have a stab at it (guilty myself). Some people would end up on their arse if they replied face to face, the way they do in some follow up posts. Good on you - I will try to do my bit by making a fool of myself at every opportunity. After about 6 pints this may well be the first of many. :-) Keep digging. Bikespace. ""- jvd"" wrote in message news:[EMAIL PROTECTED] > hi, i just have to say that i will never try to answer anything on this > forum again. :-) > > once i tried to answer a question with regards to bgp and a 1720 router and > only after howard helped us out was it clear that the processor does play an > important role. ;-) > > this time only after the input from priscilla is everybody happy about the > netbios/netbeui issue. ;-) > > but then i think what is important is that we dig a bit deeper into some > topics! > > Good work! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71188&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: netbios [7:71084]
What about Donner and Blitz..., oops, different story -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Howard C. Berkowitz Sent: Monday, June 23, 2003 12:29 PM To: [EMAIL PROTECTED] Subject: Re: netbios [7:71084] At 6:15 PM + 6/23/03, Priscilla Oppenheimer wrote: > > >Two, it's important to understand that every layer makes calls to a layer >below and every layer offers services to a layer above. Because the service >interface of a layer, whether it be LLC or UDP, is well known (hopefully), >any upper layer can call on it. So, an implementation of a session layer >protocol such as NetBIOS can call on UDP, TCP, LLC, or IPX. That's the real >message from the infamous OSI model. It's all about service interfaces. OO! The real message is there are seven layers named Happy, Sneezy, Grumpy, Bashful, Sleepy, Dopey and Doc! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71192&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: netbios [7:71084]
At 4:47 PM -0700 6/23/03, Jamie Johnson wrote: >What about Donner and Blitz..., oops, different story Nahh...you need Sneezy as a multicast server. > > >-Original Message- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of >Howard C. Berkowitz >Sent: Monday, June 23, 2003 12:29 PM >To: [EMAIL PROTECTED] >Subject: Re: netbios [7:71084] > > >At 6:15 PM + 6/23/03, Priscilla Oppenheimer wrote: >> >> >>Two, it's important to understand that every layer makes calls to a layer >>below and every layer offers services to a layer above. Because the service >>interface of a layer, whether it be LLC or UDP, is well known (hopefully), >>any upper layer can call on it. So, an implementation of a session layer >>protocol such as NetBIOS can call on UDP, TCP, LLC, or IPX. That's the real >>message from the infamous OSI model. It's all about service interfaces. > > >OO! The real message is there are seven layers named Happy, >Sneezy, Grumpy, Bashful, Sleepy, Dopey and Doc! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71195&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
- jvd wrote: > > OT: > hi, i just have to say that i will never try to answer anything > on this forum again. :-) Well, would that be Grumpy, Bashful, Sleepy, or Dopey to do that? :-) Seriously, you should keep answering. You have sent some great answers, but you don't want to keep insisting something when replying to my messages. It makes me very Grumpy and I'm not Bashful when wielding a keyboard (just in person). I know lots of books claim that NetBIOS isn't routable, but I bet those exact same books also classify it as a session-layer protocol. And it does make a good example of a session-layer protocol. One of the few that we have! And if it runs at that layer, then it is routable. I think even IBM said it was a session-layer protocol in some of their early documents, which unfortunately, I recently tossed. Directed broadcasts came from out of the blue. I really don't think Windows networking uses them, although maybe it does. Was the comment maybe in reference to the helper address suggestion that I made? You can tell a router to send the packets when "it helps" as a broadcast. That's not a directed broadcast, though, and will work even if router forwarding of directed broadcasts is disabled, which is the default these days. Instead, it's a broadcast sent by the router (it has the router's IP address as source, on behalf of some other station, to a local LAN, because the router is acting as a proxy, for example, a DHCP Relay Agent.) Was that a run-on sentence, or what? :-) A directed broadcast is directed from afar into a subnet. The sender usually makes classful assumptions, since it can't actually know the local definition of a broadcast. It's used by ping scan to send a ping to 172.16.255.255, for example, in an attempt to ping everyone on network 172.16.0.0. Routers don't forward those these days because of the security risks. Back to NetBIOS. It does send a lot of broadcast traffic for naming purposes. In an IP environment, however, a host can be configured to send unicast naming queries and name registrations to a WINS server. There are probably lots of other issues, though. It really can be quite a pain to get it to work correctly when you migrate from a small LAN to a larger internetwork with WANs, subnetting, VLANs, etc. I wonder what the original poster is really trying to do and where he can get a good Windows networking (internetworking) design guide. Cisco used to have one, but it's probably way dated now Well, it's late and my writing is deteriorating. Howard covers directed broadcasts, by the way, (and a much better description of the OSI model, without reference to the dwarves, as I recall, although possibly with reference to the deadly sins) in his CertificationZone papers. I recommend them. Priscilla > > once i tried to answer a question with regards to bgp and a > 1720 router and only after howard helped us out was it clear > that the processor does play an important role. ;-) > > this time only after the input from priscilla is everybody > happy about the netbios/netbeui issue. ;-) > > but then i think what is important is that we dig a bit deeper > into some topics! > > Good work! > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71203&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
hi pple, well the reason why i ask this is because, recently i was told by my network manager that there is a virus which uses netbios (udp 137, tcp 138 and tcp 139) as a transport and had acrosses the WAN from a spoke site to a hub site. And i was told to put an ACL by blocking the above port on the fastethernet interface, well i was kind of confuse as in, i remember that netbios arnt routable across the WAN, IF, and i mean IF there is really such virus uses this ports, they shouldnt be able to traverse to the other site across the WAN rite?? And when i did some debug ip packet, the udp 136 and or ofcourse the tcp138 and 139, was captured and dropped! at the fastethernet interface and TR interface (i had place the ACL on both fastether and TR) but when i place it on the serial, i dun see any udp 136 at all!...i jus need some clarification from people at this forum here Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71227&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
Is NetBIOS a protocol in the sense of ISO's OSI definition?? I never really checked it. Originally it was a programming interface on IBM PCs. I did some network programming with NetBIOS back in 1989... yes, old man... When I started reading commercial Cisco certification books, the authors sometimes tried to convince me that it is a protocolWhatever, I'm not going to give a formal answer, but for those interested maybe give the following a try. It's from IBM's TCP/IP Tutorial and Technical Overview, October 1998, one of their famous redbooks (http://www.redbooks.ibm.com): "... NetBIOS is a vendor-independant software interface (API), not a protocol. There is no official NetBIOS specification, although in practice, the NetBIOS version described in the IBM publication SC30-3587 LAN Technical Reference: 802.2 and NetBIOS APIs is used as reference. .." Have fun! :-) Eric Brouwers - Original Message - From: "Priscilla Oppenheimer" To: Sent: Tuesday, June 24, 2003 3:50 AM Subject: Re: netbios [7:71084] > - jvd wrote: > > > > OT: > > hi, i just have to say that i will never try to answer anything > > on this forum again. :-) > > Well, would that be Grumpy, Bashful, Sleepy, or Dopey to do that? :-) > Seriously, you should keep answering. You have sent some great answers, but > you don't want to keep insisting something when replying to my messages. It > makes me very Grumpy and I'm not Bashful when wielding a keyboard (just in > person). I know lots of books claim that NetBIOS isn't routable, but I bet > those exact same books also classify it as a session-layer protocol. And it > does make a good example of a session-layer protocol. One of the few that we > have! And if it runs at that layer, then it is routable. I think even IBM > said it was a session-layer protocol in some of their early documents, which > unfortunately, I recently tossed. > > Directed broadcasts came from out of the blue. I really don't think Windows > networking uses them, although maybe it does. Was the comment maybe in > reference to the helper address suggestion that I made? You can tell a > router to send the packets when "it helps" as a broadcast. That's not a > directed broadcast, though, and will work even if router forwarding of > directed broadcasts is disabled, which is the default these days. Instead, > it's a broadcast sent by the router (it has the router's IP address as > source, on behalf of some other station, to a local LAN, because the router > is acting as a proxy, for example, a DHCP Relay Agent.) Was that a run-on > sentence, or what? :-) > > A directed broadcast is directed from afar into a subnet. The sender usually > makes classful assumptions, since it can't actually know the local > definition of a broadcast. It's used by ping scan to send a ping to > 172.16.255.255, for example, in an attempt to ping everyone on network > 172.16.0.0. Routers don't forward those these days because of the security > risks. > > Back to NetBIOS. It does send a lot of broadcast traffic for naming > purposes. In an IP environment, however, a host can be configured to send > unicast naming queries and name registrations to a WINS server. There are > probably lots of other issues, though. It really can be quite a pain to get > it to work correctly when you migrate from a small LAN to a larger > internetwork with WANs, subnetting, VLANs, etc. > > > I wonder what the original poster is really trying to do and where he can > get a good Windows networking (internetworking) design guide. Cisco used to > have one, but it's probably way dated now > > > Well, it's late and my writing is deteriorating. Howard covers directed > broadcasts, by the way, (and a much better description of the OSI model, > without reference to the dwarves, as I recall, although possibly with > reference to the deadly sins) in his CertificationZone papers. I recommend > them. > > Priscilla > > > > > > once i tried to answer a question with regards to bgp and a > > 1720 router and only after howard helped us out was it clear > > that the processor does play an important role. ;-) > > > > this time only after the input from priscilla is everybody > > happy about the netbios/netbeui issue. ;-) > > > > but then i think what is important is that we dig a bit deeper > > into some topics! > > > > Good work! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71231&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
Since the original question related to virus and certain ports, etc., here's a good reference to keep an eye on: http://isc.incidents.org/ You'll notice which ports have the most activity by geographical region (there are marked differences). You can also look at the hyperlinks associated with each of the most frequently attacked ports as well as the links under ISC Analysis to particular exploits that are currently being seen frequently. This may help you with your manager, as it's not necessarily enough to understand what's happening across the router; you may need to know what's happening on the hosts, as well. HTH Annlee ""j k"" wrote in message news:[EMAIL PROTECTED] > hi pple, well the reason why i ask this is because, recently i was told by > my network manager that there is a virus which uses netbios (udp 137, tcp > 138 and tcp 139) as a transport and had acrosses the WAN from a spoke site > to a hub site. And i was told to put an ACL by blocking the above port on > the fastethernet interface, well i was kind of confuse as in, i remember > that netbios arnt routable across the WAN, IF, and i mean IF there is really > such virus uses this ports, they shouldnt be able to traverse to the other > site across the WAN rite?? And when i did some debug ip packet, the udp 136 > and or ofcourse the tcp138 and 139, was captured and dropped! at the > fastethernet interface and TR interface (i had place the ACL on both > fastether and TR) but when i place it on the serial, i dun see any udp 136 > at all!...i jus need some clarification from people at this forum here Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71233&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
>From my /etc/services... netbios-ns 137/tcp#NETBIOS Name Service netbios-ns 137/udp#NETBIOS Name Service netbios-dgm 138/tcp#NETBIOS Datagram Service netbios-dgm 138/udp#NETBIOS Datagram Service netbios-ssn 139/tcp#NETBIOS Session Service netbios-ssn 139/udp#NETBIOS Session Service I believe that these are the NetBIOS over TCP/IP instantiations so to speak. While NetBIOS can easily be run over IPX/SPX or even NetBeui, clearly a tcp/ip port number has to relevant in that case. [rant mode] I cannot blame you for the confusion as Priscilla mentioned that quite a few people somehow believe it is not. I think they are confusing it with NetBeui which techically has nothing to do with each other. (yes the name Netbeui means Netbios Extended User Interface, but still, technically nothing to do with each other in terms of NetBios functionality, it can ride over other network transports) I have had countless debates and arguments where people insisted they are bound to the hip or interchange their names like candy. Here is an interesting excerpt of some dialog I had at a startup I worked at years ago. Premise: When dealing with two separate LANs, as defined as Layer2 domains "Is it possible to get network neighborhood to work between the upstairs and the basement." - VP/Sales "Sure, we just need to bind Netbios over TCP/IP and make sure we can route over the two different networks. We might need to deal with WINS for seamless "naming" integration but it should work fine otherwise." - Carroll "You also will need NetBeui." - Other Tech Guy "[Trying to be nice]. No, sorry [Other Tech Guy], I am pretty sure you will not." - Carroll "Yes you do." - Other Tech Guy "[Still trying to be nice.]. Well, I do not think you do, since Netbeui is a transport protocol, and Netbios rides on top of any protocol it wants to. You already have TCP/IP as your transport, you do not need Netbeui, and on top of that, Netbeui will not cross over the LAN." - Carroll "You are wrong, you need Netbeui." - Other Tech Guy Trying the "wait, look there is a transport, you only need one angle". "But, if that was true, how come I can get a Unix box with Samba to work with a Windows machine. TCP/IP is the transport there, my Unix box has no concept of NetBeui yet it works." - Carroll "Look, Carroll, I have been in the ISP business for over 5 years, I think I know what I am doing." - Other Tech Guy Not that I could see the relevance of NetBeui in an ISP, just that he was clearly pushing his "move aside green horn" argument instead of trying to sensible attack the problem through theory. Well, since the other tech guy was "older" than me, and supposedly "far more experienced", they made sure Netbeui was on every machine. Sigh, I had other responsibilities rather than to go around proving him wrong. But experiences like these is what makes me say... - Check the theory and make sure it sounds right. - Check the practice, make sure it works right. - I don't care about your past experiences; technology moves so fast it invalidates so many "truisms" within months. The guy was wrong on 1, 2, and... for 3, he never had a truism to begin with, just a false sense of knowledge of the systems he worked with. As with those logical fallacies, does not matter how smart or how great your past work is, people can make mistakes. If you say something that is true in the "now", it is true. If you say something that is false in the "now" it is false regardless of your past history. > hi pple, well the reason why i ask this is because, recently i was told by > my network manager that there is a virus which uses netbios (udp 137, tcp > 138 and tcp 139) as a transport and had acrosses the WAN from a spoke site > to a hub site. And i was told to put an ACL by blocking the above port on > the fastethernet interface, well i was kind of confuse as in, i remember > that netbios arnt routable across the WAN, IF, and i mean IF there is really > such virus uses this ports, they shouldnt be able to traverse to the other > site across the WAN rite?? And when i did some debug ip packet, the udp 136 > and or ofcourse the tcp138 and 139, was captured and dropped! at the > fastethernet interface and TR interface (i had place the ACL on both > fastether and TR) but when i place it on the serial, i dun see any udp 136 > at all!...i jus need some clarification from people at this forum here -Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71235&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
At 11:26 AM + 6/24/03, ericbrouwers wrote: >Is NetBIOS a protocol in the sense of ISO's OSI definition?? Not necessarily for ISO, but see RFC 1001 and 1002 for the IETF definition. > I never really >checked it. Originally it was a programming interface on IBM PCs. I did some >network programming with NetBIOS back in 1989... yes, old man... > >When I started reading commercial Cisco certification books, the authors >sometimes tried to convince me that it is a protocolWhatever, I'm not >going to >give a formal answer, but for those interested maybe give the following a >try. It's from IBM's TCP/IP Tutorial and Technical Overview, October 1998, >one of their famous redbooks (http://www.redbooks.ibm.com): > >"... >NetBIOS is a vendor-independant software interface (API), not a protocol. >There is no official NetBIOS specification, although in practice, the >NetBIOS version described in the IBM publication SC30-3587 LAN Technical >Reference: 802.2 and NetBIOS APIs is used as reference. >.." > >Have fun! >:-) >Eric Brouwers > >- Original Message ----- >From: "Priscilla Oppenheimer" >To: >Sent: Tuesday, June 24, 2003 3:50 AM >Subject: Re: netbios [7:71084] > > >> - jvd wrote: >> > >> > OT: >> > hi, i just have to say that i will never try to answer anything >> > on this forum again. :-) >> >> Well, would that be Grumpy, Bashful, Sleepy, or Dopey to do that? :-) >> Seriously, you should keep answering. You have sent some great answers, >but >> you don't want to keep insisting something when replying to my messages. >It >> makes me very Grumpy and I'm not Bashful when wielding a keyboard (just in >> person). I know lots of books claim that NetBIOS isn't routable, but I bet >> those exact same books also classify it as a session-layer protocol. And >it >> does make a good example of a session-layer protocol. One of the few that >we >> have! And if it runs at that layer, then it is routable. I think even IBM >> said it was a session-layer protocol in some of their early documents, >which >> unfortunately, I recently tossed. >> >> Directed broadcasts came from out of the blue. I really don't think >Windows >> networking uses them, although maybe it does. Was the comment maybe in >> reference to the helper address suggestion that I made? You can tell a >> router to send the packets when "it helps" as a broadcast. That's not a >> directed broadcast, though, and will work even if router forwarding of >> directed broadcasts is disabled, which is the default these days. Instead, >> it's a broadcast sent by the router (it has the router's IP address as >> source, on behalf of some other station, to a local LAN, because the >router >> is acting as a proxy, for example, a DHCP Relay Agent.) Was that a run-on >> sentence, or what? :-) >> >> A directed broadcast is directed from afar into a subnet. The sender >usually >> makes classful assumptions, since it can't actually know the local >> definition of a broadcast. It's used by ping scan to send a ping to >> 172.16.255.255, for example, in an attempt to ping everyone on network >> 172.16.0.0. Routers don't forward those these days because of the security >> risks. >> >> Back to NetBIOS. It does send a lot of broadcast traffic for naming >> purposes. In an IP environment, however, a host can be configured to send >> unicast naming queries and name registrations to a WINS server. There are >> probably lots of other issues, though. It really can be quite a pain to >get >> it to work correctly when you migrate from a small LAN to a larger >> internetwork with WANs, subnetting, VLANs, etc. >> >> >> I wonder what the original poster is really trying to do and where he can >> get a good Windows networking (internetworking) design guide. Cisco used >to >> have one, but it's probably way dated now >> >> >> Well, it's late and my writing is deteriorating. Howard covers directed >> broadcasts, by the way, (and a much better description of the OSI model, >> without reference to the dwarves, as I recall, although possibly with >> reference to the deadly sins) in his CertificationZone papers. I recommend > > them. >> >> Priscilla >> >> >> > >> > once i tried to answer a question with regards to bgp and a >> > 1720 router and only after howard helped us out was it clear >> > that the processor does play an important role. ;-) >> > >> > this time only after the input from priscilla is everybody >> > happy about the netbios/netbeui issue. ;-) >> > >> > but then i think what is important is that we dig a bit deeper >> > into some topics! >> > >> > Good work! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71239&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
j k wrote: > > hi pple, well the reason why i ask this is because, recently i > was told by my network manager that there is a virus which uses > netbios (udp 137, tcp 138 and tcp 139) as a transport and had > acrosses the WAN from a spoke site to a hub site. The NetBIOS ports are infamous targets for hackers and viruses. Yes, definitely close them up. > And i was > told to put an ACL by blocking the above port on the > fastethernet interface, well i was kind of confuse as in, i > remember that netbios arnt routable across the WAN, IF, and i > mean IF there is really such virus uses this ports, they > shouldnt be able to traverse to the other site across the WAN > rite?? Yes, they can traverse. They are carried in IP, so of course, they are routable. But the packets to UDP port 137 are usually broadcasts, and so they don't traverse without a helper address. > And when i did some debug ip packet, the udp 136 and or > ofcourse the tcp138 and 139, was captured and dropped! at the > fastethernet interface and TR interface (i had place the ACL on > both fastether and TR) but when i place it on the serial, i dun > see any udp 136 at all!...i jus need some clarification from > people at this forum here 136 is a typo? If the broadcast packets using port 137 don't get through, perhaps you won't see the 138 and 139. The session establishment won't work if the broadcasts don't work first. I would still block it. It can't hurt. They are infamous. And, of course it is routable. If you've read enough networking material to have heard that NetBIOS isn't routable then you must have some idea of what UDP and TCP do and what they run above and one of the main jobs of that protocol!?! Sorry, getting GRUMPY again. :-) Priscilla > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71269&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: netbios [7:71084]
annlee wrote: > > Since the original question related to virus and certain ports, > etc., here's > a good reference to keep an eye on: > > http://isc.incidents.org/ Great! There you have it. NetBIOS port 137 at the top of the list. Since broadcasts aren't carried across a router, the attackers don't send as broadcasts, as a real Windows station would. But who says the attackers have to behave like real stations? :-0 I'm sure most personal firewall default to blocking the NetBIOS ports. I think it's a good idea to block on global firewalls too. I wish I hadn't published my Windows troubleshooting information exclusively with a company that essentially swallowed it and made it disappear. Here's an excerpt from it, FYI. It was mostly written by my co-author, Joe Bardwell. The terminology of NetBIOS communication can be confusing. This is because the NetBIOS acronym has been used to describe more than one thing. NetBIOS refers to the programming interface in all implementations. In the NetBIOS/TCP environment, the term NetBIOS also refers to the portion of the packet that carries NetBIOS commands, replies, and data. In the NetBIOS/NetBEUI environment, the term NetBIOS refers only to the API, and the term NetBEUI refers to the protocol. In the NetBIOS/IPX environment, the term NetBIOS refers to both the API and to the protocol. To understand the details of terminology use, itÂ’s worthwhile to examine the three different frame structures for TCP, NetBEUI, and IPX. A Windows Internet Name Service Query Carried on UDP The NetBIOS/TCP implementation includes NetBIOS commands, replies, and data carried on both TCP and UDP. When a station wants to determine the IP address associated with a particular NetBIOS name, it sends a Windows Internet Name Service (WINS) query which is carried on top of UDP. In this case, there is no specific NetBIOS header in the packet, as seen in the following analyzer output. The packet simply carries a NetBIOS Name Service command directly above UDP. Ethernet Header Destination: FF:FF:FF:FF:FF:FF Ethernet Broadcast Source: 00:60:08:15:A6:9B Protocol Type:0x0800 IP IP Header - Internet Protocol Datagram Version: 4 Header Length:5 (20 bytes) Type of Service: % Precedence: Routine,Normal Delay,Normal Throughput,Normal Reliability Total Length: 78 Identifier: 43062 Fragmentation Flags: %000 May Fragment Last Fragment Fragment Offset: 0 (0 bytes) Time To Live: 128 Protocol: 17 UDP Header Checksum: 0x1781 Source IP Address:192.216.124.55 Dest. IP Address: 192.216.124.255 No IP Options UDP - User Datagram Protocol Source Port: 137 NETBIOS Name Service Destination Port: 137 Length: 58 Checksum: 0x8FD2 NetBIOS Name Service - Network Basic Input/Output System Identification: 0x883A Parameter:0x0110 Request Standard Query Recursion Desired Packet Was Broadcast Number of Questions: 1 Number of Answers:0 Number of Authority: 0 Number of Additional: 0 Query Domain Name:MIKE-PC Server Service Query Type: 32 NetBIOS General Name Service Query Class: 1 Internet Frame Check Sequence: 0x59DF750B A TCP NetBIOS Session Setup Request After determining the IP address of a target node, a NetBIOS/TCP station resolves the IP address to a data-link-layer address by sending an Address Resolution Protocol (ARP) frame. (The station uses the data-link-layer address of the Default Gateway for remote targets). Next, the station establishes a TCP session with the target in the normal manner with a TCP three-way handshake. Using the established TCP session, the originator must now create a NetBIOS session. The following packet is an example of a NetBIOS Session Setup request. Flags:0x00 Status: 0x01 Packet Length:130 Ethernet Header Destination: 00:40:95:96:30:07 Source: 00:60:08:15:A6:9B Protocol Type:0x0800 IP IP Header - Internet Protocol Datagram Version: 4 Header Length:5 (20 bytes) Type of Service: % Precedence: Routine, Normal Delay, Normal Throughput, Normal Reliability Total Length: 112 Identifier: 43830 Fragmentation Flags: %010 Do Not Fragment Last Fragment Fragment Offset: 0 (0 bytes) Time To Live: 128 Protocol: 6 TCP Header Checksum: 0xD53B Source IP Address:192.216.124.55 Dest. IP Address: 192.216.124.45 No IP Options TC
Re: netbios [7:71084]
ok great referrences, thanks everybody, keep the forum live!!! :-) Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71312&t=71084 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]