Lion and Netbiosd

Yeah, I have the same issue.

@Marc Wilson

Seems you are not interested in this problem. So why do you answer?

I´m using Little Snitch and got a message today that netbiosd tried to connect to 10.37.129.255 on port 137 (netbiosd-ns).Netbiosd is part of the BSD system. The first line of the description says: "netbiosd is responsible for interacting with NetBIOS networks".

So far I´m not sure if one needs netbiosd or not.

My imac is trying to connect to the same ip address (10.37.129.255). I denied the connect via Little Snitch and we'll see what effect it has.

my Littlesnitch alert me three times:

1- On 14-gen-2013, netbiosd tried to establish a connection to user-pc on port 139 (netbios-ssn). The request was denied via connection alert.

2-On 14-gen-2013, netbiosd tried to establish a connection to user-pc on port 445 (microsoft-ds). The request was denied via connection alert.

3-On 06-feb-2013, netbiosd tried to establish a connection to 192.168.0.255 on port 137 (netbios-ns). The request was denied automatically during login.

I blocked any connection.

George

Same here. Blocked here too. Apple installed this, Apple needs to drop the word on what this is. So, Apple?

Marc, before you even bother, troll elsewhere. I don't care.

LittleSnitch flagged it as trying to connect to another computer on my Wi-fi network. Said computer is a Windows machine, and once I blocked netbiosd I can no longer see that computer in Finder. Not sure if this helps anyone, but my guess is that netbiosd is meant to help Apple computers talk to Windows machines.

Network Basic Input/Output System.

NetBIOS is a communication protocol, sort of a languace that computeres talk to each other in. What disturbs me is that at least some communications seem to go directly out through this process and not the respective processes that initiated tem.

That means NetBIOSd (the process not protocoll) appears to have devolved (from a firewall/net security point of view) to be a method of bypassing your firewall, it seems that certain applications can ask NetBIOS to ping locations on it's behalf... I do not know whether they are actually able to send data or not but according to the specification of the protocol itself they should be able to. Even if they cannot, at the very least they can 'know' that they have been firewalled by using NetBIOS to ping the location other behalf and seeing if it unreacheable too.

Due to the fact that NetBIOS is a Unix/BSD method of achieving said way, and was probably left in to make the Network Utility backend and not much else, I am inclined to block it. If any application whatsoever can make a connection via this daemon without the connection being traced back to that application, then a malicious application/user can most probably take advantage of it to contact a remote network once seeded/send out important user information/do any host of malicious things, all whilst looking like a humble part of the OSX system.

This is very much the problem that I used to have in Windows with Services all being hosted as multiple svchost processes... very much destroying your ability to destroy them as you see fit in the event of a virus threat... not to mention COM events, which did just this and allowed applications to ask windows to do things on it's behalf. Many a good virus shut your system down using COM (as in locked you out) the moment they got hands on elevated priviledges.

Thanks for that great info.

everytime I see (microsoft-ds) I block it forever - keeps showing different port - and each time I get (netbios-ssn) or (netbios-ns) I block until quit - just in case.

Everything works fine so I am going to assume its some kind of "sniffer" (introduced as a "useful" tool)

From now on I shall block all permanently - see how it goes - I will report back if it gives problems.

Little Snitch is one GREAT APP - very happy buyer!

I just encountered this today, but in my case Netbios wanted to contact forum.techhive.com!!! Safari was open but with no tabs loaded, and no other browsers were open. Why the %$*& does my OS want to connect to techhive's forum? I am not a user of Techhive's forum, and never visit it delivberately. I may have ended up there after a google search at some point yesterday (more than 12 hours ago - why is Netbios doing it's thing now?!).

Stumbled across this thread and am intrigued. I have little snitch installed and also allow Netbios on my local LAN to talk to Windows machines/shares. I permantly block it inbound.

However, really weird thing happened just 30 minutes ago. I am on holiday in Portugal, using Hotel Wifi, standard Open Wifi with proxy sever asking you for username and password. Booted Mac up and Netbiosd tried to connect 3 times (I blocked it once every time to see how many times it tried) to:

25.124.134.185 - port 445

Which is a Ministry of Defence IP address, I used RIPE to look it up.

This kind of freaked me out, as I am an I.T. consultant who is very aware of any suspicious traffic.

My Mac has never done this before in the previous 3 years I have had it and I have travelled a bit with it.

Is there any way I can dig into the NetBiosd process to see what it was trying to do talking to a MOD IP address??

Adrian.

I just got the same message as I was booting up Parallels. Is it that Windows or Parallels is trying to set up communication between my Mac OS and Windows?

Graham I am getting the same netbiosd request as you (microsoft-ds). I would be very interested to hear the result of your block all action in this matter. As I am inclined to do the same but shall wait for your research. Thanks

I am having a problem with connecting to the internet on my Mac mini, ATV2 & iPhone 5. All on one network though, my iPhone is connecting to my home and other networks just fine. I ran netstat in network utility and there's an active established internet connection to an ip address with .microsoft-ds on the end, this is what led me here. I have no idea how to handle this and find it difficult to follow some of the comments. If you wouldn't mind helping me I'd appreciate that and will post whatever you'd need to help me with this.? Before everything stopped working I was able to upload files to Pogoplug cloud but couldn't get my magicjack to work or connect to safari. That was very strange but now nothing connects, at least on my side. According to network utility there is a connection and it looks like it's working great but I can't do anything. This is starting to worry me, I've done all the troubleshooting steps recommended by Apple. Right now I'm making a backup of the mini and plan on doing a full wipe if I don't get it resolved through the support community. All my software is up to date running 10.9. The network I'm on is an open network at my work. The router or gateway is "AMBIT Broadband" and the provider is Time Warner.

Hope to hear back

This is a little old, but as I came across it looking for something else, thought I'd chime in...

Netbios was a network computer/file sharing protocol used by Microsoft and IBM networks TCP/IP was much beyond the a few research labs. Netbios-over-TCP was a step up which allowed for routing over subnets (strict Netbios doesn't) and a few other features we take for granted when networks span more than just a single office. Netbiosd is part of the the BSD/Linux/Mac OS X implementation of this and is used primarily for talking to Windows based sharing services.

Part of the Netbios specification is that every so often, a computer on your local network (or that can be easily routed to you) sends out a broadcast "Hey I'm Here!" message... this is how you see computers listed when you Browse for local file servers, etc.

Now, I can't say for certain about the public IP addresses listed by some of you above, but I can say that anything in one of the following ranges is considered private (i.e. limitted to behind a firewall and not routed outside of your immediate network):

10.0.0.0 through 10.255.255.255

169.254.0.0 through 169.254.255.255

172.16.0.0 through 172.31.255.255

192.168.0.0 through 192.168.255.255

I've seen a few going out to 10.37.129.255, which indicates that my machine is broadcasting to the 10.37.129.0/24 network that it exists... a little digging, and sure enough, 10.37.129.2 is the IP address for one of my Parallels virtual interfaces... so it is the Mac side of the Parallels network interface that is notifying the rest of my network that it can recognize Netbios information.

Now, if you never access Windows file servers or printers, you can safely block the process entirely and never look back. However, if you do access Windows based network services from your Mac, you may find that you can no longer browse directly to them but have to access them by IP address (smb://10.0.1.4/Files as opposed to smb://WindowsServer/Files, for example). However, you should still be able to share fine. If you can identify your specific local networks (usually in one of the ranges above), you can allow the process for those IPs, and block it for all else, but I'm not sure if LittleSnitch supports that yet (just got it a few days back). I know the built in IP based firewall can be set up to block it adn allow only specific address ranges to work.

So, hope that helps some... like I said, not sure about the 1 or 2 address mentioned above that are public, but thought I'd share.

--

A-Ron

So... it's safe to block and doesn't really

Thank you.