13 Replies Latest reply: Dec 16, 2011 12:30 AM by Alberto Ravasio
kttri Level 1 (0 points)

I just upgraded to Lion about a week ago. I am running Norton Internet Security and noticed in the firewall that 2 ports are in listening mode for the application launchd for Windows File Sharing. I have turned off all sharing services, so I'm concerned why these ports would be listening. I have also noticed that when I use my web browser (either Safari or Firefox), launchd connects to the internet through port 138.

Through some Google searching I have found that NetBIOS uses these 2 ports, which I am guessing and hoping is the explanation. I'm still confused, though, on what NetBIOS does (in non-computer-expert terms) and what the NetBIOS Datagram Distribution Service does on port 138. Are there any security concerns with this, or is this normal activity for Lion?

I was using Snow Leopard with Norton firewall and never noticed this activity, which is why I am asking/concerned.

Genius Bar did not have a good answer for me, so I'm hoping someone here has the expertise on this.




iMac, Mac OS X (10.7.2)
  • Alberto Ravasio Level 4 (3,600 points)

    If you enabled File Sharing -> Share Files and Folders using SMB (Windows), Lion starts listening on port 445 for incoming connections.

    Have you got VMware, Parallels, or VirtualBox running Windows on your iMac?

  • kttri Level 1 (0 points)

    I am not familiar with VMware, Parallels or VirtualBox, so I am honestly not sure. How would I know?

  • kttri Level 1 (0 points)

    So I did some looking around as to what these are.

    I am not running Windows on my system or any Windows alternative.

  • Alberto Ravasio Level 4 (3,600 points)

    Because you don't have any services enabled under System Preferences -> Sharing, you should not have those ports open.


    If you open Terminal and type


    netstat -an -p tcp | grep LISTEN


    what do you get?

  • rkaufmann87 Level 8 (48,130 points)

    The best advice I can offer is to follow Norton's instructions for removing their software from your system. Using antivirus software on an iMac is a waste of time, resources and possibly money. The reason is that there are zero, as in none, nada, zip, viruses for OS X. While there are some Trojans in the wild, they are few and far between and differ from viruses in that they must be downloaded and installed by the user. While some can fool the unsophisticated, if you use the rule of thumb of not downloading anything from a site you either don't know or trust, then you will be safe. If you aren't sure, then ask.

    If you still aren't convinced, then uninstall Norton and download ClamXav, which is free, up-to-date and non-intrusive. While it still isn't necessary, it will provide the peace of mind you seek. You can find ClamXav at:



  • kttri Level 1 (0 points)

    Here is what I got:


    tcp4       0      0          *.*                    LISTEN    

    tcp6       0      0  ::1.631                *.*                    LISTEN




    What does this mean?  Help!!

  • Alberto Ravasio Level 4 (3,600 points)

    It's OK.

    The only listening port is 631, which is CUPS, aka Common Unix Printing System.


    If you are curious



  • kttri Level 1 (0 points)

    Alberto, I appreciate your help on this!!!

    I'm still a little confused as to why it would show ports 137 & 138 listening. Any thoughts?

    Also, is there a way to turn this off? I am not sharing my printer with anyone, just one computer on the network.



    Thanks again!

  • Alberto Ravasio Level 4 (3,600 points)

    CUPS is a system service so don't care about it.

    I don't know why Symantec shows ports 137 and 138 in listening mode.

    The netstat you did only revealed port 631 listening.

    Anyway, I totally agree with rkaufmann87. Antivirus/Firewall on a Mac are a complete waste of resources, disk space and ultimately money.

    OS X has its own firewall and is more than sufficient for the average user.

  • kttri Level 1 (0 points)

    I guess I'm just paranoid. It's already paid for, so I'll probably stick with it until the subscription runs out.

    What is weird is when I visit different websites the firewall shows that Windows file sharing port 138 sometimes connects. Not sure what it is connecting to?

    Is there a command or way to find out why it connects or to see what ports are open, not just listening?

  • Alberto Ravasio Level 4 (3,600 points)

    Is there a command or way to find out why it connects or to see what ports are open not just listening?


    netstat is the way to go but I have to rectify the netstat syntax I gave you some posts ago


    netstat -an -p tcp


    only prints TCP connections and not UDP


    This one reveals the famous UDP ports 137 and 138 that named this thread.


    netstat -an -f inet


    I don't know why Lion keeps those ports open even if Windows sharing is disabled


    If you want to see the host name instead of IPs


    netstat -aW -f inet


    and if you want to see IPv6 only connections


    netstat -aW -f inet6

  • kttri Level 1 (0 points)

    Well it appears that the below are the culprits....


    udp4       0      0  *.netbios-dgm          *.*                              

    udp4       0      0  *.netbios-ns           *.*   


    Even though the Norton firewall shows the netbios-dgm on port 138 connected, when I look for the host name using the command you gave me it does not show it is connected to any address.

    Through some more Google searching I found that netbios-dgm makes "connectionless" connections, whatever that means.

    I'm not too sure what either of these do, just hoping they are not harmful to my Mac in any way.

    Thanks for the help again Alberto!

  • Alberto Ravasio Level 4 (3,600 points)

    This is roughly what connectionless means
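
The netstat readings discussed in this thread (TCP rows in LISTEN state versus stateless UDP rows such as netbios-ns and netbios-dgm with a foreign address of `*.*`), as an added example that is not part of any original post. The function names `classify_sockets`, `sample_netstat` and `exposed_netbios` are hypothetical, and the sample rows and addresses are constructed, not captured from the poster's Mac.

```shell
#!/bin/sh
# Classify sockets from macOS `netstat -an` output read on stdin.
# Prints one line per socket: <proto> <port> <scope> <kind>
classify_sockets() {
  awk '
    $1 !~ /^(tcp|udp)[46]*$/ { next }          # skip header lines
    {
      proto = $1; local = $4; foreign = $5; state = $6
      if (proto ~ /^tcp/) {
        if (state != "LISTEN") next            # established rows are not listeners
        kind = "tcp-listen"
      } else {
        if (foreign != "*.*") next             # UDP socket tied to one peer by connect()
        kind = "udp-bound"                     # no handshake, so netstat shows no state
      }
      n = split(local, part, /\./)
      port = part[n]                           # macOS joins address and port with a dot
      addr = substr(local, 1, length(local) - length(port) - 1)
      if (port == "netbios-ns")  port = 137    # names appear when -n is omitted
      if (port == "netbios-dgm") port = 138
      if (addr == "*") scope = "all-interfaces"
      else if (addr == "::1" || addr ~ /^127\./) scope = "loopback"
      else scope = addr
      print proto, port, scope, kind
    }'
}

# Constructed sample in the layout of macOS `netstat -an`; not captured output.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  192.168.1.20.49213     203.0.113.10.443       ESTABLISHED
udp4       0      0  *.netbios-dgm          *.*
udp4       0      0  *.137                  *.*
udp4       0      0  192.168.1.20.50000     203.0.113.10.53
EOF
}

# NetBIOS UDP sockets bound on every interface, i.e. reachable from other hosts.
exposed_netbios() {
  classify_sockets | awk '$3 == "all-interfaces" && ($2 == 137 || $2 == 138)'
}

sample_netstat | classify_sockets
```

On the Mac itself, pipe the live command in instead of the sample: `netstat -an -f inet | exposed_netbios`.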