13 Replies Latest reply: Dec 16, 2011 12:30 AM by Alberto Ravasio
kttri Level 1 Level 1 (0 points)

I just upgraded to Lion about a week ago.  I am running Norton Internet Security and noticed in the firewall that 2 ports are in listening mode for the application launchd for Windows File Sharing.  I have turn off all sharing services so im concerned why these ports would be listening.  I have also noticed that when i use my web browser (either safari or firefox) that launchd connects to the internet through port 138.

 

Through some google searching i have found that Netbios uses these 2 ports which i am guessing and hoping is the explanation.  I'm still confused though on what Netbios does (in non computer expert terms) and what the Netbios Datagram Distribution Service does on port 138.  Are there any security concerns with this or is this normal activity for Lion.

 

I was using Snow Leopard with Norton firewall and never noticed this activity which is why i am asking/concerned.

 

 

Genuis bar did not have a good answer for me so i'm hoping someone here has the expertise on this.

 

 

Thanks!!


iMac, Mac OS X (10.7.2)
  • 1. Re: Ports 137 & 138 on Lion
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    If you enabled File Sharing -> Share File and Folders using SMB (Windows) Lion start listening on port 445 for incoming connections.

     

    Have you got VMware, Parallels, VirtualBox running windows on your iMac?

  • 2. Re: Ports 137 & 138 on Lion
    kttri Level 1 Level 1 (0 points)

    I am not familiar with VMware parallels or virtual box so I am honestly not sure.  How would I know?

  • 3. Re: Ports 137 & 138 on Lion
    kttri Level 1 Level 1 (0 points)

    So i did some looking around as to what these are.

     

    I am not running Windows on my system or any windows alternative.

  • 4. Re: Ports 137 & 138 on Lion
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    Because you don't have any services enable under System Preferences -> Sharing, you should not have those ports open.

     

    If you open Terminal and type

     

    netstat -an -p tcp | grep LISTEN

     

    what do you get?

  • 5. Re: Ports 137 & 138 on Lion
    rkaufmann87 Level 8 Level 8 (42,145 points)

    kttri,

     

    The best advice I can offer is to follow Norton's instructions for removing their software from your system. Using antivirus software on an iMac is a waste of time, resources and possibly money. The reason being is there are zero as in none, nada, zip viruses for OS X. While there are some Trojans in the wild they are few and far between and differ from viruses in that they must be downloaded and installed by the user. While some can fool the unsophisticated if you use the rule of thumb of not downloading anything from a site you either don't know or trust then you will be safe. If you aren't sure then ask.

     

    If you still aren't convinced then uninstall Norton and download ClamXav which is free, up-to-date and non intrusive. While it still isn't necessary it will provide the peace of mind you seek. You can find ClamXav at:

     

    http://www.macupdate.com/app/mac/15850/clamxav

  • 6. Re: Ports 137 & 138 on Lion
    kttri Level 1 Level 1 (0 points)

    Here is what i got:

     

    tcp4       0      0  127.0.0.1.631          *.*                    LISTEN    

    tcp6       0      0  ::1.631                *.*                    LISTEN

     

     

     

    What does this mean?  Help!!

  • 7. Re: Ports 137 & 138 on Lion
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    It's OK.

     

    The only listening port is 631 that is CUPS aka Common Unix Printing System

     

    If you are curious

     

    http://localhost:631

  • 8. Re: Ports 137 & 138 on Lion
    kttri Level 1 Level 1 (0 points)

    Alberto, I appreciate your help on this!!!

     

    I'm still a little confused as to why it would show ports 137 & 138 listening?  Any thoughts?

     

    Also is there a way to turn this off?  I am not sharing my printer with anyone just one computer on the network.

     

     

    Thanks again!

  • 9. Re: Ports 137 & 138 on Lion
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    CUPS is a system service so don't care about it.

     

    I don't know why Symantec shows ports 137 and 138 in listening mode.

     

    The netstat you did, only revealed port 631 listening.

     

    Anyway I totally agree with rkaufmann87. Antivirus/Firewall on a Mac are a complete waste of resource, disk space and ultimately money.

     

    OS X has its own firewall and is more than sufficient for the average user.

  • 10. Re: Ports 137 & 138 on Lion
    kttri Level 1 Level 1 (0 points)

    I guess i'm just paranoid.  Its already paid for so i'll probably stick with it until the subscription runs out.

     

    What is weird is when i visit different websites the firewall shows that windows files sharing port 138 sometimes connects.  Not sure what it is connecting to?

     

     

    Is there a command or way to find out why it connects or to see what ports are open not just listening?

  • 11. Re: Ports 137 & 138 on Lion
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    Is there a command or way to find out why it connects or to see what ports are open not just listening?

     

    netstat is the way to go but I have to rectify the netstat syntax I gave you some posts ago

     

    netstat -an -p tcp

     

    only prints TCP connections and not UDP

     

    This one reveal the famous 137, 138 ports UDP that named this thread.

     

    netstat -an -f inet

     

    I don't know why Lion keeps those ports open even if Windows sharing is disabled

     

    If you want to see the host name instead of IPs

     

    netstat -aW -f inet

     

    and if you want to see IPv6 only connections

     

    netstat -aW -f inet6

  • 12. Re: Ports 137 & 138 on Lion
    kttri Level 1 Level 1 (0 points)

    Well it appears that the below are the culprits....

     

    udp4       0      0  *.netbios-dgm          *.*                              

    udp4       0      0  *.netbios-ns           *.*   

     

    Eventhough the norton firewall shows the netbios-dgm on port 138 connected when i look for the host name using the command you gave me it does not show it is connected to any address.

     

    Through some more google searching i found that netbios-dgm makes "connectionless" connections whatever that means.

     

    I'm not too sure what either of these do just hoping they are not harmful to my mac in any way.

     

     

    Thanks for  the help again Alberto!

  • 13. Re: Ports 137 & 138 on Lion
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    This is roughly what connectionless means

     

    http://en.m.wikipedia.org/wiki/Connectionless_protocol