port 137 broadcast, no smb running

Question

Level 2

325 points

port 137 broadcast, no smb running

Near as I can read my router logs, my Mac Mini running Tiger (fully updated) with no virtual PC or anything similar is pounding on my internal lan. broadcasting on port 137 (netbios) udp three times a second.

(My ISP set my router to reject smb outbound, which does not bother me at all.)

I have no (0) machines on the internal lan running MSWindows. I have tried to get wine running on my AMD Linux/BSD box, but that box is powered down right now. This seems to be a recent phenomenon, since I updated the OS last.

I think I may have had smb enabled at one point about a week ago when I had a Linux laptop here from work that had smb sharing enabled on it.

I have never had such things from my older iBook.

Any idea why this would be happening?

iBook tangerine, Mac OS X (10.2.x), no intel

Posted on Mar 27, 2006 5:39 PM

Reply

Answer 1

Tim Haigh

Level 7

24,198 points

Mar 27, 2006 5:48 PM in response to Joel Rees

I can detect what application or a background process is dialing out of my my mac mini on any port as I have a great utlity on my mini called Little Snitch. Little Snitch is an application aware firewall ththat detects all abound network activity, give it a try.

Reply

Answer 2

Joel Rees Author

Level 2

325 points

Mar 28, 2006 2:13 PM in response to Tim Haigh

I don't care to load my machines with shareware.

I used tcpdump and top and a lot of patience and got a few glimpss of nmblookup doing the broadcast. To go any farther, I'll need to write a short endless loop script to watch the output of ps and grab the parent process id, I suppose.

I'm thinking (hoping?) that it might be the drivers for my epson printer, that I loaded in the mini recently, interacting in some strange way with Bonjour on Tiger.

Reply

Answer 3

Tim Haigh

Level 7

24,198 points

Mar 28, 2006 2:44 PM in response to Joel Rees

Those UNIX tools your prepared to use are good and I use them myself. But little snitch may be the fastest way to isolate the process that is causing your issue.

I don't care to load my machines with shareware.

One would think you look down upon shareware as if it is not very good. You seem to be putting shareware down. It appears to me that your dismissing my suggestion with that comment also.

I only recommend software that I have fully evaluated and used myself. Some of the most invaluable applications and utilies I use on my mac are Shareware. I also use a lot of opensource software as well.

Reply

Answer 4

Joel Rees Author

Level 2

325 points

Mar 28, 2006 4:50 PM in response to Joel Rees

After watching my logs and playing with tcpdump and top and rebooting a couple of times to see what order things happen in, I've been able to determine that the broadcasts do not start until I have run mail once.

I am not sure if it is just this user or the mail app, I suppose I should check this user's proeferences for mail before I switch back to the admin user to see if I can catch the parent process id and pin the tail on this donkey.

Reply

Answer 5

Joel Rees Author

Level 2

325 points

Mar 28, 2006 6:02 PM in response to Joel Rees

I've run mail several times after this last boot, and I'm not getting the broadcasts.

So, I'm beginning to get paranoid and imagine things like a trojan, with the author monitoring Apple's forii. Or, maybe spam containing HTML that has a link that tries to hit the local network on the samba port, and I just happened not to hit that spam and open it this time as I scanned through the spam box to make sure I wasn't getting any important false positives?

butsubutsubutsubutsu

Reply

Answer 6

Joel Rees Author

Level 2

325 points

Mar 28, 2006 7:29 PM in response to Joel Rees

Okay, now I know. Directory services is the parent of nmblookup, which means that nmblookup is not being called by some unknown daemon.

Tools used? something like

top

sudo tcpdump -vvv -XX -i en0 port 137

while [ 1 ] ; do ps wwalx | grep [m]blookup ; done;

each in its own terminal window. If I'd looked in man and used the "l" option to ps last night instead of the one I've had a habit of using, I'd have known the parent process already.

This leaves me with the question of why DirectoryServices should be calling nmblookup when I have smb shut down completely, as far as I know, but web searches last night and today don't seem to reveal any particular reason.

Rendezvous/zeroconf/Bonjour?

Reply