UDP port 137 Question

I noticed similar port 137 hits a while back, and after a bit of
investigating discovered that every time a colleague visited a web site
(using Netscape, incidentally) the server sent a port 137 request back to
the client PC.

Initially I thought this was a "helpful" MS extension in their server, but
have since seen port 137 hits from their nameservers as well. This probably
points to some interesting name lookups going on at there end, which results
in a NetBIOS name lookup being sent back. Somewhere I have the address of
the server in question - I'll dig it out if there is interest. If nothing
else, their hit count will go up :wink:


One interesting thing MS does is an extension of the resolver libraries.
For example, if I do a netstat -a to show all the connections on my server,
it will try and resolve the IP back to a name (reverse lookup via
in-addr.arpa). However, the extension is: If it can't resolve it via DNS,
it will attempt to look it up using NetBIOS name resolution lookups. If
its a Windoze environment (95, NT), the client will return its host name.

My guess on this one: Their hitting an NT webserver configured to log
names, not IP addresses, in the log file and the client machines don't have
IN-ADDR.ARPA entries.

Two other thoughts:

  1) Keep IN-ADDR.ARPA up to date
  2) Microsoft Internet Information Server only logs IP addresses, not names
given the historical slowness of reverse lookups and sloppy maintenance.
I never understood why forward and reverse maps were decoupled in DNS,
although I'm sure a good reason exists. Process Software Purveyor logs
by name (or did) and I'm not sure about Netscape's servers now.

My $0.02