
Netbios 137/138 through ASA- UDP request discard logs

Ramesh M
Level 1

Hi,

I am getting a lot of UDP requests discarded from 10.145.0.66/138 to outside 10.145.0.255/138 (Log message ID 710005).

I am herewith attaching the config file.

Appreciate your early response.

Regards / Ramesh M

7 Replies

Jouni Forss
VIP Alumni

Hi,

As with your other discussion, this seems to be broadcast traffic related to Netbios that stops at the firewall as expected.

- Jouni

Hi

From where is the traffic initiated, and what is the reason for this error? Why is this NetBIOS traffic broadcast?

Also the source and destination are on the same interface.

Please suggest.

Regards / Ramesh M

Hi,

The traffic is initiated from the host mentioned in the log message (10.145.0.66) and the broadcast is naturally destined for the broadcast address (10.145.0.255) of that subnet, as you can also see from the log message. The source and destination are naturally on the same network, as broadcast traffic won't go beyond the first L3 hop (router hop) in the network.

I don't know the operation of NetBIOS well enough to give you a good explanation, but to my understanding, in Windows host networks where no separate name server is used, the operation is based on broadcast traffic.

In your case the ASA naturally sees this traffic as it's broadcast traffic and drops it as expected.

- Jouni

Hi

Still I am getting a huge number of discard traffic.

Is there any chance of port scanning / attack / botnet?

Hi,

If you have your Windows host on a switch network and their gateway is the ASA then you will keep seeing these messages from multiple devices.

These messages are not port scanning. They are just typical broadcast traffic from the Windows hosts.

- Jouni
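
A way to check this against an exported log, as an added example that is not part of the thread or of any Cisco tooling: the Python below separates 710005 discards that are UDP 137/138 sent to the subnet broadcast address (the noise described above) from every other discard, which is the part worth reading. The /24 mask, the extra addresses and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Layout of message 710005 as quoted in the thread; the ASA writes the
# interface as "outside:", the post shows "outside ", so both are accepted.
LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) request discarded from (?P<src>[\d.]+)/\d+ "
    r"to \S+?[: ](?P<dst>[\d.]+)/(?P<dport>\d+)"
)
NETBIOS_UDP_PORTS = {137, 138}  # name service and datagram service


def triage(lines, subnet):
    """Split 710005 discards into NetBIOS broadcast noise and lines to review.

    Returns (noise, review): noise maps source -> count of UDP 137/138
    broadcasts; review maps source -> set of (destination, port) for the rest.
    """
    net = ipaddress.ip_network(subnet)
    broadcasts = {net.broadcast_address, ipaddress.ip_address("255.255.255.255")}
    noise, review = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a 710005-style discard line
        dst, dport = ipaddress.ip_address(m["dst"]), int(m["dport"])
        if m["proto"] == "UDP" and dport in NETBIOS_UDP_PORTS and dst in broadcasts:
            noise[m["src"]] += 1
        else:
            review[m["src"]].add((str(dst), dport))
    return dict(noise), dict(review)


# Constructed sample lines (only the first address pair comes from the thread).
SAMPLE = [
    "%ASA-7-710005: UDP request discarded from 10.145.0.66/138 to outside:10.145.0.255/138",
    "%ASA-7-710005: UDP request discarded from 10.145.0.66/137 to outside:10.145.0.255/137",
    "%ASA-7-710005: UDP request discarded from 10.145.0.70/138 to outside:10.145.0.255/138",
    "%ASA-7-710005: TCP request discarded from 10.145.0.90/51000 to outside:10.145.0.1/23",
    "%ASA-7-710005: TCP request discarded from 10.145.0.90/51001 to outside:10.145.0.1/8080",
]

if __name__ == "__main__":
    noise, review = triage(SAMPLE, "10.145.0.0/24")  # /24 is an assumption
    print("broadcast noise:", noise)
    print("needs review:  ", review)
```

A source that appears only in the first dictionary matches the broadcast behaviour described in the reply; a source in the second dictionary with many distinct ports or destinations deserves a closer look.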

Hi,

Is it possible to disable the NetBIOS ports 137 and 138 on the server? Will it cause any impact?

Please suggest.

Regards / Ramesh M

Hello,

Are you using DHCP on your network?

You can do this via DHCP.

Or manually

  1. From the Start menu, right-click My Computer, and then click Manage.
  2. Expand System Tools, and then clear the Device Manager check box.
  3. Right-click Device Manager, point to View, and then select Show hidden devices.
  4. Expand Non-Plug and Play Drivers.
  5. Right-click NetBios over TCP/IP, and then click Disable.

This disables the SMB direct host listener on

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC