DC sending lots of random netbios UDP packets?!

[Guest Usenet]

I've swapped over a firewall this morning.

 

The new brick has much more/better logging than the previous one.

 

Our internal IP range is 10.x.x.x and I'm seeing loads of netbios

tcp/udp traffic being blocked by the firewall that is for all manner of

destinations i.e. 192.168.x.x, 172.22.100.x, 100.0.0.254 and so on.

 

We don't use any of those ranges, and the DC is the only machine that is

doing this.

 

I've ran lots of virus scans and I believe I've ruled out any sort of

trojan/infection etc. and if it were a "nasty" I don't think I'd be

seeing so much for the 192.168.x.x ranges.

 

Any suggestions on what on earth may be going on would be welcome.

 

The machine is our PDC Emulator/FSMO master and is Windows 2003 R2

running on a HP DL360 G4 with PSP 8.x installed and the two NICs teamed.

 

I have been running tcpview and have run several spyware/trojan/rootkit

tools and they all come back clean.

 

I'm convinced this is some function specific to the fact that it's a

domain controller as the firewall would log anything else and we have

too many desktops and servers here for me to think it's co-incidence

that it's the DC.

 

All the dropped requests are netbios-udp and nothing is netbios-tcp.

 

Sample IP addresses are:

 

172.22.100.103

202.250.33.5

100.0.0.254

192.168.x.x

 

Most of these IPs are either private, or come back as being reserved,

which makes me suspect it's responding to broadcasts from bits of

network kit such as switches that have been "dropped" into our network

without having been configured away from the factory defaults.

 

Questions is does that sound correct, and other than a lengthy tracking

down process, is there any way around it?