06-26-2008
Lew Pitcher

Re: Why sending packets to broadcast IP?

In comp.os.linux.networking, news@celticbear.com wrote:

> I noticed a whole lot of traffic going on one of our subnets, and
> brought up the IPCop (IDS/firewall/router PC) log summary, and found
> this section:
>
> Logged 832 packets on interface eth1
>   From 192.168.2.2 - 392 packets
>     To 192.168.2.1 - 219 packets
>       Service: domain (udp/53) (INPUT,eth1,none) - 219 packets
>     To 192.168.2.7 - 170 packets
>       Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 170 packets
> --snip--
>   From 192.168.2.3 - 440 packets
>     To 192.168.0.9 - 10 packets
>       Service: axon-lm (tcp/1548) (NEW not SYN?,eth1,eth0) - 10 packets
>     To 192.168.2.1 - 117 packets
>       Service: domain (udp/53) (INPUT,eth1,none) - 117 packets
>     To 192.168.2.7 - 313 packets
>       Service: netbios-ns (udp/137) (INPUT,eth1,none) - 84 packets
>       Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 229 packets
>
> 192.168.2.2 is our file server
> 192.168.2.3 is our internal Web server
> 192.168.2.1 is the IPCop machine's NIC
> 192.168.2.7 is the broadcast IP for the subnet
>
> Why in the world are the two servers sending so much traffic to the
> broadcast IP?!


Given the target ports of those packets, my guess is that you have SMB
servers running on 192.168.2.2 and 192.168.2.3, and they are performing the
requisite scan of your network for SMB client machines and SMB domain
controllers. netbios-ns is the SMB "Name server" port that lets client SMB
systems determine SMB network names, while netbios-dgm is the SMB datagram
port.



--
Lew Pitcher

Master Codewright & JOAT-in-training | Registered Linux User #112576
http://pitcher.digitalfreehold.ca/ | GPG public key available by request
---------- Slackware - Because I know what I'm doing. ------


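An added example, not part of the original post: a short Python parser for the log summary format quoted above, totalling per source the packets sent to the subnet broadcast address on the two NetBIOS UDP ports the reply identifies. The /29 network is inferred from the stated broadcast address 192.168.2.7, the sample is the quoted log with wrapped lines rejoined, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the log summary quoted in the post, with the wrapped
# "packets" lines rejoined and the "--snip--" marker left out.
SAMPLE = """\
From 192.168.2.2 - 392 packets
To 192.168.2.1 - 219 packets
Service: domain (udp/53) (INPUT,eth1,none) - 219 packets
To 192.168.2.7 - 170 packets
Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 170 packets
From 192.168.2.3 - 440 packets
To 192.168.0.9 - 10 packets
Service: axon-lm (tcp/1548) (NEW not SYN?,eth1,eth0) - 10 packets
To 192.168.2.1 - 117 packets
Service: domain (udp/53) (INPUT,eth1,none) - 117 packets
To 192.168.2.7 - 313 packets
Service: netbios-ns (udp/137) (INPUT,eth1,none) - 84 packets
Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 229 packets
"""

# Assumption: 192.168.2.0/29, the network whose broadcast address is 192.168.2.7.
SUBNET = ipaddress.ip_network("192.168.2.0/29")
NETBIOS_UDP = {137: "netbios-ns", 138: "netbios-dgm"}
SERVICE = re.compile(r"Service: (\S+) \((\w+)/(\d+)\) \(.*\) - (\d+) packets")

def parse_flows(text):
    """Yield (src, dst, service, proto, port, packets) for each Service line."""
    src = dst = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("From "):
            src = ipaddress.ip_address(line.split()[1])
        elif line.startswith("To "):
            dst = ipaddress.ip_address(line.split()[1])
        elif (m := SERVICE.match(line)):
            yield src, dst, m[1], m[2], int(m[3]), int(m[4])

def netbios_broadcast_totals(text, subnet=SUBNET):
    """Sum packets per source sent to the subnet broadcast on udp/137 or udp/138."""
    totals = {}
    for src, dst, _svc, proto, port, count in parse_flows(text):
        if dst == subnet.broadcast_address and proto == "udp" and port in NETBIOS_UDP:
            totals[str(src)] = totals.get(str(src), 0) + count
    return totals

if __name__ == "__main__":
    print(netbios_broadcast_totals(SAMPLE))
```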