I'm not sure why it would be look do this either. I'm not using WIN in my network?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, August 04, 2005 1:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: What does this mean?

http://www.ISAserver.org

You need to learn to read the ISA logs. The details of what each log field means are listed in the ISA help and online at http://support.microsoft.com/default.aspx?scid=kb;en-us;284818.

source-ip == blocked ip. This means it came from your ISA
param#1 == protocol == UDP
param#2 == port == 137

UDP:137 is used for NetBIOS name resolution, which is attempted only when:
- simple names are passed for lookups
- DNS lookups fail
- the host is making a WINS lookup

Because this traffic is destined for a specific server, it's likely a WINS request. The question I then pose to you is "why are you using an external WINS server?"

BTW, when you see similar traffic destined for ip.add.re.ss:UDP:137 and the destination IP is a broadcast IP, this is a NB broadcast. These can be stopped by applying this regvalue:

HKLM\System\CurrentControlSet\NetBT\Parameters\NodeType, DWORD == 0x2

..and reboot the ISA, you won't see these generated by the ISA itself any more.
http://support.microsoft.com/?id=160177 refers.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
________________________________________
From: adam.staub@xxxxxxxxxxxxxxxx [mailto:adam.staub@xxxxxxxxxxxxxxxx]
Sent: Thursday, August 04, 2005 11:34
To: [ISAserver.org Discussion List]
Subject: [isalist] What does this mean?

http://www.ISAserver.org

I'm seeing the following in my IPFilter log: What does it mean? Is somebody looking for open shares?
I'm 64.113.223.123

date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2005-08-04 18:26:03 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:03 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:05 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:06 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:08 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123

Thanks,
Adam

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
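The triage discussed in this thread (blocked UDP:137 rows, unicast versus broadcast destination, and whether the firewall itself is the source) can be scripted. The following is an added example, not code from the thread or from ISA Server; the function names are hypothetical, and it assumes that for UDP rows param#1 is the source port and param#2 the destination port, as the quoted column order and sample rows suggest.

```python
import ipaddress
from collections import Counter

# Column order as given in the log header quoted in the thread.
FIELDS = ["date", "time", "source_ip", "destination_ip", "protocol",
          "param1", "param2", "filter_rule", "interface"]

# Constructed sample: rows 1-2 are copied from the post, row 3 is made up
# (documentation address range) to show the broadcast case.
SAMPLE = """\
2005-08-04 18:26:03 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:05 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:27:10 192.0.2.10 192.0.2.255 Udp 137 137 BLOCKED 192.0.2.1
"""

def parse_ipfilter_log(text):
    """Yield one dict per well-formed row; skip comments and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def classify(rec, local_nets):
    """Return (kind, origin) for UDP rows to port 137, else None."""
    # Assumption: for UDP, param2 holds the destination port.
    if rec["protocol"].lower() != "udp" or rec["param2"] != "137":
        return None
    dst = ipaddress.ip_address(rec["destination_ip"])
    broadcast = (dst == ipaddress.ip_address("255.255.255.255")
                 or any(dst == net.broadcast_address for net in local_nets))
    kind = "netbios-broadcast" if broadcast else "netbios-unicast"
    # Source equal to the logging interface: the firewall sent it itself.
    origin = "firewall" if rec["source_ip"] == rec["interface"] else "other-host"
    return kind, origin

def summarize(text, local_nets=()):
    """Count UDP:137 rows per (source, destination, kind, origin)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    counts = Counter()
    for rec in parse_ipfilter_log(text):
        label = classify(rec, nets)
        if label:
            counts[(rec["source_ip"], rec["destination_ip"]) + label] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, ["192.0.2.0/24"]).items():
        print(n, *key)
```

Pass the firewall's directly attached subnets as `local_nets`; without them only the limited broadcast address 255.255.255.255 is recognised as a broadcast destination.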