Disable NetBIOS UDP 137 traffic

Created by Malik Haider, last modified by Kevin Twomey on Jan 18, 2017


Overview

This article describes how the Orion server uses NetBIOS (UDP port 137) to reach out to all the devices that Orion monitors. You can disable the NetBIOS over TCP/IP protocol and write an LMHOSTS file for the servers that need to be resolved using NetBIOS names. Doing so prevents NetBIOS lookup queries from trying to go through your firewall.

 

Note: NetBIOS lookups happen from the Orion engine before a DNS lookup. Also, DNS lookups only reach out to the first DNS server (primary DNS) they can reach. This matters when DNS replication is not set up properly, because some hosts will then not resolve via the primary DNS server.

 

That's pretty much what I expected with NTA. NTA will take any netflow data that is being sent to it from your layer 3 devices, record the Source and Destination IPs in the flow data, then attempt to resolve the names of those IPs (whether they are valid or not) through DNS and NetBios for display in the web console. It doesn't attempt to confirm whether the IPs are real or not, only that it is seeing it within the flow packets themselves.

 

The correction to a point however pertains to this: NTA must be configured to allow the NetBIOS requests to be initiated and for it to be concurrent, it must be set to Persistent name resolution in the NTA settings. Easiest way to confirm is to go to NTA Settings, scroll down to DNS and NetBIOS Resolution and see if Enable NetBIOS resolution of endpoints is checked. Likely as well, the setting for DNS Resolution Option is set to Persistent as well.

 

Collects flow packets > parses source\destination IPs in convos > stores the IPs > queues them for name resolution > issues resolution through DNS\LLMNR for everything configured on the server (DNS servers, etc) > issues netbios lookup to whatever it can reach to resolve naming through that method (if enabled) > awaits response > stores name upon return.

 

We unfortunately do not have any white sheet documentation stating this exact process, at least nothing that we can release, but if it comes into question whether this is intended design I can confirm and I can indicate in the admin guide that NTA can and does attempt naming resolution through NetBIOS.

 

I'd say your next method to test is to check the NTA Settings page, disable NetBios resolution if it's enabled, then see what happens when you restart the service.

Environment

All versions of NPM 

Steps

  1.  Go to Control Panel > Network and Sharing Center > Manage Network Connections.
    If you have multiple NICs, be sure to disable it on the NIC used by the Orion engine.
  2.  Select the interface, right-click it, and then select Properties.
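
The same change can be audited and applied from an elevated PowerShell session. This is an added example, not SolarWinds code: it reports the NetBIOS over TCP/IP setting of every IP-enabled adapter and, with `-Apply`, disables it on the Orion engine's NIC through the standard `Win32_NetworkAdapterConfiguration` WMI class. The address `192.0.2.10` and the parameter names `OrionNicIp` and `Apply` are placeholders chosen for this example.

```powershell
# Added example: audit and disable NetBIOS over TCP/IP on the Orion engine's NIC.
# Run elevated on the Orion server. 192.0.2.10 is a constructed placeholder address.
param(
    [string]$OrionNicIp = '192.0.2.10',  # IP of the NIC used by the Orion engine
    [switch]$Apply                       # without -Apply the script only reports
)

# Meaning of TcpipNetbiosOptions in Win32_NetworkAdapterConfiguration
$netbiosState = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NetbiosState {
    # One row per IP-enabled adapter with its current NetBIOS over TCP/IP setting
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Index, Description,
            @{ n = 'IPAddress'; e = { $_.IPAddress -join ',' } },
            @{ n = 'NetBIOS';   e = { $netbiosState[[int]$_.TcpipNetbiosOptions] } }
}

'Current state of all IP-enabled adapters:'
Get-NetbiosState | Format-Table -AutoSize

# Pick only the adapter that carries the Orion engine's address
$target = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $OrionNicIp }
if (-not $target) { throw "No IP-enabled adapter has address $OrionNicIp" }

if ($target.TcpipNetbiosOptions -eq 2) {
    "NetBIOS over TCP/IP is already disabled on '$($target.Description)'."
}
elseif ($Apply) {
    # Option 2 = disable NetBIOS over TCP/IP.
    # Return value 0 = success, 1 = success but a reboot is required.
    $result = Invoke-CimMethod -InputObject $target -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    if ($result.ReturnValue -notin 0, 1) {
        throw "SetTcpipNetbios failed with return value $($result.ReturnValue)"
    }
    'State after the change:'
    Get-NetbiosState | Where-Object IPAddress -like "*$OrionNicIp*" | Format-Table -AutoSize
}
else {
    "Would disable NetBIOS over TCP/IP on '$($target.Description)'. Re-run with -Apply to change it."
}
```

An adapter reported as `Default (from DHCP)` takes the setting from the DHCP server, so it can still have NetBIOS enabled.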

Check NTA Settings to make sure NetBIOS is disabled:

 

For more details, see the Thwack post below:

 

 

 

Last modified
04:46, 18 Jan 2017