Odd Port 139 Behavior

Hi everyone,
I've been running into some trouble with my university's IT department. They say that my Mac Mini (1.66GHz CoreDuo) has times when it's trying to connect to something via port 139 (netbios-ssn). They claim that it averages over 1 attempt per second. However, in all of my snooping, using Activity Monitor, Network Utility, and Little Snitch, I've never noticed anything odd. I do admit that I might not be observing it at the correct times, but I would like to get to the bottom of this. Currently my IT department has my computer "quarantined" and won't authorize it to access the network again until I can sort this out.
Have any of you heard of something like this before (the 139 connection attempts)?
Any help is GREATLY appreciated.
Thanks,
Dave DeLong

At least for me, anytime I use a file dialog I get a message from little snitch telling me that it's trying to connect to port 139 - so any time I try to open or save a document, etc. Little Snitch tells me that the program I'm using is trying to connect via port 139.
Same for when I try to choose a network printer.
The snitch tells me about connect attempts over port 139 quite often, but not once per second.
Finder is doubtless doing its own queries to "discover" what's out there on the network.
I have a hard time believing it's even an issue, as every Mac, Linux, and Unix box that tries to connect to the Windows shares on the network is going to have similar behavior. The Engineering department alone would be up in arms over such a policy. **** hath no fury like a few dozen EE students whose computers are banned.
First because it's asinine - a connection attempt over port 139 is fairly innocent; you have to discover what's on the CIFS/SMB (i.e. Windows shares) network somehow. Pretty much every non-Microsoft device (including Macs) that can access Windows shares uses "samba", which can be set to periodically ping the network to discover shares on the network. The whole point is so things "plug and play" without the IT manager having to do anything.
SMB/CIFS is a very chatty protocol to begin with...

Similar Messages

  • Odd Calc Order Behavior

    Hello all,
    I've put together a hybrid analysis cube and I'm experiencing some odd calc order behavior. It appears the years are calculating backwards.
    I load my 2007 end balances and calc forward three years. 2008 is correct, but 2009 and 2010 are incorrect. They are incorrect inasmuch as the calcs that require 2008/2009 end balances are incorrect. So I run the script again and now 2009 is right, but 2010 is incorrect. Then I run it once more and 2010 is correct.
    It appears the end balances for 2008 and 2009 aren't available for 2009 and 2010, respectively. Thus, I think 2010 is calcing first, but with no 2009 end bals, so it's off. Then 2009 goes, again no end bals, so it's off. Then 2008 calcs, and since 2007 end bals are in there, it's calcing correctly. Thus, I have to calc again two times for 2009 and 2010 to be correct.
    Here's my script:
    Fix (@IRSiblings("2008"),"ScenarioMbr")
    CALC ALL EXCEPT DIM("Years","Scenario");
    Endfix
    ScenarioMbr is a level 0 descendant of the Scenario dimension.
    Thanks for any help anyone has.

    I would suggest checking on your outline order. It sounds like your ending balance hasn't been calculated by the time the beginning balance needs it (as evidenced by your three passes). The order of members in your FIX statement has no bearing on the calculation order. By this, I mean make sure that your Years dimension is ordered as follows...
    Years
    + 2007
    + 2008
    + 2009
    + 2010
    Also, make sure that your periods (where your months are, assuming it is a different dimension) are located above your Years dimension.
    Lastly, how are you facilitating getting your Ending balances into your Beginning balances? Sometimes the sequencing for this type of work is important as well. For example, if your Ending Balance is a two-pass, it will not be ready until a second pass is done.
    If this doesn't help, maybe provide one of the BegBal members that isn't working, your outline order, the order of the Years dimension, and the dense/sparse settings (assuming BSO).
    Good Luck!!

  • Odd Junk Mail Behavior

    I've been experiencing odd Junk Mail behavior on my Mac; I've got the Mail app set so it puts the emails it thinks are Junk in the Junk folder. I do this because I've noticed that certain legitimate emails keep ending up in the Junk folder automatically.
    I've also noticed that some of the emails in the Junk folder have not actually been flagged as Junk Mail, they were not colored brown by the Junk Mail rule and there is no button available to tell Mail it's not Junk. How do I stop Mail from flagging something as Junk when it doesn't seem to tag it as Junk but it still ends up in the Junk folder?
    I see emails tagged as Junk in the Junk folder that are legit, so I click the "Not Junk" button and move them back to the proper mail folder. But the next time I get mail from the same source, it gets flagged and tagged as Junk again. I thought the Mail app learns from the training we give it. How do I resolve this situation?
    I've already set the Junk filtering to not filter emails from recipients who are in my Address Book.

    Either you’ve messed with the Preferences > Junk Mail > Advanced settings, or those settings have become corrupt, or you have one or more rules that have a bearing on this.
    Assuming it isn’t the latter, try this:
    1. Go to Preferences > Junk Mail, disable junk mail filtering, then enable it again. This resets the rule that governs what the junk filter does.
    2. Choose either Training or Automatic mode (it doesn’t matter) and leave the other options checked. Click Advanced to see how the junk filter rule is defined now if you want, but don’t touch anything there.
    3. Reset the junk filter database (Preferences > Junk Mail > Reset).

  • Ports 139 and 445 dangerous on Mac OS X?

    I have a Mac OS X iBook that is sharing files with Windows XP PC using SMB.
    When I start up my Mac the Norton Firewall ask me whether or not I want ports 139 and 445 to connect.
    I know that port 139 should not be open for a Windows computer because of the NetBIOS component.
    Are ports 139 and 445 dangerous for a Mac?
    iBook G4   Mac OS X (10.4.3)  

    You may want to create an item in /Library/StartupItems.
    See the following links for information:
    http://developer.apple.com/techpubs/macosx/Essentials/SystemOverview/BootingLogin/Customization_Techniques.html
    http://developer.apple.com/techpubs/macosx/Darwin/howto/system_starter_howto/system_starter_howto.html
    http://developer.apple.com/techpubs/macosx/Essentials/SystemOverview/BootingLogin/The_Boot_Sequence.html
    I have not tried this as yet.

  • Smbclient wants to connect to TCP port 139

    On my Powerbook, using Little Snitch under certain conditions (undetermined) I get the following message repeatedly, I am not connected to a network (except for Airport) or printer:
    The application "smbclient" wants to connect to 192.168.131.65 on TCP port 139 (netbios-ssn)
    What is this all about - thanks.
    PB G4 Al 17"    

    Airport is as much of a network as Ethernet is. Port 139 is the normal port for SMB connections. (At the terminal, try "grep 139 /etc/services".) What you want to do is figure out where your Powerbook was connecting to a Windows file or printer server on network 192.168.0.0 or 192.168.131.0. Are either of those the network address for your Airport network? You can see this in your Network settings.
    Login Items is the first place to look for an alias that might trigger an automated mount, but another application (other than the Finder) could be looking for a file server, too (as another poster mentioned). You could try to grep for "192.168.131.65" in all the files in your Preferences folder, except if you have 10.4 they might all be binary now and you'd have to convert them to xml text first, using plutil (again in Terminal).

  • E4200 How to close port 139 ?

    So finally that my E4200 is capable of disabling WPS, I run into another question.
    How to close ports 139 and 445?
    These are open by default and I didn't figure out how to close them in the browser setup.
    And YES, port 139 IS a security issue. People denying this are the same ones that denied any vulnerabilities in WPS.

    Well, in the router set up we can only open the port for any specific application. But there is no way in the router management page where we can close any specific ports for specific purpose.

  • How to close ports 139, 8290, and 10002

    Is there any way to close ports 139, 8290 and 10002 on a networked HP 2820? I work at a university and my department has been asked to close these ports. Is there any way to close these ports and still continue to print on both Mac and Windows platforms?
    Thanks for any advice.

    Well, in the router set up we can only open the port for any specific application. But there is no way in the router management page where we can close any specific ports for specific purpose.

  • Leopard sends outgoing messages to OpenDNS on port 139

    I noticed in some other threads comments about new outgoing network communications in Leopard that people were noticing in their router logs, Little Snitch, etc.
    One example...
    Every 5 minutes OS X 10.5 sends several packets to 208.69.32.137:139 (protocol 6).
    This is a TCP transmission to OpenDNS.com and appears to be related to the parental controls adult blocking feature. If adult blocking is turned off in System preferences, these packets go away.

    Can someone shed some light on why the repeated attempted accesses to OpenDNS.com on port 139 are necessary?
    I tested the adult blocking feature, while keeping outgoing port 139 blocked. Safari shows a custom OpenDNS page and gives the option to white list the page (with an administrator password of course). My router (via syslog) confirms the successful adult blocking. Also shown are the port 139 attempts:
    Nov 6 10:14:42 192.168.0.1 Tue Nov 06 10: 14:47 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:42 192.168.0.1 Tue Nov 06 10: 14:47 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:43 192.168.0.1 Tue Nov 06 10: 14:48 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:43 192.168.0.1 Tue Nov 06 10: 14:48 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:44 192.168.0.1 Tue Nov 06 10: 14:49 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:44 192.168.0.1 Tue Nov 06 10: 14:49 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:45 192.168.0.1 Tue Nov 06 10: 14:50 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:45 192.168.0.1 Tue Nov 06 10: 14:50 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:46 192.168.0.1 Tue Nov 06 10: 14:51 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:46 192.168.0.1 Tue Nov 06 10: 14:51 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:47 192.168.0.1 Tue Nov 06 10: 14:52 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:47 192.168.0.1 Tue Nov 06 10: 14:52 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:49 192.168.0.1 Tue Nov 06 10: 14:54 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:49 192.168.0.1 Tue Nov 06 10: 14:54 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:53 192.168.0.1 Tue Nov 06 10: 14:58 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49680 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:14:53 192.168.0.1 Tue Nov 06 10: 14:58 2007 D-Link System Log: Internet access port filter dropped packet from 192.168.0.123:49681 to 208.69.32.137:139 (protocol 6)
    Nov 6 10:15:21 192.168.0.1 Tue Nov 06 10: 15:26 2007 D-Link System Log: Web site playboy.com/ accessed from 192.168.0.123
    Nov 6 10:15:22 192.168.0.1 Tue Nov 06 10: 15:26 2007 D-Link System Log: Web site block.opendns.com/?url=8177669067809015688078&ablock accessed from 192.168.0.123
    Nov 6 10:15:22 192.168.0.1 Tue Nov 06 10: 15:26 2007 D-Link System Log: Web site block.opendns.com/controller.php?view=blocked_domain&url=817766906 accessed from 192.168.0.123
    Nov 6 10:15:22 192.168.0.1 Tue Nov 06 10: 15:26 2007 D-Link System Log: Web site block.opendns.com/favicon.ico accessed from 192.168.0.123
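An added example, not part of the original posts: a per-second rate for port 139 depends on whether you count dropped packets or distinct connections. This Python sketch parses lines in the router syslog format quoted above and reports both per source host; a source port that repeats toward the same destination is treated as one connection being retried (an interpretation made by this example). The sample lines, addresses, function names and the `year` default are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "port filter dropped packet" lines of the router syslog format.
DROP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"dropped packet from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) \(protocol (?P<proto>\d+)\)"
)

def parse_line(line, year=2007):
    """Return a dict for a dropped-packet line, or None for anything else.
    Syslog timestamps carry no year, so `year` is an assumption of this example."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": int(m["proto"])}

def summarize(lines, port=139):
    """Per source host: dropped TCP packets vs. distinct flows to `port`."""
    per_src = defaultdict(lambda: {"times": [], "flows": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6 or rec["dport"] != port:
            continue
        entry = per_src[rec["src"]]
        entry["times"].append(rec["when"])
        # Same source port + destination = the same connection being retried.
        entry["flows"].add((rec["sport"], rec["dst"], rec["dport"]))
    report = {}
    for src, entry in per_src.items():
        span = (max(entry["times"]) - min(entry["times"])).total_seconds()
        span = max(span, 1.0)  # avoid dividing by zero for a single-second burst
        report[src] = {
            "packets": len(entry["times"]),
            "flows": len(entry["flows"]),
            "packets_per_s": len(entry["times"]) / span,
            "flows_per_s": len(entry["flows"]) / span,
        }
    return report

def _sample_line(hms, src, sport, dst, dport=139):
    # Constructed line; all addresses are documentation ranges.
    return (f"Nov 6 {hms} 192.0.2.1 D-Link System Log: Internet access port filter "
            f"dropped packet from {src}:{sport} to {dst}:{dport} (protocol 6)")

def build_sample():
    lines = []
    # Host A: two connections to one server, each retried with growing gaps.
    for sec in (42, 43, 44, 46, 50):
        for sport in (49680, 49681):
            lines.append(_sample_line(f"10:14:{sec}", "192.0.2.23", sport, "198.51.100.7"))
    # Host B: a new source port and a new destination for every packet.
    for i in range(10):
        lines.append(_sample_line(f"10:14:{42 + i // 2}", "192.0.2.50",
                                  50000 + i, f"198.51.100.{10 + i}"))
    # Lines that must be ignored: another port, and a non-filter log entry.
    lines.append(_sample_line("10:14:45", "192.0.2.23", 49700, "198.51.100.7", dport=80))
    lines.append("Nov 6 10:15:21 192.0.2.1 D-Link System Log: "
                 "Web site example.com/ accessed from 192.0.2.23")
    return lines

if __name__ == "__main__":
    for src, stats in sorted(summarize(build_sample()).items()):
        print(src, stats)
```

On the constructed data, both hosts log 10 dropped packets, but host A accounts for 2 flows and host B for 10, which is the distinction to check before acting on a raw packet rate.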

  • Allow smbd connecting from x.x.x.x:51273 to port 139 proto=6

    Anybody know why this is showing up every few minutes in my Console? Those IPs are a mini in the family room (107) and a Mac Pro in the basement (2). This output is showing up on my Mac Pro in the office. I do have file sharing turned on, but not SMB file sharing. It's pretty wasteful to fill up my console log with this crap.
    2010/08/03 13:20:07 Firewall[80] Allow smbd connecting from 192.168.1.107:51273 to port 139 proto=6
    2010/08/03 13:21:34 Firewall[80] Allow smbd connecting from 192.168.1.2:51183 to port 139 proto=6
    2010/08/03 13:21:36 Firewall[80] Allow smbd connecting from 192.168.1.107:51274 to port 139 proto=6
    2010/08/03 13:23:06 Firewall[80] Allow smbd connecting from 192.168.1.107:51275 to port 139 proto=6
    2010/08/03 13:24:33 Firewall[80] Allow smbd connecting from 192.168.1.2:51185 to port 139 proto=6
    2010/08/03 13:26:07 Firewall[80] Allow smbd connecting from 192.168.1.107:51276 to port 139 proto=6
    2010/08/03 13:27:34 Firewall[80] Allow smbd connecting from 192.168.1.2:51199 to port 139 proto=6
    Message was edited by: Steve Mills - It's eating the square brackets around the "80"s.

    I'd like to know this too. I have found similar entries in my firewall log. Probably something trivial and unimportant but I'd like to know for reassurance.

  • Ports 139 and 445 open

    Did a scan of my router and ports 139 and 445 are open. I obviously don't want them to be but how do I close them?

    I didn't think you were doing an internal scan. Ports need to be opened on the inside of your network to allow the router's many services.
    For security you should run the scan jlbjlb recommended.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Odd port behavior

    My computer is constantly trying to send my full name to this address: 224.0.0.251 ( registered as IANA--the port folks.) It is normally sent as port 5353, or https.
    (I know the information going out is my name because I have it marked as protected information in my Netbarrier firewall.)
    Even more odd, the outgoing location is identified as "localhost" and not my usual airport 10.0.1.x.
    The interface is listed as either the regular en1, but also sometimes as lo0.
    also, intriguingly, once it was sent as IGMP, rather than UDP, and to port 22, rather than port 80.
    I'm confused. Can anyone tell me what gives?

    I'm an idiot. Duh! It's my home address.

  • Odd storage space behavior for flash drive in USB port of E4200

    Using Mac OS 10.6.8 on a MacPro 2x2.8 ghz quad core intel xeon with 20GB ram
    I have a Linksys E4200 with Linksys Smart WiFi
    I have an unknown brand USB Flash drive in the E4200 router. The USB Storage status tab reads I have used 68MB of 1.87GB of storage space. The Mac Finder window reads the drive as having 2.8MB available. I have refreshed, disconnected and reconnected many times.
    I tried to copy a 49.5GB TIF file into the drive through the Finder and I get this error:
    Then I tried to copy a 2.8MB PDF file and got the same error.
    Keep in mind I was just able to copy this over yesterday--and delete it. Now I cannot copy it over. This same incident of the router changing its mind happened with multiple folders and various files. First it doesn't take it. Then it takes it. Then it doesn't take it.
    Here's a weird error I got when trying to copy a game emulator:
    When I refresh in Linksys Smart Wifi, I am still told there is plenty of space.
    Now I deleted everything in the drive and successfully copied over a bunch of tiny 233KB files. Smart Wifi shows over 1GB of space remaining.
    Then I tried to copy a 160MB folder of small data files. Got the same not enough space error. So I tried a 7.5MB file. Same space error.
    Does anyone have any clue why this is happening? I tried to search the forum and did not find anything similar.

    If that's the storage device then that's ok. From what you have posted this is just a 2GB usb flash stick. So if you cannot copy more files to it, it could either be the file format  you are transferring is not supported or the disc space is not enough. Connect the flash drive directly to your computer and test it that way. If you still cannot copy any files then I suggest that you reformat the usb flash stick.

  • Nexus 5000 - Odd Ethernet interface behavior (link down inactive)

    Hi Guys,
    This would sound really trivial but it is very odd behavior.
    - We have a server connected to 2 Nexus 5000s (for resiliency)
    - When there is no config on the ethernet interfaces whatsoever, the ethernet interface is UP / UP, there is minimal amount of traffic on the link etc. E.g.
    Ethernet1/16 is up
      Hardware: 1000/10000 Ethernet, address: 000d.ece7.85d7 (bia 000d.ece7.85d7)
      Description: shipley-p1.its RK14/A13
      MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      full-duplex, 10 Gb/s, media type is 1/10g
      Beacon is turned off
      Input flow-control is off, output flow-control is off
      Rate mode is dedicated
      Switchport monitor is off
      Last link flapped 00:00:07
      Last clearing of "show interface" counters 05:42:32
      30 seconds input rate 0 bits/sec, 0 packets/sec
      30 seconds output rate 96 bits/sec, 0 packets/sec
      Load-Interval #2: 5 minute (300 seconds)
        input rate 0 bps, 0 pps; output rate 8 bps, 0 pps
      RX
        0 unicast packets  0 multicast packets  0 broadcast packets
        0 input packets  0 bytes
        0 jumbo packets  0 storm suppression packets
        0 runts  0 giants  0 CRC  0 no buffer
        0 input error  0 short frame  0 overrun   0 underrun  0 ignored
        0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
        0 input with dribble  0 input discard
        0 Rx pause
      TX
        0 unicast packets  163 multicast packets  0 broadcast packets
        163 output packets  15883 bytes
        0 jumbo packets
        0 output errors  0 collision  0 deferred  0 late collision
        0 lost carrier  0 no carrier  0 babble
        0 Tx pause
      1 interface resets
    - As soon as I configure the link to be an access port, the link goes down, flagging "inactivity" E.g.
    sh int e1/16
    Ethernet1/16 is down (inactive)
      Hardware: 1000/10000 Ethernet, address: 000d.ece7.85d7 (bia 000d.ece7.85d7)
      Description: shipley-p1.its RK14/A13
      MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      auto-duplex, 10 Gb/s, media type is 1/10g
      Beacon is turned off
      Input flow-control is off, output flow-control is off
      Rate mode is dedicated
      Switchport monitor is off
      Last link flapped 05:38:03
      Last clearing of "show interface" counters 05:41:33
      30 seconds input rate 0 bits/sec, 0 packets/sec
      30 seconds output rate 0 bits/sec, 0 packets/sec
      Load-Interval #2: 5 minute (300 seconds)
        input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
      RX
        0 unicast packets  0 multicast packets  0 broadcast packets
        0 input packets  0 bytes
        0 jumbo packets  0 storm suppression packets
        0 runts  0 giants  0 CRC  0 no buffer
        0 input error  0 short frame  0 overrun   0 underrun  0 ignored
        0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
        0 input with dribble  0 input discard
        0 Rx pause
      TX
        0 unicast packets  146 multicast packets  0 broadcast packets
        146 output packets  13083 bytes
        0 jumbo packets
        0 output errors  0 collision  0 deferred  0 late collision
        0 lost carrier  0 no carrier  0 babble
        0 Tx pause
      0 interface resets
    - This behavior is seen on both 5Ks
    - I've tried using a different set of ports, changed SFPs, and fibre cabling to no avail
    - I can't seem to understand this behavior?!  In that, why would configuring the port cause the link to go down?
    - If anyone has experienced this before, or could shed some light on this behavior, it would be appreciated.
    sh ver
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.2.0
      loader:    version N/A
      kickstart: version 4.2(1)N1(1)
      system:    version 4.2(1)N1(1)
      power-seq: version v1.2
      BIOS compile time:       06/19/08
      kickstart image file is: bootflash:/n5000-uk9-kickstart.4.2.1.N1.1.bin
      kickstart compile time:  4/29/2010 19:00:00 [04/30/2010 02:38:04]
      system image file is:    bootflash:/n5000-uk9.4.2.1.N1.1.bin
      system compile time:     4/29/2010 19:00:00 [04/30/2010 03:51:47]
    thanks
    Sheldon

    I had identical issue
    Two interfaces on two different FEXes were INACTIVE. I have two Nexus 5596 in vPC and A/A FEXes.
    I also use config-sync feature.
    Very same configuration was applied to other ports on other FEXes and they were working with no problems.
    interface Ethernet119/1/1
      inherit port-profile PP-Exchange2003
    I checked VLAN status associated with this profile and it was active (of course it was, other ports were ok).
    I solved it by removing port profile from this port and re-applied it... voila, port changed state to up!
    Very very strange.

  • Odd battery/charge behavior

    Something odd happened today with my MBP (2011)...  I'm working away with it while it's plugged into power and all of a sudden it starts charging... but I never unplugged it or lost power or anything (and it's on a mondo UPS anyway).
    It's been showing 98% instead of 100%, but showing "fully charged" with a green light and from reading the articles from Apple this is totally normal.  I did manage to get it to show 100% after a SMC reset, but after a subsequent reboot it went back to 98%.  Anyway, it actually looks like it's going to charge to 100% now (99% and still showing orange light).
    Has anyone seen this behavior?  Normal?  Something to consider going to Apple store about?
    Thanks.

    I understand the system will charge when it needs to, but in all my days with MacBooks and the like I've never seen one up and start charging AFTER being plugged in for several days and without any provocation (i.e. unplugging it for a few minutes).
    My battery info all looks really good and the condition says "normal" so as long as "normal" is the same as "good" then it's probably fine.  Still odd, but fine.

  • Odd Smart Mailbox Behavior

    I receive a lot of mail with attachments so I created a Smart Mailbox with the following conditions -- ALL must be met:
    1. Contains Attachments
    2. Date Received is not in the last 2 weeks
    My goal is to keep my mail intact for 2 weeks, and then delete the attachments so I can save disk space.
    The Smart Mailbox works but not as I expected. I would assume that every day there would be at least one message that meets the conditions since I receive at least one attachment per day. What actually occurs is that the Smart Mailbox only shows mail every two weeks but some of the messages are older than two weeks -- as old as four weeks. The behavior seems odd to me.
    Any suggestions?
      Mac OS X (10.4.3)  

    If it's "not in the last 2 weeks" then it'll show messages older than the last 2 weeks. Do you want to show messages that are 2 weeks old? If yes, then change "not in the last 2 weeks" to "is exactly 2 weeks".
