NETGEAR RT328 manual Protocol 17, or 11h =UDP, 05 00 1F 11 CC 9D 8D FB 17, 00 89 00

Filter.fm Page 10 Tuesday, October 10, 2000 3:25 PM

Reference Guide for the Model RT328 and Model RH348 ISDN Routers

You can wait until an erroneous call is placed, then examine this packet header to determine the source and cause. The IP packet header contains information such as the next-level protocol type (for example, ICMP, TCP, UDP), source and destination addresses, and source and destination port numbers. Analyzing this data reveals the cause of the call, which provides the user with an approach to eliminating the calls. For example, the first line of the packet shows the following (hex values converted to decimal):

Bold characters denote source IP (141.251.23.18=local PC).

Bold characters denote destination IP (207.69.188.185=DNS server).

Bold characters denote source port number (137 or 89h=NetBIOS name service).

Bold characters denote destination port number (53, or 35h=DNS).

This packet represents a NetBIOS name service request from a local PC to the DNS server of the ISP. An initial strategy for blocking this type of call would be to set up a call filter to prevent calls from being originated by UDP packets with a source port of 137 (NetBIOS name service). Further investigation would reveal that other ports are associated with NetBIOS services, and these ports should be blocked, too.

A comprehensive list of protocol and port numbers for common IP traffic can be found in IETF RFC1700, “Assigned Numbers.” Many common port numbers are also listed on any Windows PC

in a file called \windows\services. In the case of filtering NetBIOS traffic, the relevant ports are:

•137 (TCP and UDP) NetBIOS Name Service

•138 (TCP and UDP) NetBIOS Datagram Service

•139 (TCP and UDP) NetBIOS Session Service