
CIFS traffic or a monster on the link?

binarysoul Member Posts: 993
In recent weeks I've seen a considerable amount of CIFS traffic in some of our sites, mostly on port 445. No thanks to Microsoft, but it seems to me that a pile of different services and applications are integrated under port 445. Now I understand port 445 can be a vulnerability, but security is not a concern [at least not my responsibility]. It's been called a very 'chatty' protocol. Some ISPs do block this port on behalf of their users.

So when I see 4 GB of CIFS traffic through port 445, how do I know what it was used for? Is it file sharing, print sharing, application sharing or something else? It appears to me that some local system admins have deployed all kinds of servers without realizing the flow of data on the link or without consulting with the network group. How do I spell collaboration? :)

Comments

    Ahriakin Member Posts: 1,799
    That's why it's important to understand enough about the network as a whole to be able to place traffic in context; ports alone aren't enough. I'd look at the source and destination IPs and see if that traffic was appropriate for their functions or not. Also, you mentioned ISPs blocking that port; your own security team should be blocking it on every egress point too.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    rossonieri#1 Member Posts: 799
    binarysoul wrote:
    In recent weeks I've seen a considerable amount of CIFS traffic in some of our sites, mostly on port 445.

    Almost the same problem, except not on 445 but 5050 (you know),
    using both IE and Firefox: is that a bug, or did I miss something?
    So when I see 4 GB of CIFS traffic through port 445, how do I know what it was used for? Is it file sharing, print sharing, application sharing or something else?

    I've tried to capture the traffic myself using tcpdump, but the best output you can get is SA/DA and SP/DP, so you will have to make sure that it is only local intranet and your traffic is not flowing to the outer world.

    HTH.
    The more I know, the more and more I don't know.
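An added example (not code from any poster in this thread) that does the two things the replies above suggest: it takes tcpdump-style lines, which as rossonieri#1 notes only give addresses, ports and lengths, sums the bytes per client/server pair on port 445 so the pairs can be judged in context as Ahriakin suggests, and flags any pair whose server side is outside RFC 1918 space, i.e. SMB leaving the intranet. The packet lines are constructed for the example; the line format assumed is the default single-line IPv4 TCP summary from `tcpdump -nn -tt 'tcp port 445'`.

```python
"""Aggregate SMB/CIFS (TCP 445) bytes per client/server pair from tcpdump-style
summary lines and flag pairs whose server is not in RFC 1918 address space.

Added example for the thread above. The SAMPLE_LINES below are constructed,
not captured from any real network, and the line format is an assumption
(tcpdump -nn -tt single-line IPv4 TCP output).
"""
import ipaddress
import re
import sys
from collections import defaultdict

SMB_PORT = 445

# RFC 1918 only; the stdlib's is_private also covers TEST-NET and other
# special-purpose blocks, which is not what "local intranet" means here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "<ts> IP <src>.<sport> > <dst>.<dport>: ... length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):.*?length (?P<len>\d+)$"
)

# Constructed sample: two internal file-server pairs, one SMB flow to an
# address outside RFC 1918 space, and one non-SMB packet that must be ignored.
SAMPLE_LINES = """\
1700000000.000100 IP 10.0.1.25.49152 > 10.0.2.10.445: Flags [P.], seq 1:1461, ack 1, win 512, length 1460
1700000000.000200 IP 10.0.2.10.445 > 10.0.1.25.49152: Flags [.], ack 1461, win 512, length 0
1700000000.000300 IP 10.0.1.25.49152 > 10.0.2.10.445: Flags [P.], seq 1461:2921, ack 1, win 512, length 1460
1700000000.000400 IP 10.0.1.77.50001 > 10.0.2.11.445: Flags [P.], seq 1:201, ack 1, win 512, length 200
1700000000.000500 IP 10.0.1.25.49153 > 203.0.113.9.445: Flags [P.], seq 1:501, ack 1, win 512, length 500
1700000000.000600 IP 10.0.1.25.49154 > 10.0.2.10.80: Flags [P.], seq 1:101, ack 1, win 512, length 100
"""


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def aggregate_smb(text: str) -> dict:
    """Sum payload bytes in both directions per (client, server) pair on TCP 445.

    Packets whose destination port is 445 are client->server; packets whose
    source port is 445 are server->client and are credited to the same pair.
    Anything not involving port 445 is ignored.
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank, truncated or non-IPv4/TCP line
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == SMB_PORT:
            key = (m["src"], m["dst"])
        elif sport == SMB_PORT:
            key = (m["dst"], m["src"])
        else:
            continue
        totals[key] += int(m["len"])
    return dict(totals)


def summarize(text: str) -> list:
    """Return [(client, server, bytes, external)] sorted by bytes, largest first.

    'external' is True when the server side is outside RFC 1918 space, which
    is SMB traffic that should not be crossing an egress point.
    """
    rows = [
        (client, server, nbytes, not is_rfc1918(server))
        for (client, server), nbytes in aggregate_smb(text).items()
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    # Pipe real tcpdump output in, or run with no stdin to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINES
    for client, server, nbytes, external in summarize(data):
        flag = "  <-- leaves RFC1918 space" if external else ""
        print(f"{client:>15} -> {server:<15} {nbytes:>10} bytes{flag}")
```

Once the heaviest pairs are known, the next step is the one Ahriakin describes: check whether each server IP is actually a file server, print server or something a local admin stood up without telling the network group. Which SMB operation the bytes belong to (file read, print spool, named-pipe RPC) is not visible at the address/port level; that needs an SMB-aware dissector on a full capture, not a summary line.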