Finder via nmblookup - WTH? :p (Answered)

Discussion in 'Mac Pro' started by Tesselator, Aug 16, 2009.

  1. Tesselator macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #1
    Restarted my mac from running bootcamp and the attached image popped up. This is the Little Snitch UIAgent catching something. WTH is this tho?


    In plain simple english please! Just telling me that the nmblookup program resolves NetBIOS names into IP addresses is the obvious bit. What is it doing and why?

    If I who-is the IP I get this:

    http://who.is/whois-ip/ip-address/172.16.186.255/

    And I'm just ignorant enough to not be enlightened AT ALL by any of the information there.

    Any ideas?
     

    Attached Files:

  2. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #2
    Upon further investigation I found out that according to RFC 1918 the address in question is local kinda thing:


    RFC 1918 Address Allocation for Private Internets February 1996

    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)​
    https://www.arin.net/knowledge/rfc/rfc1918.txt



    Could this be the kids on their Nintendo DS's ??
     
  3. seisend macrumors 6502a

    seisend

    Joined:
    Feb 20, 2009
    Location:
    Switzerland, ZG
    #3
    No idea, but had that too with Little Snitch. ;-)
     
  4. NOD macrumors member

    Joined:
    Jul 20, 2008
    #4
    Does anyone actually get anything positive from Little Snitch?:confused:
     
  5. Cindori macrumors 68040

    Cindori

    Joined:
    Jan 17, 2008
    Location:
    Sweden
    #5

    block E.T in t0rrented software
     
  6. grue macrumors 65816

    Joined:
    Nov 14, 2003
    Location:
    Somewhere.
    #6


    Absolutely. I like to know what software is calling home, and more importantly I like knowing what software is calling places besides home
     
  7. bearcatrp macrumors 68000

    Joined:
    Sep 24, 2008
    Location:
    Boon Docks USA
    #7
    This is interesting, so did a google search. Here is and interesting read...
    http://seclists.org/incidents/2002/Sep/0058.html

    Black hole or not, my guess is something along the lines as big brother checking folks out, but that's my guess.
     
  8. tobyg macrumors 6502a

    Joined:
    Aug 31, 2004
    #8
    nmblookup is related to Samba and Windows File sharing on your local network. 172.16.186.x is probably bound either to your local network or Parallels/VMware virtual network adapters used for NAT. In terminal run ifconfig and check what adapters you have.

    It's sending to 172.16.186.255 which is the broadcast address.

    This is nothing to worry about. As you found out, 172.16.x.x/255.240.0.0 are reserved addresses and won't go out to the Internet.
     
  9. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #9
    Yeah, I've read a host of explanations from the government is spying on you to you should allow it for proper network functionality.

    Neither one tell me anything. They're both assuming and rather dumb. I want to know what EXACTLY triggered Finder to connect to that address and what the purpose SPECIFICALLY is. From there then I can make assumptions rational or irrational. ;)

    BTW, now it happens 100% of the time whenever finder starts or restarts - so it's not a fluke thing. :eek:
     
  10. Nugget macrumors 65816

    Nugget

    Joined:
    Nov 24, 2002
    Location:
    Houston Texas USA
    #10
    It's finder looking for neighboring machines on your local network, trying to populate the "SHARED" section of the finder sidebar. Totally innocuous.

    This whole thread makes me wonder how useful Little Snitch truly is if the user is not able to make sense of the information it provides.

    "A little learning is a dangerous thing; drink deep, or taste not the Pierian spring: there shallow draughts intoxicate the brain, and drinking largely sobers us again." -- Alexander Pope
     
  11. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #11
    Hmmm, yeah, I get this:

    vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.79.1 netmask 0xffffff00 broadcast 172.16.79.255
    ether 00:50:56:c0:00:08 ​
    vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.185.1 netmask 0xffffff00 broadcast 172.16.185.255
    ether 00:50:56:c0:00:01 ​


    So I still don't understand though. Parallels is establishing those IP addresses for what? And what has Finder got to do with it? Why would Finder want to send anything to those addresses?
     
  12. tobyg macrumors 6502a

    Joined:
    Aug 31, 2004
    #12
    http://www.islandjohn.com/islandjoh...es_Finder_Automatically_Launch_smbclient.html

    nmdlookup is attempting to find a master browser, and it does this by sending a broadcast to the locally attached networks.

    vmnet adapters are virtual adapters used to either NAT your VM's to your local network or give your VM's host-only access. In VMware vmnet8 is the NAT adapter, vmnet1 is the host-only network adapter.

    If I were you, I would go into little snitch and add these as local networks so little snitch doesn't alert you to anything their doing. Little Snitch is really only most effective to report traffic destine for somewhere not-local, such as on the internets somewhere.

    By the way, this question you have here isn't really a Mac Pro specific question and probably shouldn't be in this forum.
     
  13. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #13
    But it never did this before. And I haven't updated Parallels or anything. What? It just now started working? Sounds odd.


    I would agree with you but for one thing. Since when has ANY networking information or explanation been understandable and plain in any application? I've used 100's of them and none of them make any sense to me. I have to guess every time and it's never EVER at any time been clear what was going on.

    When Little Snitch pops up and says Adobe Updater wants to connect to www.adobe_update.com on port 666 that's guessable at least. It doesn't ever under any circumstance clarify the actual purpose. Maybe Adobe wants the entire listing of my HDD contents? Maybe they want a copy of a letter I sent to my Grandma? Who the hell knows? No one! When the information is even more generic like finder wants to connect to 172.16.186.255 that there's nothing to even guess about. This is NOT specific to Little Snitch! All logs, all apps, all snoopers, all networking utilities are just as lame - and some are even lamer!!!
     
  14. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #14
    What is a "master browser" and what is it's purpose?

    OK, so that explains what is at those addresses. Why would finder send something or poll them? Just to populate the "SHARED" section like Nugget is saying? And why didn't it ever do this before? Nothing's changed. <shrug>


    Yeah, I guessed as much after thinking about it. Sorry about that.
     
  15. Nugget macrumors 65816

    Nugget

    Joined:
    Nov 24, 2002
    Location:
    Houston Texas USA
    #15
    With your level of (mis)understanding perhaps you'd be better served if your first reaction wasn't panic and concern over every little byte of information that emits from your ethernet port. I guarantee that Adobe doesn't care at all about your letter to your grandmother and (hypothetically) if they did little snitch wouldn't be how you found out.

    If you do truly want to maintain this level of control over your networking activities then you're simply going to have to develop a better understanding of TCP/IP and internet protocols. Until then, I guess you'll just have to suffer from having a heart attack every time your computer wants to see if there's a network printer or shared storage on your LAN.

    Little Snitch is a useful tool for a narrow range of privacy tasks (hiding pirated software you want to run, for example) but as a general purpose security tool it's not really appropriate for exactly the challenges you point out.

    This is not "generic" information. It's just information you lack the background to understand.
     
  16. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #16
    OK, I found the answer to this question:

    Browser Services

    Browser service is a provider of a list of network resources which does not affect access. Browse List - A list of available resources on the network domain. The size of this list is limited to 64K limiting the number of domain computers to 2000 to 3000.

    • Master Browser - Maintains the main or master list of computers and shared resources. All workgroups or domains have one master browser. A new resource list is sent to the backup browsers every 15 minutes. A client will not be removed from the resource list for 3, 12 minute periods. Another domain master will wait 3 15 minute periods of no response from a domain master browser before removing the domain resources from its list. The client will first go to the master browser which will give the client a list of backup browsers.
    • Domain Master Browser - The master browser for a domain. The primary domain controller (PDC) in a domain network always wins elections to become the domain master browser.
    • Subnet Browser or Local Master Browser - Works on a subnet providing resource lists to the clients and keeping the Domain Master Browser updated with resource lists. This is normally a backup domain controller (BDC). This browser must have support for a routable protocol such as TCP/IP or IPX/SPX. An assumption here is that the domain master browser is on a different subnet.
    • Backup Browser - The domain master browser sends a copy of the browse list to the backup browser periodically in case the master fails. This browser is also responsible for passing the browse list to clients.
    • Potential Browser - A computer that may become a master or backup browser.
    • Non-Browser - A computer that will never become a browser.


    I see. So, I'm not allowed to do that learning here? And if I do then I'm panicking? And since you are not Adobe I'll take your guarantee a completely worthless. :) And if Adobe did want that it probably would indeed be little snitch that lead to the awareness of it. I do appreciate the help you offered but I don't dig being kicked at the same time. I already know I know nothing about networking (and need to learn) and said as much in the initial post.
     
  17. bearcatrp macrumors 68000

    Joined:
    Sep 24, 2008
    Location:
    Boon Docks USA
    #17
    He has every right to know why this happened. He's just asking for information on this so he understands. Instead of blowing him off, point him to information that helps explain this. Microsoft was caught years ago getting information from peoples computers, and am pretty sure other companies have so too. Not to mention big brother always peeking into our lives by one means or another. Its to the point of keeping your main computer off line so they don't get information on whats on there. Might as well use a honeypot to get your updates you need and watch this to see whats being check.
     
  18. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #18
    It's both! Of course I don't understand it. Not sure I want to fill my head with networking BS (or "background" as you put it) either. You're talking hundreds of thousands of single spaced small-type pages, perhaps millions.

    It's generic in that there is no purpose mentioned and no data displayed. There almost never is in any monitoring app. And when there is it may indeed very well be completely meaningless binary stings. Source address, destination address, and calling app is about as generic as you can get!
     
  19. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #19

    Yup! And MS was exposed for incorporating government backdoors into every server shipped since NT 3.x too and AFAIK still stand guilty of doing so. But I wasn't too worried about that here. I assume Apple isn't doing this. At least I've never heard issues raised. I was just trying to figure out what and why. As an end user of Apple computers I would suspect russian pornographers before the US Government of trying to gain illegal access. :p


    Anyway, thanks to Nugget and Toby G., I think I have a much better idea of what is going on. Thanks guys!
     
  20. bearcatrp macrumors 68000

    Joined:
    Sep 24, 2008
    Location:
    Boon Docks USA
    #20
    Actually, apple did get popped with itunes collecting data a few years ago. There was a way to turn it off too. Yeah, who know's what gets transmitted theses days. I did find a interesting article about vista and phoning home...
    http://news.softpedia.com/news/Forg...s-Harvest-User-Data-for-Microsoft-58752.shtml . I really don't care if they scan my stuff (if its being done). They get a record from the isp's anyways to see where you've been surfin. More power to 'em.
     
  21. TheStrudel macrumors 65816

    TheStrudel

    Joined:
    Jan 5, 2008
    #21
    It occurs to me that there's a potential opportunity for Little Snitch and other such software to add a killer feature - explanations of these sort of widely documented, somewhat known things.

    I'm a reasonably adept computer user (granted, not a programmer), but everything network related is like a black box to me. I know I'm not the only one, either - especially in video/photo/design related industries.
     
  22. Tesselator thread starter macrumors 601

    Tesselator

    Joined:
    Jan 9, 2008
    Location:
    Japan
    #22
    Of course not. Even people who think they know only really know a small section. The information is VAST and the acronyms are multitudinous!

    In a world where ZIP means "AppleTalk Zone Information Protocol" and people are expected to understand diagrams like:

    [​IMG]
    there's bound to be a clueless majority and a few questions. :D


    The problem with getting monitors to be more intelligent and informative is a combination of a chicken and egg problem and data analysis. To know what an app is sending or receiving you have to analyze the data being sent. But to do that you have to have the data. But to have the data it has to have already been sent. You could fool it into thinking it was connected to something maybe if you knew the exchange protocols and keys and then analyze that I suppose. Sounds incredibly difficult and troublesome. I guess you could snoop it and inform the user what was done after the fact easily enough?


    .
     
  23. pup500 macrumors newbie

    pup500

    Joined:
    May 8, 2016
    Location:
    USA, CA, San Francisco
    #23
    Tesselator's frustration is felt by a large number of people. I'm one of them. Also, it is important to know what services are requesting access to network connections and why. The risks one can afford to take with their computer is conditional, based on where/how it's used.
     

Share This Page