
Tesselator

Restarted my mac from running bootcamp and the attached image popped up. This is the Little Snitch UIAgent catching something. WTH is this tho?


In plain simple English please! Just telling me that the nmblookup program resolves NetBIOS names into IP addresses is the obvious bit. What is it doing and why?

If I who-is the IP I get this:

http://who.is/whois-ip/ip-address/172.16.186.255/

And I'm just ignorant enough to not be enlightened AT ALL by any of the information there.

Any ideas?
 

Attachment: Little Snitch UIAgentSnapz_001.jpg

Upon further investigation I found out that according to RFC 1918 the address in question is local kinda thing:


RFC 1918 Address Allocation for Private Internets February 1996

3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
https://www.arin.net/knowledge/rfc/rfc1918.txt



Could this be the kids on their Nintendo DS's ??
 
nmblookup is related to Samba and Windows File sharing on your local network. 172.16.186.x is probably bound either to your local network or Parallels/VMware virtual network adapters used for NAT. In terminal run ifconfig and check what adapters you have.

It's sending to 172.16.186.255 which is the broadcast address.

This is nothing to worry about. As you found out, 172.16.x.x/255.240.0.0 are reserved addresses and won't go out to the Internet.
 
Yeah, I've read a host of explanations from the government is spying on you to you should allow it for proper network functionality.

Neither one tells me anything. They're both assuming and rather dumb. I want to know what EXACTLY triggered Finder to connect to that address and what the purpose SPECIFICALLY is. From there then I can make assumptions rational or irrational. ;)

BTW, now it happens 100% of the time whenever finder starts or restarts - so it's not a fluke thing. :eek:
 
It's finder looking for neighboring machines on your local network, trying to populate the "SHARED" section of the finder sidebar. Totally innocuous.

This whole thread makes me wonder how useful Little Snitch truly is if the user is not able to make sense of the information it provides.

"A little learning is a dangerous thing; drink deep, or taste not the Pierian spring: there shallow draughts intoxicate the brain, and drinking largely sobers us again." -- Alexander Pope
 
nmblookup is related to Samba and Windows File sharing on your local network. 172.16.186.x is probably bound either to your local network or Parallels/VMware virtual network adapters used for NAT. In terminal run ifconfig and check what adapters you have.

It's sending to 172.16.186.255 which is the broadcast address.

This is nothing to worry about. As you found out, 172.16.x.x/255.240.0.0 are reserved addresses and won't go out to the Internet.

Hmmm, yeah, I get this:

vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.79.1 netmask 0xffffff00 broadcast 172.16.79.255
    ether 00:50:56:c0:00:08
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.185.1 netmask 0xffffff00 broadcast 172.16.185.255
    ether 00:50:56:c0:00:01

So I still don't understand though. Parallels is establishing those IP addresses for what? And what has Finder got to do with it? Why would Finder want to send anything to those addresses?
 
Hmmm, yeah, I get this:

vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.79.1 netmask 0xffffff00 broadcast 172.16.79.255
    ether 00:50:56:c0:00:08
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.185.1 netmask 0xffffff00 broadcast 172.16.185.255
    ether 00:50:56:c0:00:01

So I still don't understand though. Parallels is establishing those IP addresses for what? And what has Finder got to do with it? Why would Finder want to send anything to those addresses?

http://www.islandjohn.com/islandjoh...es_Finder_Automatically_Launch_smbclient.html

nmblookup is attempting to find a master browser, and it does this by sending a broadcast to the locally attached networks.

vmnet adapters are virtual adapters used to either NAT your VM's to your local network or give your VM's host-only access. In VMware vmnet8 is the NAT adapter, vmnet1 is the host-only network adapter.

If I were you, I would go into little snitch and add these as local networks so little snitch doesn't alert you to anything they're doing. Little Snitch is really only most effective to report traffic destined for somewhere not-local, such as on the internets somewhere.

By the way, this question you have here isn't really a Mac Pro specific question and probably shouldn't be in this forum.
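
A triage helper for the kind of prompt discussed in this thread, added here as an example and not part of any poster's reply: it parses the ifconfig excerpt posted above, then reports whether a destination is RFC 1918 private and whether it is the broadcast address of one of the listed adapters. The function names are hypothetical, and only the two vmnet adapters quoted in the thread are included, so an address on any other adapter reports as not listed.

```python
import ipaddress
import re

# ifconfig excerpt as posted in the thread (the two vmnet adapters only).
IFCONFIG_SAMPLE = """\
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 172.16.79.1 netmask 0xffffff00 broadcast 172.16.79.255
\tether 00:50:56:c0:00:08
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 172.16.185.1 netmask 0xffffff00 broadcast 172.16.185.255
\tether 00:50:56:c0:00:01
"""

# The three private blocks quoted from RFC 1918 in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ifconfig(text):
    """Return {interface: IPv4Network} from macOS/BSD-style ifconfig output."""
    nets, iface = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+?):\s+flags=", line)
        if m:
            iface = m.group(1)
            continue
        m = re.search(r"inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})", line)
        if m and iface:
            # The hex netmask is assumed contiguous; its set bits give the prefix.
            prefix = bin(int(m.group(2), 16)).count("1")
            nets[iface] = ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False)
    return nets


def classify(dest, nets):
    """Summarise a destination address for triaging a firewall prompt."""
    ip = ipaddress.ip_address(dest)
    result = {"rfc1918": any(ip in n for n in RFC1918),
              "interface": None, "kind": "not on a listed interface"}
    for iface, net in nets.items():
        if ip in net:
            result["interface"] = iface
            result["kind"] = ("subnet broadcast" if ip == net.broadcast_address
                              else "host on attached subnet")
    return result


if __name__ == "__main__":
    adapters = parse_ifconfig(IFCONFIG_SAMPLE)
    for dest in ("172.16.79.255", "172.16.186.255"):
        print(dest, classify(dest, adapters))
```

On the posted excerpt, 172.16.186.255 is private but matches neither vmnet8 nor vmnet1, so the adapter that owns that subnet would have to appear elsewhere in the full ifconfig output.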
 
It's finder looking for neighboring machines on your local network, trying to populate the "SHARED" section of the finder sidebar. Totally innocuous.

But it never did this before. And I haven't updated Parallels or anything. What? It just now started working? Sounds odd.


This whole thread makes me wonder how useful Little Snitch truly is if the user is not able to make sense of the information it provides.

I would agree with you but for one thing. Since when has ANY networking information or explanation been understandable and plain in any application? I've used 100's of them and none of them make any sense to me. I have to guess every time and it's never EVER at any time been clear what was going on.

When Little Snitch pops up and says Adobe Updater wants to connect to www.adobe_update.com on port 666 that's guessable at least. It doesn't ever under any circumstance clarify the actual purpose. Maybe Adobe wants the entire listing of my HDD contents? Maybe they want a copy of a letter I sent to my Grandma? Who the hell knows? No one! When the information is even more generic like finder wants to connect to 172.16.186.255 then there's nothing to even guess about. This is NOT specific to Little Snitch! All logs, all apps, all snoopers, all networking utilities are just as lame - and some are even lamer!!!
 
http://www.islandjohn.com/islandjoh...es_Finder_Automatically_Launch_smbclient.html

nmblookup is attempting to find a master browser, and it does this by sending a broadcast to the locally attached networks.

What is a "master browser" and what is its purpose?

vmnet adapters are virtual adapters used to either NAT your VM's to your local network or give your VM's host-only access. In VMware vmnet8 is the NAT adapter, vmnet1 is the host-only network adapter.

If I were you, I would go into little snitch and add these as local networks so little snitch doesn't alert you to anything they're doing. Little Snitch is really only most effective to report traffic destined for somewhere not-local, such as on the internets somewhere.

OK, so that explains what is at those addresses. Why would finder send something or poll them? Just to populate the "SHARED" section like Nugget is saying? And why didn't it ever do this before? Nothing's changed. <shrug>


By the way, this question you have here isn't really a Mac Pro specific question and probably shouldn't be in this forum.

Yeah, I guessed as much after thinking about it. Sorry about that.
 
I would agree with you but for one thing. Since when has ANY networking information or explanation been understandable and plain in any application? I've used 100's of them and none of them make any sense to me.

With your level of (mis)understanding perhaps you'd be better served if your first reaction wasn't panic and concern over every little byte of information that emits from your ethernet port. I guarantee that Adobe doesn't care at all about your letter to your grandmother and (hypothetically) if they did little snitch wouldn't be how you found out.

If you do truly want to maintain this level of control over your networking activities then you're simply going to have to develop a better understanding of TCP/IP and internet protocols. Until then, I guess you'll just have to suffer from having a heart attack every time your computer wants to see if there's a network printer or shared storage on your LAN.

Little Snitch is a useful tool for a narrow range of privacy tasks (hiding pirated software you want to run, for example) but as a general purpose security tool it's not really appropriate for exactly the challenges you point out.

When the information is even more generic like finder wants to connect to 172.16.186.255 then there's nothing to even guess about.
This is not "generic" information. It's just information you lack the background to understand.
 
What is a "master browser" and what is its purpose?

OK, I found the answer to this question:

Browser Services

Browser service is a provider of a list of network resources which does not affect access. Browse List - A list of available resources on the network domain. The size of this list is limited to 64K limiting the number of domain computers to 2000 to 3000.

  • Master Browser - Maintains the main or master list of computers and shared resources. All workgroups or domains have one master browser. A new resource list is sent to the backup browsers every 15 minutes. A client will not be removed from the resource list for 3, 12 minute periods. Another domain master will wait 3 15 minute periods of no response from a domain master browser before removing the domain resources from its list. The client will first go to the master browser which will give the client a list of backup browsers.
  • Domain Master Browser - The master browser for a domain. The primary domain controller (PDC) in a domain network always wins elections to become the domain master browser.
  • Subnet Browser or Local Master Browser - Works on a subnet providing resource lists to the clients and keeping the Domain Master Browser updated with resource lists. This is normally a backup domain controller (BDC). This browser must have support for a routable protocol such as TCP/IP or IPX/SPX. An assumption here is that the domain master browser is on a different subnet.
  • Backup Browser - The domain master browser sends a copy of the browse list to the backup browser periodically in case the master fails. This browser is also responsible for passing the browse list to clients.
  • Potential Browser - A computer that may become a master or backup browser.
  • Non-Browser - A computer that will never become a browser.


With your level of (mis)understanding perhaps you'd be better served if your first reaction wasn't panic and concern over every little byte of information that emits from your ethernet port. I guarantee that Adobe doesn't care at all about your letter to your grandmother and (hypothetically) if they did little snitch wouldn't be how you found out.

If you do truly want to maintain this level of control over your networking activities then you're simply going to have to develop a better understanding of TCP/IP and internet protocols. Until then, I guess you'll just have to suffer from having a heart attack every time your computer wants to see if there's a network printer or shared storage on your LAN.

Little Snitch is a useful tool for a narrow range of privacy tasks (hiding pirated software you want to run, for example) but as a general purpose security tool it's not really appropriate for exactly the challenges you point out.

I see. So, I'm not allowed to do that learning here? And if I do then I'm panicking? And since you are not Adobe I'll take your guarantee as completely worthless. :) And if Adobe did want that it probably would indeed be little snitch that led to the awareness of it. I do appreciate the help you offered but I don't dig being kicked at the same time. I already know I know nothing about networking (and need to learn) and said as much in the initial post.
 
He has every right to know why this happened. He's just asking for information on this so he understands. Instead of blowing him off, point him to information that helps explain this. Microsoft was caught years ago getting information from people's computers, and am pretty sure other companies have so too. Not to mention big brother always peeking into our lives by one means or another. It's to the point of keeping your main computer offline so they don't get information on what's on there. Might as well use a honeypot to get your updates you need and watch this to see what's being checked.
 
This is not "generic" information. It's just information you lack the background to understand.

It's both! Of course I don't understand it. Not sure I want to fill my head with networking BS (or "background" as you put it) either. You're talking hundreds of thousands of single spaced small-type pages, perhaps millions.

It's generic in that there is no purpose mentioned and no data displayed. There almost never is in any monitoring app. And when there is it may indeed very well be completely meaningless binary strings. Source address, destination address, and calling app is about as generic as you can get!
 
He has every right to know why this happened. He's just asking for information on this so he understands. Instead of blowing him off, point him to information that helps explain this. Microsoft was caught years ago getting information from people's computers, and am pretty sure other companies have so too. Not to mention big brother always peeking into our lives by one means or another. It's to the point of keeping your main computer offline so they don't get information on what's on there. Might as well use a honeypot to get your updates you need and watch this to see what's being checked.


Yup! And MS was exposed for incorporating government backdoors into every server shipped since NT 3.x too and AFAIK still stand guilty of doing so. But I wasn't too worried about that here. I assume Apple isn't doing this. At least I've never heard issues raised. I was just trying to figure out what and why. As an end user of Apple computers I would suspect Russian pornographers before the US Government of trying to gain illegal access. :p


Anyway, thanks to Nugget and Toby G., I think I have a much better idea of what is going on. Thanks guys!
 
Actually, Apple did get popped with iTunes collecting data a few years ago. There was a way to turn it off too. Yeah, who knows what gets transmitted these days. I did find an interesting article about Vista and phoning home...
http://news.softpedia.com/news/Forg...s-Harvest-User-Data-for-Microsoft-58752.shtml . I really don't care if they scan my stuff (if it's being done). They get a record from the ISPs anyways to see where you've been surfin. More power to 'em.
 
It occurs to me that there's a potential opportunity for Little Snitch and other such software to add a killer feature - explanations of these sort of widely documented, somewhat known things.

I'm a reasonably adept computer user (granted, not a programmer), but everything network related is like a black box to me. I know I'm not the only one, either - especially in video/photo/design related industries.
 
Of course not. Even people who think they know only really know a small section. The information is VAST and the acronyms are multitudinous!

In a world where ZIP means "AppleTalk Zone Information Protocol" and people are expected to understand diagrams like:

pppsuite.gif
there's bound to be a clueless majority and a few questions. :D


The problem with getting monitors to be more intelligent and informative is a combination of a chicken and egg problem and data analysis. To know what an app is sending or receiving you have to analyze the data being sent. But to do that you have to have the data. But to have the data it has to have already been sent. You could fool it into thinking it was connected to something maybe if you knew the exchange protocols and keys and then analyze that I suppose. Sounds incredibly difficult and troublesome. I guess you could snoop it and inform the user what was done after the fact easily enough?


 
Tesselator's frustration is felt by a large number of people. I'm one of them. Also, it is important to know what services are requesting access to network connections and why. The risks one can afford to take with their computer are conditional, based on where/how it's used.
 