LWF talking on UDP 137??

New Member

After installing the lightweight forwarder on a DMZ machine, I'm seeing UDP 137 traffic to my Splunk server (which is being blocked by my firewall). Is this expected behaviour?



Did you ever find out the resolution for this?
I am seeing the same after installing the Forwarder on my servers; they are all dropping on my ASAs.


Splunk Employee

This isn't anything Splunk is doing. If you take a look in /etc/services, you'll see that 137 is a NETBIOS (SAMBA, SMB) port. I'm not sure of what the purpose of this port is, as there are a number of SMB ports (137-139), but I would assume it's just some sort of broadcast to find out whether or not this box is NETBIOS accessible.
