Port 138: NetBIOS Datagram Service — The Voice of Network Neighborhood

Port 138 carries the NetBIOS Datagram Service over UDP. It is the connectionless voice of Windows networking, the broadcast channel through which computers announce their presence to the local network. Every time you opened Network Neighborhood in Windows 95 and watched other machines materialize in the list, port 138 was the messenger.

This port does not carry your files. It does not establish sessions. It simply lets machines say, "I exist. I am here. Come find me."

What Port 138 Does

The NetBIOS Datagram Service (NBDGM or NetBIOS-DGM) provides connectionless, unreliable messaging between computers on a local network.¹ Unlike TCP-based services that establish connections and guarantee delivery, port 138 operates on a fire-and-forget model. You send a datagram into the network, and you hope it arrives.

This design made it perfect for announcements. When a Windows machine starts up, it does not quietly join the network. It broadcasts its presence. It shouts its name into the void using port 138, and other machines listen.²

The datagram service supports three types of messages:

• Direct Unique: A message sent to a specific NetBIOS name
• Direct Group: A message multicast to all holders of a group name
• Broadcast: A message sent to every NetBIOS name on the network

This broadcast capability became the foundation of Windows network discovery.

The Computer Browser Service

Before DNS became ubiquitous on local networks, before mDNS and WS-Discovery, Windows machines needed a way to find each other. The answer was the Computer Browser Service, and port 138 was its nervous system.³

Here is how it worked:

When a Windows computer started, it immediately sent a host announcement frame over port 138. Then again at 4 minutes. Then at 8 minutes. Then every 12 minutes thereafter.⁴ These announcements contained the computer's name, its workgroup, and what services it offered.

But who was listening?

The network elected a Master Browser. Through a democratic process held every 11 to 15 minutes, computers running the browser service would vote, and one would win the role of maintaining the browse list.⁵ The criteria favored uptime, protocol version, and other technical factors. Your own computer might become the Master Browser, and you would never know it.

The Master Browser collected all those 12-minute announcements and built a list. When you opened Network Neighborhood, your computer asked the Master Browser for this list. The Master Browser answered over port 138.

If the Master Browser failed, a re-election was held. A new browser was elected from the Backup Browsers. To speed up the transition, the new Master Browser would send an AnnouncementRequest query, and all the computers would re-announce themselves with a random delay of up to 30 seconds.⁶

The machines were governing themselves.

The History: Sytek, IBM, and the Dawn of PC Networking

NetBIOS was born in 1983, created by a company called Sytek Inc. for IBM's PC Network.⁷ The original IBM PC Network was a 2 Mbit/s baseband LAN that supported up to 80 devices. NetBIOS was the API that let applications talk to each other over this hardware.

On the original PC Network, NetBIOS was just an interface. The actual communication used proprietary Sytek protocols. But then IBM moved to Token Ring in 1985 and created NetBEUI (NetBIOS Extended User Interface) to carry NetBIOS traffic over the new hardware.⁸

The problem was isolation. NetBIOS worked beautifully within a single network segment, but it could not cross routers. It could not traverse the Internet. As TCP/IP became the universal language of networking, someone had to figure out how to make NetBIOS speak it.

In March 1987, RFC 1001 and RFC 1002 were published, defining NetBIOS over TCP/IP (NBT).⁹ Karl Auerbach, an Internet protocol engineer who would later be elected to ICANN's board of directors, edited these specifications.¹⁰ The documents drew on implementation knowledge from CMC/Syros, Excelan, Sytek, and Ungermann-Bass.

RFC 1001 opens with a statement that explains everything: "NetBIOS has become the dominant mechanism for personal computer networking."¹¹ The standard was created not because NetBIOS was elegant, but because it had won. Millions of applications depended on it. The only path forward was adaptation.

The specification assigned three ports:

• Port 137 (UDP): Name Service, for registering and resolving NetBIOS names
• Port 138 (UDP): Datagram Service, for connectionless messaging
• Port 139 (TCP): Session Service, for connection-oriented file and printer sharing

Port 138 became the voice of the network.

Windows for Workgroups and the Network Neighborhood Era

Windows for Workgroups 3.11 shipped in 1993, and suddenly networking was built into the operating system.¹² You did not need Novell NetWare or Banyan VINES. You could connect a few PCs with cheap Ethernet cards, give them workgroup names, and they would find each other.

Port 138 made this magic possible.

You would double-click the Network Neighborhood icon, and after a moment, other computers would appear. Printers. Shared folders. The office down the hall. Your roommate's machine with a suspiciously large MP3 collection.

Behind the scenes, port 138 was carrying host announcements and browse list queries. The Master Browser was maintaining the catalog. Your computer was participating in elections without your knowledge.

This system had flaws. Because announcements only happened every 12 minutes, it could take up to 12 minutes for a new computer to appear in the browse list. And after a computer disconnected, its ghost remained in the list for three missed announcements, 36 minutes of haunting the Network Neighborhood.¹³

The browse list was, in the words of one Microsoft engineer, "an extremely unreliable snapshot based on unconfirmed single UDP broadcast announcements."

But it worked. It worked well enough for LAN parties where friends connected their machines to play Quake and StarCraft. It worked well enough for small offices sharing printers. It worked well enough that millions of people experienced networked computing for the first time through that little globe icon.

Security: A Protocol From a More Trusting Age

NetBIOS was designed in 1983 for networks of 80 computers in a single building. It assumed everyone on the network was trusted. This assumption did not age well.

Port 138 has no encryption. No authentication. No integrity verification.¹⁴ Datagrams travel in plaintext, readable by anyone who can see the network traffic.

The broadcast nature of the datagram service means attackers on the same network segment can easily intercept announcements and map the entire network topology. Computer names, workgroup names, available services: all exposed.¹⁵

The Master Browser implementation is particularly vulnerable. Windows "eagerly eats everything and hardly does any checks," according to security researchers. It does not verify whether announced names match source addresses, whether names match NetBIOS cache entries. Nothing gets verified.¹⁶

Major worms exploited NetBIOS vulnerabilities to spread:

• Conficker (2008) targeted NetBIOS weaknesses to create one of the largest botnets in history
• WannaCry (2017) exploited SMB vulnerabilities in the related port 445, but the attack surface was mapped through NetBIOS enumeration¹⁷

The security recommendation is simple: block ports 137-139 and 445 at all network perimeters. Do not expose NetBIOS to the Internet. Ever.¹⁸

The Slow Sunset

Since Windows 2000, Microsoft has been slowly deprecating NetBIOS. SMB can now run directly over TCP port 445 without the NetBIOS layer. DNS has replaced NetBIOS name resolution for most purposes.

Windows 10 version 1709 removed the Computer Browser Service by default.¹⁹ The browse list, the master browser elections, the 12-minute announcements, all gone from the default installation. WS-Discovery has replaced it for modern network discovery.

Port 138 still exists. The service still runs on many networks for backward compatibility. Legacy applications still depend on it. But the era of Network Neighborhood, of machines democratically electing their browser, of 36-minute ghosts in the browse list, that era is ending.

Related Ports

Port 138 is one member of a family:

Technical Summary