[Samba] Tracking down rogue workgroup

Moray Henderson Moray.Henderson at ict-software.org
Thu Jan 21 09:15:01 MST 2010


Ray Van Dolson wrote:
>On Thu, Jan 21, 2010 at 01:37:25AM -0800, Moray Henderson wrote:
>> Ray Van Dolson wrote:
>> >Hi folks.  Periodically a workgroup shows up on our network with an
>> >inappropriate name.  We're trying to find the best way to track this
>> >down as it's quite intermittent.
>> >
>> >We can obviously look for announcement messages (in broadcast packets
>> >on ports 138/139), but this must be done on each subnet and we have
>> >enough subnets that this would be rather tedious and at best, a last
>> >resort.
>> >
>> >The workgroup is available to machines in every subnet, so apparently
>> >its presence is getting relayed back to the domain controllers...
>> >
>> >For protocol gurus: is there a particular packet we can look for on the
>> >domain controllers that could help us narrow down our search to the
>> >right subnet?  A message from the local master browser sending a list
>> >of workgroups perhaps?
>> >
>> >Or a message updating WINS entries?
>> >
>> >Any suggestions would be appreciated!
>> >
>> >Thanks,
>> >Ray
>>
>> Have cron execute a short script every few minutes looking for the
>> workgroup, and emailing you what it finds:
>>
>> nmblookup -M MSHOME > /tmp/workgroup.txt
>> if ! grep -q failed /tmp/workgroup.txt; then
>>     mail -s "Workgroup found" root < /tmp/workgroup.txt
>> fi
>>
>> Vista machines tend to announce themselves as workgroups, so if you have
>> anyone bringing a laptop into your network, or connecting through a VPN
>> link, you can see this sort of thing.
>>
>
>This seems to be a decent way to tell right when the workgroup shows
>up, but I don't think it helps us track down which IP address is
>responsible for generating it, or helping us narrow down the subnet its
>on even... (if I'm wrong, please correct me on that).
>
>Right now we're sifting through traffic to the domain controller
>looking for announcement packets including the workgroup name, and,
>presumably an IP of a Local Master Browser or subnet...
>
>Ray

It should do.  The nmblookup command should return an IP address; if you
add a -S option as well it should give you the node status:

$ nmblookup -M MSHOME -S
querying MSHOME on 66.255.255.255
66.102.9.104 MSHOME<1d>
Looking up status of 66.102.9.104
        MEDIACENTER     <00> -         B <ACTIVE>
        MEDIACENTER     <03> -         B <ACTIVE>
        MEDIACENTER     <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MSHOME          <1d> -         B <ACTIVE>
        MSHOME          <1e> - <GROUP> B <ACTIVE>
        MSHOME          <00> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00



Moray.
"To err is human.  To purr, feline"

All IP addresses in this email are fictional.  Any resemblance to actual
IP addresses, online or offline, is entirely coincidental.  No binary
digits were harmed during the production of this email.
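An added example, not part of the thread: a POSIX sh helper that parses the output of `nmblookup -M <workgroup> -S` (as shown in the reply above) so a cron job can log which IP and NetBIOS host answered for the rogue workgroup, rather than only that it exists. The sample outputs, the workgroup MSHOME and the log format are constructed for this example; the IPs are fictional.

```shell
#!/bin/sh
# Parse `nmblookup -M <workgroup> -S` output and report the host acting as
# local master browser for the workgroup. Added example, not the list's code.

# lmb_ip: the IP that answered the <1d> (local master browser) name query.
lmb_ip() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9.]+$/ && $2 ~ /<1d>$/ { print $1; exit }'
}

# lmb_host: the unique <00> entry (not a <GROUP>) in the node status table,
# i.e. the NetBIOS computer name of the machine answering as master browser.
lmb_host() {
    printf '%s\n' "$1" | awk '$2 == "<00>" && $4 != "<GROUP>" { print $1; exit }'
}

# lmb_report: one log line "<utc timestamp> <workgroup> <ip> <host>" when the
# query succeeded; prints nothing and returns 1 when the name query failed.
lmb_report() {
    wg=$1; out=$2
    ip=$(lmb_ip "$out"); hn=$(lmb_host "$out")
    [ -n "$ip" ] || return 1
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$wg" "$ip" "${hn:-unknown}"
}

# Constructed sample of a hit, modelled on the reply above (fictional IPs).
HIT='querying MSHOME on 66.255.255.255
66.102.9.104 MSHOME<1d>
Looking up status of 66.102.9.104
        MEDIACENTER     <00> -         B <ACTIVE>
        MEDIACENTER     <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MSHOME          <1d> -         B <ACTIVE>
        MSHOME          <00> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00'

# Constructed sample of a miss (no master browser answered).
MISS='querying MSHOME on 66.255.255.255
name_query failed to find name MSHOME#1d'

# Intended cron usage (assumed), e.g. every 5 minutes:
#   out=$(nmblookup -M MSHOME -S 2>&1); lmb_report MSHOME "$out" >> /var/log/rogue-wg.log
lmb_report MSHOME "$HIT"
lmb_report MSHOME "$MISS" || echo "MSHOME not found"
```

A broadcast `-M` query only reaches the master browser on the subnet the querying host sits on, so run the job from a host (or Samba server) on each subnet you want to watch.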



