[Samba] Tracking down rogue workgroup
Moray Henderson
Moray.Henderson at ict-software.org
Thu Jan 21 10:18:13 MST 2010
Ray Van Dolson wrote:
>> >This seems to be a decent way to tell right when the workgroup shows
>> >up, but I don't think it helps us track down which IP address is
>> >responsible for generating it, or helping us narrow down the subnet it's
>> >on even... (if I'm wrong, please correct me on that).
>> >
>> >Right now we're sifting through traffic to the domain controller
>> >looking for announcement packets including the workgroup name, and,
>> >presumably an IP of a Local Master Browser or subnet...
>> >
>> >Ray
>>
>> It should do. The nmblookup command should return an IP address; if you
>> add a -S option as well it should give you the node status:
>>
>> $ nmblookup -M MSHOME -S
>> querying MSHOME on 66.255.255.255
>> 66.102.9.104 MSHOME<1d>
>> Looking up status of 66.102.9.104
>> MEDIACENTER <00> - B <ACTIVE>
>> MEDIACENTER <03> - B <ACTIVE>
>> MEDIACENTER <20> - B <ACTIVE>
>> ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
>> MSHOME <1d> - B <ACTIVE>
>> MSHOME <1e> - <GROUP> B <ACTIVE>
>> MSHOME <00> - <GROUP> B <ACTIVE>
>>
>> MAC Address = 00-00-00-00-00-00
>
>Well, will give it a try. A tcpdump seems to indicate that when I run
>the above command, my workstation is merely sending out a Name query
>broadcast on my local subnet for the workgroup in question.
>
>Does this query (it does appear to have the recursion bit set)
>propagate to other subnets via the local master browsers or DC's
>(assuming my packet reaches them)?
>
>Just curious...
>
>Thanks!
>Ray
I'm not sure exactly how it propagates, but if you run it on a subnet
that can see the rogue workgroup you ought to get an answer.
Moray.
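
The lookup discussed in this thread, condensed to one line per responding master browser (IP, machine name, workgroup). This is an added example, not part of the original posts or of Samba itself; the function names `parse_master_browser` and `sample_output` are hypothetical, the sample text is the output quoted above, and NetBIOS names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: summarise `nmblookup -M <workgroup> -S` output as
# "IP HOSTNAME WORKGROUP", one line per host whose node status was returned.
# Live use (run on a subnet that can see the workgroup):
#   nmblookup -M MSHOME -S | parse_master_browser

parse_master_browser() {
    awk '
        # Print the record collected so far, then reset for the next host.
        function emit() {
            if (ip != "")
                print ip, (host != "" ? host : "?"), (wg != "" ? wg : "?")
            ip = ""; host = ""; wg = ""
        }
        # A node status section starts here; $5 is the responding address.
        /^Looking up status of / { emit(); ip = $5; next }
        # Ignore everything before the first status section.
        ip == "" { next }
        # Unique (non-group) <00> entry is the machine name.
        $2 == "<00>" && $0 !~ /<GROUP>/ { host = $1 }
        # <1d> is registered by the local master browser for the workgroup.
        $2 == "<1d>" { wg = $1 }
        END { emit() }
    '
}

# Sample input: the nmblookup output quoted earlier in this thread.
sample_output() {
    cat <<'EOF'
querying MSHOME on 66.255.255.255
66.102.9.104 MSHOME<1d>
Looking up status of 66.102.9.104
MEDIACENTER <00> - B <ACTIVE>
MEDIACENTER <03> - B <ACTIVE>
MEDIACENTER <20> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
MSHOME <1d> - B <ACTIVE>
MSHOME <1e> - <GROUP> B <ACTIVE>
MSHOME <00> - <GROUP> B <ACTIVE>

MAC Address = 00-00-00-00-00-00
EOF
}

sample_output | parse_master_browser
```
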
"To err is human. To purr, feline"