[Samba] Tracking down rogue workgroup

Ray Van Dolson rvandolson at esri.com
Thu Jan 21 10:40:41 MST 2010


On Thu, Jan 21, 2010 at 09:18:13AM -0800, Moray Henderson wrote:
> Ray Van Dolson wrote:
> >> >This seems to be a decent way to tell right when the workgroup shows
> >> >up, but I don't think it helps us track down which IP address is
> >> >responsible for generating it, or helping us narrow down the subnet
> >> >it's on even... (if I'm wrong, please correct me on that).
> >> >
> >> >Right now we're sifting through traffic to the domain controller
> >> >looking for announcement packets including the workgroup name, and,
> >> >presumably an IP of a Local Master Browser or subnet...
> >> >
> >> >Ray
> >>
> >> It should do.  The nmblookup command should return an IP address; if
> >> you add a -S option as well it should give you the node status:
> >>
> >> $ nmblookup -M MSHOME -S
> >> querying MSHOME on 66.255.255.255
> >> 66.102.9.104 MSHOME<1d>
> >> Looking up status of 66.102.9.104
> >>         MEDIACENTER     <00> -         B <ACTIVE>
> >>         MEDIACENTER     <03> -         B <ACTIVE>
> >>         MEDIACENTER     <20> -         B <ACTIVE>
> >>         ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
> >>         MSHOME          <1d> -         B <ACTIVE>
> >>         MSHOME          <1e> - <GROUP> B <ACTIVE>
> >>         MSHOME          <00> - <GROUP> B <ACTIVE>
> >>
> >>         MAC Address = 00-00-00-00-00-00
> >
> >Well, will give it a try.  A tcpdump seems to indicate that when I run
> >the above command, my workstation is merely sending out a Name query
> >broadcast on my local subnet for the workgroup in question.
> >
> >Does this query (it does appear to have the recursion bit set)
> >propagate to other subnets via the local master browsers or DC's
> >(assuming my packet reaches them)?
> >
> >Just curious...
> >
> >Thanks!
> >Ray
> 
> I'm not sure exactly how it propagates, but if you run it on a subnet
> that can see the rogue workgroup you ought to get an answer.

Unfortunately, Linux clients can't see it (at least not with nmblookup
-M -- -), but Windows clients can.  The Windows clients emit a unicast
LANMAN NetServerEnum2 request to their browse master, and the browse
master returns a response with a list of workgroups, many of which are
not on the local subnet...

It's not clear to me if the browse master is getting the out-of-subnet
workgroups in its list from the domain browser (or domain controller,
whatever), or elsewhere...

Right now we're going to set up a port span on our domain controller
and look for workgroup announcement messages or WINS updates containing
the workgroup name from local master browsers....

Good times :)
