[jcifs] OT: Tracking down a rogue workgroup.

[Ray Van Dolson]

Hi all... this is off-topic, but I'm thinking there are some pretty
knowledgeable folks on this list and am hoping this topic is
interesting enough that you'll induldge me briefly. :)

We're trying to track down a machine responsible for an inappropriately
named workgroup.

We have enough subnets that are spread out far enough geographically
that at this point it's not practical to sniff on each subnet to watch
for when the workgroup shows up.

Right now we're sniffing on our Domain Controller and looking for
workgroup announcements coming from master browsers throughout our
network... I'm not sure if this is the best approach though.

One interesting packet we discovered was a reply to a NetServerEnum2
request.  This contained a list of workgroups and in the "Server
Comment" field there appeared to be the name of a server.  While it
appears this field isn't mandatory, we speculate the the machine name
listed here was probably the one responsible for the workgroup, or at
least a good starting point.

However, this machine name of course isn't registered in our DNS, so
we're still not really any closer to tracking down which subnet it's
on.

Anyone have any suggestions how they'd go about approaching this?

In our tests it seems that a workgroup name gets sent to the domain
controller either directly via unicast (presumably when a WINS server
is set up), or, and I need clarification on this, the host comes up,
announces itself via broadcast, and the master browser on that
particular subnet learns of the workgroup.  Periodically the master
browser sends the list of workgroups it knows about up the pipe
eventually reaching the domain controller.

I'd *love* to know what type of packet to look for on the domain
controller to find the list of workgroups containing the name I'm
looking for...

Thanks!
Ray