[jcifs] OT: Tracking down a rogue workgroup.
Christopher R. Hertel
crh at ubiqx.mn.org
Thu Jan 21 15:18:52 MST 2010
Oh, man... it's been so long since I looked at all of this.
Start here: http://ubiqx.org/cifs/Browsing.html
The packet information is in there somewhere (I wrote it long enough ago
that I don't recall where).
jCIFS may be a better answer, but I have written up a tool that does a nice
job of generating name service queries. It takes some putting together, but
you can find it here: http://ubiqx.org/libcifs/
...what you want (if you want to go this route at all) is the nbtquery tool
under the tools directory. You'll need most of the tree to compile the
tool, but if you're familiar with C it shouldn't be a problem.
Anyway, you should be able to perform directed name queries using that tool
(or the nmblookup tool that comes with Samba, but mine's a little more
utilitarian), which would help you find master browsers and, eventually, the
Another thing out there... If you've got Windows systems, particularly
older ones, there are two W2K Resource Kit utilities that may help. You're
looking for BrowStat and BrowMon.
Hope that's useful.
Ray Van Dolson wrote:
> Hi all... this is off-topic, but I'm thinking there are some pretty
> knowledgeable folks on this list and am hoping this topic is
> interesting enough that you'll induldge me briefly. :)
> We're trying to track down a machine responsible for an inappropriately
> named workgroup.
> We have enough subnets that are spread out far enough geographically
> that at this point it's not practical to sniff on each subnet to watch
> for when the workgroup shows up.
> Right now we're sniffing on our Domain Controller and looking for
> workgroup announcements coming from master browsers throughout our
> network... I'm not sure if this is the best approach though.
> One interesting packet we discovered was a reply to a NetServerEnum2
> request. This contained a list of workgroups and in the "Server
> Comment" field there appeared to be the name of a server. While it
> appears this field isn't mandatory, we speculate the the machine name
> listed here was probably the one responsible for the workgroup, or at
> least a good starting point.
> However, this machine name of course isn't registered in our DNS, so
> we're still not really any closer to tracking down which subnet it's
> Anyone have any suggestions how they'd go about approaching this?
> In our tests it seems that a workgroup name gets sent to the domain
> controller either directly via unicast (presumably when a WINS server
> is set up), or, and I need clarification on this, the host comes up,
> announces itself via broadcast, and the master browser on that
> particular subnet learns of the workgroup. Periodically the master
> browser sends the list of workgroups it knows about up the pipe
> eventually reaching the domain controller.
> I'd *love* to know what type of packet to look for on the domain
> controller to find the list of workgroups containing the name I'm
> looking for...
More information about the jCIFS