[jcifs] OT: Tracking down a rogue workgroup.

Christopher R. Hertel crh at ubiqx.mn.org
Thu Jan 21 15:22:56 MST 2010


Hmmm...  Browstat.exe is available on the XP virtual machine I've got
running.  I don't know if it is there by default or if I installed
something, but hey...

Ray Van Dolson wrote:
> Hi all... this is off-topic, but I'm thinking there are some pretty
> knowledgeable folks on this list and am hoping this topic is
> interesting enough that you'll indulge me briefly. :)
> 
> We're trying to track down a machine responsible for an inappropriately
> named workgroup.
> 
> We have enough subnets that are spread out far enough geographically
> that at this point it's not practical to sniff on each subnet to watch
> for when the workgroup shows up.
> 
> Right now we're sniffing on our Domain Controller and looking for
> workgroup announcements coming from master browsers throughout our
> network... I'm not sure if this is the best approach though.
> 
> One interesting packet we discovered was a reply to a NetServerEnum2
> request.  This contained a list of workgroups and in the "Server
> Comment" field there appeared to be the name of a server.  While it
> appears this field isn't mandatory, we speculate that the machine name
> listed here was probably the one responsible for the workgroup, or at
> least a good starting point.
> 
> However, this machine name of course isn't registered in our DNS, so
> we're still not really any closer to tracking down which subnet it's
> on.
> 
> Anyone have any suggestions how they'd go about approaching this?
> 
> In our tests it seems that a workgroup name gets sent to the domain
> controller either directly via unicast (presumably when a WINS server
> is set up), or, and I need clarification on this, the host comes up,
> announces itself via broadcast, and the master browser on that
> particular subnet learns of the workgroup.  Periodically the master
> browser sends the list of workgroups it knows about up the pipe
> eventually reaching the domain controller.
> 
> I'd *love* to know what type of packet to look for on the domain
> controller to find the list of workgroups containing the name I'm
> looking for...
> 
> Thanks!
> Ray
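
An added example, not part of either post: a parser for the data block of a NetServerEnum2 reply that pulls each workgroup name together with its "Server Comment" string, so a capture taken on the domain controller can be searched for one workgroup. It assumes the level-1 RAP server-info layout (16-byte name, two version bytes, 4-byte type, comment pointer whose low 16 bits minus the reply's Converter value give the string offset); the function names, workgroup names and sample bytes are constructed for illustration.

```python
import struct

# Level-1 entry: 16-byte name, version major/minor, type, comment pointer low/high.
ENTRY = struct.Struct("<16sBBIHH")
SV_TYPE_DOMAIN_ENUM = 0x80000000  # set when the reply lists workgroups/domains

def parse_entries(data: bytes, count: int, converter: int):
    """Return (name, type_flags, comment) per entry in a reply data block."""
    fixed = ENTRY.size * count
    if fixed > len(data):
        raise ValueError("entry count exceeds data block")
    rows = []
    for i in range(count):
        raw, _maj, _min, stype, low, _high = ENTRY.unpack_from(data, i * ENTRY.size)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        # Comment offset = low 16 bits of the pointer minus the Converter value.
        off = (low - converter) & 0xFFFF
        comment = ""
        if fixed <= off < len(data):  # ignore pointers outside the string area
            end = data.find(b"\0", off)
            end = len(data) if end == -1 else end
            comment = data[off:end].decode("ascii", "replace")
        rows.append((name, stype, comment))
    return rows

def find_workgroup(rows, wanted: str):
    """Case-insensitive match on workgroup name; returns (name, comment) pairs."""
    return [(n, c) for n, _t, c in rows if n.upper() == wanted.upper()]

def build_sample(pairs, converter: int) -> bytes:
    """Construct a data block for the demo (not captured traffic)."""
    fixed, entries, strings = ENTRY.size * len(pairs), b"", b""
    for name, comment in pairs:
        low = fixed + len(strings) + converter
        entries += ENTRY.pack(name.encode(), 5, 1, SV_TYPE_DOMAIN_ENUM, low, 0)
        strings += comment.encode() + b"\0"
    return entries + strings

CONVERTER = 0x1000  # constructed value
SAMPLE = build_sample([("CORP", "DC01"), ("ROGUEGRP", "LAB-PC7")], CONVERTER)

if __name__ == "__main__":
    for name, comment in find_workgroup(parse_entries(SAMPLE, 2, CONVERTER), "roguegrp"):
        print(f"workgroup {name}: comment field = {comment!r}")
```

The entry count and Converter come from the parameter block of the same reply; feed the function the data block bytes exported from the capture.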

