[jcifs] OT: Tracking down a rogue workgroup.

Ray Van Dolson rvandolson at esri.com
Thu Jan 21 18:12:54 MST 2010

Thanks for the reply Christopher.

On Thu, Jan 21, 2010 at 02:18:52PM -0800, Christopher R. Hertel wrote:
> Oh, man... it's been so long since I looked at all of this.
> Start here:  http://ubiqx.org/cifs/Browsing.html
> The packet information is in there somewhere (I wrote it long enough
> ago that I don't recall where).
> jCIFS may be a better answer, but I have written up a tool that does
> a nice job of generating name service queries.  It takes some putting
> together, but you can find it here:  http://ubiqx.org/libcifs/
> ...what you want (if you want to go this route at all) is the
> nbtquery tool under the tools directory.  You'll need most of the
> tree to compile the tool, but if you're familiar with C it shouldn't
> be a problem.
> Anyway, you should be able to perform directed name queries using
> that tool (or the nmblookup tool that comes with Samba, but mine's a
> little more utilitarian), which would help you find master browsers
> and, eventually, the offending node.

Sounds promising.  Would the master browsers contain a record of the
host within their subnet if the host was offline?  I assume this
expires after a while.

One of our challenges is the host appears and disappears.  I'm thinking
it'd be nice to write a tool/script that calls NetServerEnum2 to our
domain controller and tells us when the workgroup shows up... that
might help us establish a pattern or at least know when *not* to look.

> Another thing out there...  If you've got Windows systems,
> particularly older ones, there are two W2K Resource Kit utilities
> that may help.  You're looking for BrowStat and BrowMon.
> Hope that's useful.

Many thanks,

More information about the jCIFS mailing list