wxp SP2 host responds to "nmblookup HOST" but not "nmblookup *"

Christopher R. Hertel crh at ubiqx.mn.org
Tue Dec 28 19:22:09 GMT 2004 

On Tue, Dec 28, 2004 at 10:52:03AM -0800, David Wuertele wrote:
:
> Re: wxp SP2 host responds to "nmblookup HOST" but not "nmblookup *"

Yes, I noticed that as well.  Annoying, eh?

> Executive summary: Is there some other method to enumerate all SMB
> hosts on a LAN than a wildcard NBT node status query to the broadcast
> address?

This bug in XP breaks that rather nicely, doesn't it?

> I am trying to automate the enumeration of available shares on my LAN.
> In the process, I enumerate the SMB servers by doing a broadcast
> query.  The assumption is that if the Windows host is node type B,M,
> or H, it will respond.  However, I have found some hosts that don't
> respond to the wildcard query even if they are in M or H mode.

Yep.  You might try the following:

- Turn off the Broadcast bit and see what happens.
- Try the "*SMBSERVER" name.  *Some* systems will respond to this (though 
  they probably shouldn't).

> Example: Windows XP host "DAVE" is Node Type "Hybrid" and has IP
> address 192.168.0.7.  Firewalling is completely turned off.  On a
> linux box on the same LAN, I type
> 
>   # nmblookup '*'
>   creating lame upcase table
>   creating lame lowcase table
>   querying * on 192.168.0.255
>   192.168.0.15 *<00>
>   #
> 
> Apparently nmblookup found another WXP host --- but not "DAVE".  Why
> not?  When I ask for "DAVE" by name, he answers:
> 
>   # nmblookup 'DAVE'
>   creating lame upcase table
>   creating lame lowcase table
>   querying DAVE on 192.168.0.255
>   192.168.0.7 DAVE<00>
>   # 

What node type is 192.168.0.15?  Is it a 'B'?
Is it running XP-SP2?

> When I query DAVE by his IP address, I also get a response:
> 
>   # nmblookup -A 192.168.0.7
>   creating lame upcase table
>   creating lame lowcase table
>   Looking up status of 192.168.0.7
>           DAVE            <00> -         M <ACTIVE> 
>           BOGUSWORKGROUP  <00> - <GROUP> M <ACTIVE> 
>           DAVE            <20> -         M <ACTIVE> 
>           BOGUSWORKGROUP  <1e> - <GROUP> M <ACTIVE> 
> 
>           MAC Address = 00-04-76-DA-6A-C3
> 
>   # 
> 
> But I can't query by name or by address, because those are the unknown
> things I'm trying to discover in the first place!  The wildcard
> broadcast query has always worked before... I wonder if SP2 has
> changed something?

Quite possibly.  I now have an XP-SP2 system to test against.  I've never 
tested pre-SP2.  With SP2, I see the same misbehavior.

> Looking into the source for nmblookup, it is calling
> namequery.c:node_status_query(), which does a NBT node status query.
> 
> Is there some other method to discover SMB hosts than a wildcard NBT
> node status query to the broadcast address?

What happens when you query for BOGUSWORKGROUP<1e> ?

If node Dave responds then you might be able to solve your problem using a 
multi-step approach.

1) Do the broadcast name query.
   --or--
   Query for the MSBROWSE name.

2) Query all of the nodes returned for their workgroup name
   (do a Node Status query and look for <1E> or <00> group names).

3) Query for all of the workgroup names returned.

Nasty, eh?

Chris -)-----


-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list