[Samba] Tracking down rogue workgroup

Moray Henderson Moray.Henderson at ict-software.org
Thu Jan 21 02:37:25 MST 2010

Ray Van Dolson wrote:
>Hi folks.  Periodically a workgroup shows up on our network with an
>inappropriate name.  We're trying to find the best way to track this
>down as it's quite intermittent.
>We can obviously look for announcement messages (in broadcast packets
>on ports 138/139), but this must be done on each subnet and we have
>enough subnets that this would be rather tedious and at best, a last
>The workgroup is available to machines in every subnet, so apparently
>its presence is getting relayed back to the domain controllers...
>For protocol gurus: is there a particular packet we can look for on the
>domain controllers that could help us narrow down our search to the
>right subnet?  A message from the local master browser sending a list
>of workgroups perhaps?
>Or a message updating WINS entries?
>Any suggestions would be appreciated!

Have cron execute a short script every few minutes looking for the
workgroup, and emailing you what it finds:

nmblookup -M MSHOME > /tmp/workgroup.txt
if ! grep -q failed /tmp/workgroup.txt; then
    mail -s "Workgroup found" root < /tmp/workgroup.txt

Vista machines tend to announce themselves as workgroups, so if you have
anyone bringing a laptop into your network, or connecting through a VPN
link, you can see this sort of thing.

"To err is human.  To purr, feline"

More information about the samba mailing list