[Samba] Tracking down rogue workgroup
Moray.Henderson at ict-software.org
Thu Jan 21 02:37:25 MST 2010
Ray Van Dolson wrote:
>Hi folks. Periodically a workgroup shows up on our network with an
>inappropriate name. We're trying to find the best way to track this
>down as it's quite intermittent.
>We can obviously look for announcement messages (in broadcast packets
>on ports 138/139), but this must be done on each subnet and we have
>enough subnets that this would be rather tedious and at best, a last
>The workgroup is available to machines in every subnet, so apparently
>its presence is getting relayed back to the domain controllers...
>For protocol gurus: is there a particular packet we can look for on the
>domain controllers that could help us narrow down our search to the
>right subnet? A message from the local master browser sending a list
>of workgroups perhaps?
>Or a message updating WINS entries?
>Any suggestions would be appreciated!
Have cron execute a short script every few minutes looking for the
workgroup, and emailing you what it finds:

    # Ask for the master browser of the workgroup; mail the result unless the lookup failed
    nmblookup -M MSHOME > /tmp/workgroup.txt
    if ! grep -q failed /tmp/workgroup.txt; then
        mail -s "Workgroup found" root < /tmp/workgroup.txt
    fi

Vista machines tend to announce themselves as workgroups, so if you have
anyone bringing a laptop into your network, or connecting through a VPN
link, you can see this sort of thing.
"To err is human. To purr, feline"
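
A fuller version of the cron check suggested in the reply above, as an added example that is not part of the original post: it extracts the address of the host answering as master browser, mails once per newly seen host, and attaches that host's node status table. The function names, the state file path and the sample `nmblookup -M` output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
WORKGROUP="${WORKGROUP:-MSHOME}"        # workgroup name used in the post
STATE="${STATE:-/tmp/rogue-wg.seen}"    # hypothetical state file of IPs already reported

# Constructed samples of `nmblookup -M` output (assumed format): a hit and a miss.
SAMPLE_HIT='querying MSHOME on 192.168.1.255
192.168.1.23 MSHOME<1d>'
SAMPLE_MISS='querying MSHOME on 192.168.1.255
name_query failed to find name MSHOME#1d'

# stdin: nmblookup -M output. stdout: IP of each host answering as
# master browser (<1d>) for workgroup $1; nothing when the lookup failed.
parse_masters() {
    awk -v wg="$1" '
        BEGIN { want = toupper(wg "<1d>") }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && toupper($2) == want { print $1 }'
}

# stdin: IPs. stdout: only IPs not yet in state file $1, which are then recorded,
# so cron sends one mail per new host instead of one every few minutes.
new_only() {
    touch "$1"
    while read -r ip; do
        if ! grep -qxF "$ip" "$1"; then
            echo "$ip" >> "$1"
            echo "$ip"
        fi
    done
}

# Query, then mail the node status table of each newly seen master browser.
check() {
    nmblookup -M "$WORKGROUP" 2>&1 | parse_masters "$WORKGROUP" | new_only "$STATE" |
    while read -r ip; do
        { echo "Master browser for $WORKGROUP: $ip"; nmblookup -A "$ip" 2>&1; } |
            mail -s "Workgroup $WORKGROUP found at $ip" root
    done
}

# Only touch the network when asked to, e.g. from cron: script.sh --run
if [ "${1:-}" = "--run" ]; then check; fi
```

The reported address identifies the subnet to inspect; delete the state file to be notified again about a host already seen.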