[Samba] Tracking down rogue workgroup

Ray Van Dolson rvandolson at esri.com
Thu Jan 21 08:58:09 MST 2010

On Thu, Jan 21, 2010 at 01:37:25AM -0800, Moray Henderson wrote:
> Ray Van Dolson wrote:
> >Hi folks.  Periodically a workgroup shows up on our network with an
> >inappropriate name.  We're trying to find the best way to track this
> >down as it's quite intermittent.
> >
> >We can obviously look for announcement messages (in broadcast packets
> >on ports 138/139), but this must be done on each subnet and we have
> >enough subnets that this would be rather tedious and at best, a last
> >resort.
> >
> >The workgroup is available to machines in every subnet, so apparently
> >its presence is getting relayed back to the domain controllers...
> >
> >For protocol gurus: is there a particular packet we can look for on the
> >domain controllers that could help us narrow down our search to the
> >right subnet?  A message from the local master browser sending a list
> >of workgroups perhaps?
> >
> >Or a message updating WINS entries?
> >
> >Any suggestions would be appreciated!
> >
> >Thanks,
> >Ray
> Have cron execute a short script every few minutes looking for the
> workgroup, and emailing you what it finds:
> nmblookup -M MSHOME > /tmp/workgroup.txt
> if ! grep -q failed /tmp/workgroup.txt; then
>     mail -s "Workgroup found" root < /tmp/workgroup.txt
> fi
> Vista machines tend to announce themselves as workgroups, so if you have
> anyone bringing a laptop into your network, or connecting through a VPN
> link, you can see this sort of thing.

This seems to be a decent way to tell right when the workgroup shows
up, but I don't think it helps us track down which IP address is
responsible for generating it, or even help us narrow down the subnet
it's on... (if I'm wrong, please correct me on that).

Right now we're sifting through traffic to the domain controller
looking for announcement packets including the workgroup name and,
presumably, an IP of a Local Master Browser or subnet...
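As an added example (not code from the thread or from Samba): a script that extends the cron check above by parsing the master-browser address that `nmblookup -M` returns and mapping it to a known subnet, so the alert says where to look rather than only that the workgroup exists. It assumes nmblookup prints answers as `<ip> <NAME><1d>`, the subnet inventory is a constructed placeholder, and the `-M` query is a broadcast, so it only hears a master browser on the subnet the script runs from (run it on one host per subnet, or behind a WINS query, to cover the rest).

```python
"""Locate a workgroup's master browser and the subnet it sits in (added example)."""
import ipaddress
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Constructed inventory (placeholder values): CIDR -> where that subnet lives.
SUBNETS = {
    "10.10.1.0/24": "HQ floor 1",
    "10.10.2.0/24": "HQ floor 2",
    "10.20.0.0/22": "VPN pool",
}

# Assumed answer format from nmblookup, e.g. "10.10.1.37 MSHOME<1d>".
ANSWER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+?)<([0-9a-fA-F]{2})>\s*$")


def parse_nmblookup(output: str) -> List[Tuple[str, str, str]]:
    """Return (ip, name, suffix) for each answer line; the 'querying ...' and
    'name_query failed ...' lines do not match and are skipped."""
    found = []
    for line in output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3).lower()))
    return found


def locate(ip: str, subnets=SUBNETS) -> Optional[str]:
    """Map an address to the most specific known subnet label, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, label in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def find_master_browser(workgroup: str) -> List[Tuple[str, str, str]]:
    """Broadcast a master-browser (<1d>) query for the workgroup and parse it."""
    proc = subprocess.run(["nmblookup", "-M", workgroup], capture_output=True, text=True)
    return parse_nmblookup(proc.stdout)


if __name__ == "__main__":
    wg = sys.argv[1] if len(sys.argv) > 1 else "MSHOME"
    hits = find_master_browser(wg)
    if not hits:
        print(f"{wg}: no master browser answered on this subnet")
    for ip, name, suffix in hits:
        print(f"{wg}: master browser {name}<{suffix}> at {ip} -> {locate(ip) or 'unknown subnet'}")
```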

