[Samba] Tracking down rogue workgroup
Ray Van Dolson
rvandolson at esri.com
Thu Jan 21 09:51:58 MST 2010
> >This seems to be a decent way to tell right when the workgroup shows
> >up, but I don't think it helps us track down which IP address is
> >responsible for generating it, or helping us narrow down the subnet its
> >on even... (if I'm wrong, please correct me on that).
> >Right now we're sifting through traffic to the domain controller
> >looking for announcement packets including the workgroup name, and,
> >presumably an IP of a Local Master Browser or subnet...
> It should do. The nmblookup command should return an IP address; if you
> add a -S option as well it should give you the node status:
> $ nmblookup -M MSHOME -S
> querying MSHOME on 126.96.36.199
> 188.8.131.52 MSHOME<1d>
> Looking up status of 184.108.40.206
> MEDIACENTER <00> - B <ACTIVE>
> MEDIACENTER <03> - B <ACTIVE>
> MEDIACENTER <20> - B <ACTIVE>
> ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
> MSHOME <1d> - B <ACTIVE>
> MSHOME <1e> - <GROUP> B <ACTIVE>
> MSHOME <00> - <GROUP> B <ACTIVE>
> MAC Address = 00-00-00-00-00-00
Well, will give it a try. A tcpdump seems to indicate that when I run
the above command, my workstation is merely sending out a Name query
broadcast on my local subnet for the workgroup in question.
Does this query (it does appear to have the recursion bit set)
propagate to other subnets via the local master browsers or DC's
(assuming my packet reaches them)?
More information about the samba