[Samba] Tracking down rogue workgroup

Moray Henderson Moray.Henderson at ict-software.org
Thu Jan 21 10:18:13 MST 2010

Ray Van Dolson wrote:
>> >This seems to be a decent way to tell right when the workgroup shows
>> >up, but I don't think it helps us track down which IP address is
>> >responsible for generating it, or helping us narrow down the subnet
>> >on even... (if I'm wrong, please correct me on that).
>> >
>> >Right now we're sifting through traffic to the domain controller
>> >looking for announcement packets including the workgroup name, and,
>> >presumably an IP of a Local Master Browser or subnet...
>> >
>> >Ray
>> It should do.  The nmblookup command should return an IP address; if
>> you add a -S option as well it should give you the node status:
>> $ nmblookup -M MSHOME -S
>> querying MSHOME on
>> MSHOME<1d>
>> Looking up status of
>>         MEDIACENTER     <00> -         B <ACTIVE>
>>         MEDIACENTER     <03> -         B <ACTIVE>
>>         MEDIACENTER     <20> -         B <ACTIVE>
>>         ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
>>         MSHOME          <1d> -         B <ACTIVE>
>>         MSHOME          <1e> - <GROUP> B <ACTIVE>
>>         MSHOME          <00> - <GROUP> B <ACTIVE>
>>         MAC Address = 00-00-00-00-00-00
>Well, will give it a try.  A tcpdump seems to indicate that when I run
>the above command, my workstation is merely sending out a Name query
>broadcast on my local subnet for the workgroup in question.
>Does this query (it does appear to have the recursion bit set)
>propagate to other subnets via the local master browsers or DC's
>(assuming my packet reaches them)?
>Just curious...

I'm not sure exactly how it propagates, but if you run it on a subnet
that can see the rogue workgroup you ought to get an answer.
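What that nmblookup run puts on the wire, as an added example (Python, not code from this thread or from Samba): it builds the RFC 1002 broadcast name query for MSHOME<1d> with the RD and B flags set (the recursion bit seen in the tcpdump) and parses the positive name query response to recover the answering host's node type and IP. The reply, the 192.0.2.x address and the transaction id are constructed here so the parser can be exercised offline.

```python
import socket
import struct

NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "H"}  # RFC 1002 owner node type (ONT)

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name plus one suffix byte,
    each byte split into nibbles mapped onto 'A'..'P' (32 chars on the wire)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def decode_netbios_name(enc: bytes):
    raw = bytes(((a - 0x41) << 4) | (b - 0x41) for a, b in zip(enc[0::2], enc[1::2]))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """Broadcast NBNS name query, as nmblookup -M sends for <workgroup><1d>.
    Flags 0x0110 = RD (recursion desired) + B (broadcast)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)  # type NB, class IN

def parse_name_query_response(data: bytes):
    """Positive response: one NB record whose RDATA holds (NB_FLAGS, IPv4) pairs.
    Returns [(name, suffix, is_group, node_type, ip)]."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or an == 0:  # not a response, or RCODE != 0
        return []
    length = data[12]
    name, suffix = decode_netbios_name(data[13:13 + length])
    off = 13 + length + 1  # skip the label and its 0x00 terminator
    _rr_type, _rr_class, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    results = []
    for i in range(off, off + rdlen, 6):
        nb_flags = struct.unpack("!H", data[i:i + 2])[0]
        is_group, ont = bool(nb_flags & 0x8000), (nb_flags >> 13) & 0x3
        results.append((name, suffix, is_group, NODE_TYPES[ont], socket.inet_ntoa(data[i + 2:i + 6])))
    return results

def build_name_query_response(query: bytes, entries) -> bytes:
    """Constructed reply of the kind a Local Master Browser sends back; used
    here only so the parser can be exercised offline (not a captured packet)."""
    txid = struct.unpack("!H", query[:2])[0]
    label = query[12:13 + query[12] + 1]  # copy the question name, length byte and terminator
    rdata = b"".join(struct.pack("!H", (g << 15) | (ont << 13)) + socket.inet_aton(ip)
                     for g, ont, ip in entries)
    rr = struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata))
    return struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0) + label + rr + rdata
```

The query is only ever broadcast on the sender's own subnet, so the answer comes back only if a browser for that workgroup is reachable from where it is run.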

