[Samba] Tracking down rogue workgroup

Moray Henderson Moray.Henderson at ict-software.org
Fri Jan 22 04:18:57 MST 2010

Ray Van Dolson wrote:
>On Thu, Jan 21, 2010 at 09:18:13AM -0800, Moray Henderson wrote:
>> Ray Van Dolson wrote:
>> >> >This seems to be a decent way to tell right when the workgroup
>> >> >up, but I don't think it helps us track down which IP address is
>> >> >responsible for generating it, or helping us narrow down the
>> >> >it's on even... (if I'm wrong, please correct me on that).
>> >> >
>> >> >Right now we're sifting through traffic to the domain controller
>> >> >looking for announcement packets including the workgroup name,
>> >> >presumably an IP of a Local Master Browser or subnet...
>> >> >
>> >> >Ray
>> >>
>> >> It should do.  The nmblookup command should return an IP address; if
>> >> you add a -S option as well it should give you the node status:
>> >>
>> >> $ nmblookup -M MSHOME -S
>> >> querying MSHOME on
>> >> MSHOME<1d>
>> >> Looking up status of
>> >>         MEDIACENTER     <00> -         B <ACTIVE>
>> >>         MEDIACENTER     <03> -         B <ACTIVE>
>> >>         MEDIACENTER     <20> -         B <ACTIVE>
>> >>         ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
>> >>         MSHOME          <1d> -         B <ACTIVE>
>> >>         MSHOME          <1e> - <GROUP> B <ACTIVE>
>> >>         MSHOME          <00> - <GROUP> B <ACTIVE>
>> >>
>> >>         MAC Address = 00-00-00-00-00-00
>> >
>> >Well, will give it a try.  A tcpdump seems to indicate that when I run
>> >the above command, my workstation is merely sending out a Name query
>> >broadcast on my local subnet for the workgroup in question.
>> >
>> >Does this query (it does appear to have the recursion bit set)
>> >propagate to other subnets via the local master browsers or DC's
>> >(assuming my packet reaches them)?
>> >
>> >Just curious...
>> >
>> >Thanks!
>> >Ray
>> I'm not sure exactly how it propagates, but if you run it on a subnet
>> that can see the rogue workgroup you ought to get an answer.
>Unfortunately, Linux clients can't see it (at least not with nmblookup
>-M -- -), but Windows clients can.  The Windows clients emit a unicast
>LANMAN NetServerEnum2 request to their browse master, and the browse
>master returns a response with a list of workgroups many of which are
>not on the local subnet...
>It's not clear to me if the browse master is getting the out of subnet
>workgroups in its list from the domain browser (or domain controller,
>whatever), or elsewhere...
>Right now we're going to set up a port span on our domain controller
>and look for workgroup announcement messages or WINS updates containing
>the workgroup name from local master browsers....
>Good times :)

nmblookup can use a unicast query too, with the -U option:

    -U <unicast address>
        Do a unicast query to the specified address or host unicast
        address. This option (along with the -R option) is needed 
        to query a WINS server.

"To err is human.  To purr, feline"
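Wrapping the `nmblookup -M <workgroup> -S` step from this thread in a small script, as an added example that is not part of the original mails: it pulls the answering Local Master Browser's IP, machine name and MAC out of the reply and reports plainly when nothing on the subnet answers. It assumes Samba's nmblookup is on the path when `find_lmb` is called; the sample reply and the 192.0.2.10 address are constructed from the listing quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Samba's nmblookup is installed
# for find_lmb; the sample replies and 192.0.2.10 are constructed test data.

# Parse an "nmblookup -M WG -S" reply read from stdin.
# Prints "<ip> <hostname> <mac> <browser|no-msbrowse>" and returns 0, or
# prints "no-answer" and returns 1 when no <1d> name-query reply is present.
parse_lmb() {
    awk '
        # "192.0.2.10 MSHOME<1d>": the name-query reply carries the LMB address
        $2 ~ /<1d>$/ && $1 ~ /^[0-9.]+$/ { ip = $1 }
        # node status: the unique (non-GROUP) <00> name is the machine name
        $2 == "<00>" && $4 != "<GROUP>"  { host = $1 }
        # a __MSBROWSE__<01> group name confirms the host is a master browser
        $1 ~ /__MSBROWSE__/              { msb = 1 }
        /MAC Address/                    { mac = $NF }
        END {
            if (ip == "") { print "no-answer"; exit 1 }
            print ip, host, mac, (msb ? "browser" : "no-msbrowse")
        }'
}

# Broadcast for the LMB of workgroup $1 on the local subnet and parse the reply.
find_lmb() {
    nmblookup -M "$1" -S 2>&1 | parse_lmb
}

# Constructed sample reply mirroring the listing quoted in the thread (IP added).
SAMPLE_REPLY='querying MSHOME on 192.0.2.255
192.0.2.10 MSHOME<1d>
Looking up status of 192.0.2.10
        MEDIACENTER     <00> -         B <ACTIVE>
        MEDIACENTER     <03> -         B <ACTIVE>
        MEDIACENTER     <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MSHOME          <1d> -         B <ACTIVE>
        MSHOME          <1e> - <GROUP> B <ACTIVE>
        MSHOME          <00> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00'

# Constructed reply for the case where no host on the subnet holds the <1d> name.
SAMPLE_NOANSWER='querying MSHOME on 192.0.2.255
name_query failed to find name MSHOME#1d'
```

Run `find_lmb MSHOME` on each subnet in turn; the first subnet that returns an IP instead of `no-answer` is where the rogue master browser lives, and the MAC gives you the switch port to chase.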
