Ray Van Dolson wrote: >> >This seems to be a decent way to tell right when the workgroup shows >> >up, but I don't think it helps us track down which IP address is >> >responsible for generating it, or helping us narrow down the subnet its >> >on even... (if I'm wrong, please correct me on that). >> > >> >Right now we're sifting through traffic to the domain controller >> >looking for announcement packets including the workgroup name, and, >> >presumably an IP of a Local Master Browser or subnet... >> > >> >Ray >> >> It should do. The nmblookup command should return an IP address; if you >> add a -S option as well it should give you the node status: >> >> $ nmblookup -M MSHOME -S >> querying MSHOME on 66.255.255.255 >> 66.102.9.104 MSHOME<1d> >> Looking up status of 66.102.9.104 >> MEDIACENTER <00> - B <ACTIVE> >> MEDIACENTER <03> - B <ACTIVE> >> MEDIACENTER <20> - B <ACTIVE> >> ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> >> MSHOME <1d> - B <ACTIVE> >> MSHOME <1e> - <GROUP> B <ACTIVE> >> MSHOME <00> - <GROUP> B <ACTIVE> >> >> MAC Address = 00-00-00-00-00-00 > >Well, will give it a try. A tcpdump seems to indicate that when I run >the above command, my workstation is merely sending out a Name query >broadcast on my local subnet for the workgroup in question. > >Does this query (it does appear to have the recursion bit set) >propagate to other subnets via the local master browsers or DC's >(assuming my packet reaches them)? > >Just curious... > >Thanks! >Ray
I'm not sure exactly how it propagates, but if you run it on a subnet that can see the rogue workgroup you ought to get an answer. Moray. "To err is human. To purr, feline" -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
