Re: Unknown workgroup in Microsoft Windows Network

From: Tony Gordon
Date: 11/14/02


    From: "Tony Gordon" <>
    Date: Thu, 14 Nov 2002 15:49:54 -0600

    If all previous ideas do not work, try running NetMon or any other
    "sniffer" on the Domain master browser. It will receive a browser
    announce frame sooner or later. The frame will tell you which browser
    supplied the name. Doing string searches in a large trace could be an
    issue. Some sniffers are better at it than others. Then follow the
    browser chain until you find the one that is on the same subnet as the
    "offender". That will give the IP address of the system that sent the
    browser announce frame.

    Somewhat painful process, so use it as a last resort. I had to use it
    when nothing else worked.

    Thank you, Tony.
    Tony Gordon, Windows 2000 MCSE
    Windows Server Infrastructure
    Phone: 847.295.5000 x14534
    Fax: 847.295.8877
    Hewitt Associates
    11/12/2002 03:13 PM

            Subject: Unknown workgroup in Microsoft Windows Network

    Recently a new workgroup name appeared in our organization's "Network
    Neighborhood > Microsoft Windows Network". The workgroup or domain is
    called "Gotcha." Not a particularly pleasing name for a workgroup.

    Having verified that no staff members have plugged in new hardware
    and verifying that there are no unauthorized logins to our wireless
    I'm somewhat at a loss to explain this. I found information on an SMB hack
    that, as a side effect, causes a rogue workgroup to show up in Network
    Neighborhood in order to sniff cleartext passwords from Windows 95
    but our firewall blocks ports 137 and 139, and there's nothing unusual in
    firewall logs.

    My question is this--what's the best way to track down an IP address
    associated with a domain or workgroup listing in Network Neighborhood. Is
    possible? This would at least give me an idea of where on the physical
    this is coming from. Does anyone have recommendations on tracing this

    Thank you,
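
The sniffer step described in the reply above, as an added example that is not part of the original messages: it parses Browser-protocol announcement payloads and reports which source address announced a given workgroup and which master browser it named. It assumes the sniffer has already exported each `\MAILSLOT\BROWSE` payload (NetBIOS datagram service, UDP 138) with its source IP; the function names, sample addresses and host names are constructed for illustration.

```python
import struct

# Browser opcodes whose frames start with the common 28-byte announcement header.
OPCODES = {0x01: "HostAnnouncement", 0x0C: "DomainAnnouncement",
           0x0F: "LocalMasterAnnouncement"}
HEADER = "<BBI16sBBI"   # opcode, update count, periodicity (ms), name, OS major/minor, server type

def _cstr(raw):
    """Decode a NUL-terminated (and NUL-padded) name field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace").rstrip()

def parse_announcement(payload):
    """Parse one \\MAILSLOT\\BROWSE payload; return a dict, or None if not an announcement."""
    if len(payload) < 32 or payload[0] not in OPCODES:
        return None
    opcode, _cnt, period_ms, name, _maj, _min, _stype = struct.unpack_from(HEADER, payload, 0)
    rec = {"type": OPCODES[opcode], "name": _cstr(name), "period_s": period_ms // 1000}
    if opcode == 0x0C:
        # DomainAnnouncement: after 4 more bytes, the workgroup's master browser name.
        rec["master"] = _cstr(payload[32:])
    return rec

def find_announcers(frames, workgroup):
    """frames: iterable of (src_ip, payload). Return [(src_ip, master_browser)] for workgroup."""
    hits = []
    for src_ip, payload in frames:
        rec = parse_announcement(payload)
        if (rec and rec["type"] == "DomainAnnouncement"
                and rec["name"].upper() == workgroup.upper()):
            hits.append((src_ip, rec["master"]))
    return hits

def _build(opcode, name, tail):
    """Build a constructed sample payload (12-minute periodicity, fixed OS/type fields)."""
    head = struct.pack(HEADER, opcode, 0, 720000, name.encode(), 5, 0, 0x1003)
    return head + b"\x0f\x01\x55\xaa" + tail.encode() + b"\x00"

# Constructed sample capture: documentation-range IPs, made-up host names.
SAMPLE = [
    ("192.0.2.10", _build(0x01, "FILESRV1", "file server")),
    ("192.0.2.20", _build(0x0C, "CORP", "DC01")),
    ("192.0.2.77", _build(0x0C, "GOTCHA", "LAPTOP-X")),
]

if __name__ == "__main__":
    for ip, master in find_announcers(SAMPLE, "Gotcha"):
        print(f"workgroup announced from {ip}, master browser {master}")
```

The source address of a matching frame is the next hop in the browser chain; repeating the capture on that system's subnet narrows the search to the machine that originated the name.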