
I see plenty of "normal" NBNS queries, in that the host names are ones I recognize. These ones... not so much.

Any ideas?

Thx

====

613 352.118450000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB AAPFPTPQUG<00>
614 352.118462000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB JSHNNMKQEJ<00>
615 352.118741000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB SIXXNSTOSD<00>
618 352.882326000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB SIXXNSTOSD<00>
619 352.882515000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB JSHNNMKQEJ<00>
620 352.882625000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB AAPFPTPQUG<00>
621 353.646711000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB AAPFPTPQUG<00>
622 353.646889000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB JSHNNMKQEJ<00>
623 353.647000000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB SIXXNSTOSD<00>

asked 18 Jul '12, 21:51


sharkysometimes

edited 19 Jul '12, 03:15


Kurt Knochner ♦


This is most certainly Google Chrome. It's a feature called DNS prefetching.

https://isc.sans.edu/diary.html?storyid=10312
https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching

See also an old question: http://ask.wireshark.org/questions/3697/odd-dns-queries-malware

TEST: I just checked again. The latest Chrome release still does that during startup.

Client: Windows XP SP2 with "Netbios over TCP" enabled.

http://cloudshark.org/captures/77c5cb6a3453

Client: Windows XP SP2 with "Netbios over TCP" disabled -> no NBNS queries.

http://cloudshark.org/captures/0c48d0b6ad01

UPDATE: Could be malware as well. Please check Chrome first. If there is no Chrome on the computer (source IP), I suggest scanning that machine for malware.

Regards
Kurt


answered 18 Jul '12, 23:58


Kurt Knochner ♦

edited 19 Jul '12, 03:30
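The answer above comes down to a triage question: are the odd NBNS queries the three-name, repeated-in-rounds pattern the thread observed at Chrome startup, or something that deserves a malware scan? The script below is an added example, not code from the thread or from Wireshark: it parses tshark-style packet summary lines like the ones in the question (sample lines are constructed, with placeholder addresses), picks out queries whose name is ten uppercase letters with the `<00>` suffix, and reports per source host whether the pattern matches what the thread describes. The "chrome_like" flag is a heuristic built from that observation, not a vendor fingerprint; a host that trips it but has no Chrome installed is exactly the case the answer says to scan.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tshark summary layout used in the question:
# frame, time, src, dst, protocol, length, info. Addresses are placeholders,
# and one ordinary query (FILESERVER01<20>) is mixed in for contrast.
SAMPLE = """\
613 352.118450000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB AAPFPTPQUG<00>
614 352.118462000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB JSHNNMKQEJ<00>
615 352.118741000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB SIXXNSTOSD<00>
616 352.200000000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB FILESERVER01<20>
618 352.882326000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB SIXXNSTOSD<00>
619 352.882515000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB JSHNNMKQEJ<00>
620 352.882625000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB AAPFPTPQUG<00>
621 353.646711000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB AAPFPTPQUG<00>
622 353.646889000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB JSHNNMKQEJ<00>
623 353.647000000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB SIXXNSTOSD<00>
"""

# One NBNS name-query summary line; the suffix is the hex NetBIOS service byte.
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+NBNS\s+\d+\s+"
    r"Name query NB (?P<name>[^<\s]+)<(?P<suffix>[0-9a-fA-F]{2})>"
)

# The "weird" names in the thread are exactly ten uppercase letters.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{10}$")


def parse(text):
    """Return a list of dicts (frame, time, src, dst, name, suffix) for NBNS queries."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["frame"] = int(d["frame"])
            d["time"] = float(d["time"])
            out.append(d)
    return out


def looks_random(name):
    """True for the ten-letter names the thread calls 'weird'."""
    return bool(RANDOM_NAME_RE.match(name))


def triage(text):
    """Per source host: count random-looking <00> queries and test the thread's pattern.

    chrome_like is a heuristic: exactly three distinct random names, each
    queried more than once (the startup rounds seen in the question). It is an
    assumption drawn from this thread, not a definitive identification.
    """
    per_host = defaultdict(list)
    for q in parse(text):
        per_host[q["src"]].append(q)

    report = {}
    for src, qs in per_host.items():
        rnd = [q for q in qs if looks_random(q["name"]) and q["suffix"] == "00"]
        names = Counter(q["name"] for q in rnd)
        chrome_like = len(names) == 3 and all(c >= 2 for c in names.values())
        report[src] = {
            "total": len(qs),
            "random_names": sorted(names),
            "random_queries": len(rnd),
            "chrome_like": chrome_like,
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        verdict = "pattern matches the Chrome-startup observation" if info["chrome_like"] \
            else "pattern differs; verify what is running on this host"
        print(f"{src}: {info['random_queries']}/{info['total']} random-name queries "
              f"{info['random_names']} -> {verdict}")
```

To feed real data in, export the packet list from Wireshark (File > Export Packet Dissections > As Plain Text, summary line only) or pipe `tshark -r capture.pcap -Y nbns` output into `triage()`; the parser only needs the seven summary columns shown above, so extra columns or a different time format would require adjusting `LINE_RE`.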

They're seeing NBNS queries, not DNS queries. Perhaps the Windows name resolver is turning whatever API Chrome is using for prefetching into NBNS queries, but this might be something else.

(19 Jul '12, 00:40) Guy Harris ♦♦

Chrome just asks the local resolver and it depends on the resolver in what order it tries to resolve the names. That's configurable on Windows. If the DNS server does not answer, it may try NBNS (depends on config).

Yes, it might be something else, hence "most certainly" ;-))

(19 Jul '12, 03:29) Kurt Knochner ♦

I have Chrome installed, and it does appear related to Chrome, as I see it consistently every time Chrome starts up. There is an option in Chrome to turn off pre-fetching of DNS, and this does cut down the "non-garbage" NBNS queries, but the weird-looking ones remain. So for now, I'm considering this mystery solved. Thanks for the help!!

(19 Jul '12, 05:03) sharkysometimes

> but the weird-looking ones remain.

what do you mean by "the weird ones"?

(19 Jul '12, 06:01) Kurt Knochner ♦

"Normal" ones look like this:

613 352.118450000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB somesite.com<xx>

Weird ones look like the ones in my original post.

EDIT: "SIXXNSTOSD" = weird. :)

(19 Jul '12, 10:29) sharkysometimes

Ah, o.k. The weird ones are those generated by Chrome! See my samples at cloudshark.

(19 Jul '12, 10:35) Kurt Knochner ♦
question asked: 18 Jul '12, 21:51

question was seen: 21,795 times

last updated: 19 Jul '12, 10:35