I see plenty of "normal" NBNS queries, in that the host names are ones I recognize. These ones... not so much. Any ideas? Thx

613 352.118450000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB AAPFPTPQUG<00>
614 352.118462000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB JSHNNMKQEJ<00>
615 352.118741000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB SIXXNSTOSD<00>
618 352.882326000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB SIXXNSTOSD<00>
619 352.882515000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB JSHNNMKQEJ<00>
620 352.882625000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB AAPFPTPQUG<00>
621 353.646711000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB AAPFPTPQUG<00>
622 353.646889000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB JSHNNMKQEJ<00>
623 353.647000000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB SIXXNSTOSD<00>

asked 18 Jul '12, 21:51 sharkysometimes, edited 19 Jul '12, 03:15 Kurt Knochner ♦
One Answer:
This is most certainly Google Chrome. It's a feature called DNS prefetching.
See also an old question: http://ask.wireshark.org/questions/3697/odd-dns-queries-malware

TEST: I just checked again. The latest Chrome release still does that during startup.

Client: Windows XP SP2 with "Netbios over TCP" enabled.
Client: Windows XP SP2 with "Netbios over TCP" disabled -> no NBNS queries.
UPDATE: Could be malware as well. Please check Chrome first. If there is no Chrome on the computer (source IP), I suggest scanning that machine for malware.

Regards

answered 18 Jul '12, 23:58 Kurt Knochner ♦, edited 19 Jul '12, 03:30
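Added example, not code from the thread or from Wireshark: a small Python triage script that parses packet-list lines like the ones in the question, separates recognised host names from random-looking ones, and shows the second signal the thread relies on, the same group of three odd names queried together within milliseconds and then repeated. The sample lines, the addresses and the names FILESERVER and WORKGROUP are constructed; the 7-15 letter / 30% vowel rule and the 50 ms burst window are assumptions chosen for illustration, not facts from the page.

```python
import re
from collections import Counter

# Constructed sample in the shape of the packet list quoted in the question. The three
# random-looking names are the ones from the question; the rest are placeholders.
SAMPLE = """\
613 352.118450000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB AAPFPTPQUG<00>
614 352.118462000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB JSHNNMKQEJ<00>
615 352.118741000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB SIXXNSTOSD<00>
616 352.400000000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB FILESERVER<20>
618 352.882326000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB SIXXNSTOSD<00>
619 352.882515000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB JSHNNMKQEJ<00>
620 352.882625000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB AAPFPTPQUG<00>
621 353.100000000 10.0.0.5 10.0.0.255 NBNS 92 Name query NB WORKGROUP<1b>
"""

# One packet-list line; the optional arrow covers newer tshark output ("src → dst").
LINE_RE = re.compile(
    r"^\d+\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?:→\s+)?(?P<dst>\S+)\s+NBNS\s+\d+\s+"
    r"Name query NB (?P<name>[^<\s]+)<(?P<suffix>[0-9a-fA-F]{2})>$"
)

def parse(text):
    """Yield (time, src, name, suffix byte) for each NBNS name-query line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["time"]), m["src"], m["name"], int(m["suffix"], 16)

def looks_random(name, known_hosts):
    """Heuristic (an assumption, not a rule from the thread): flag a name that is not a
    recognised host, is 7-15 bare letters, and is at most 30% vowels."""
    if name.upper() in known_hosts or not re.fullmatch(r"[A-Z]{7,15}", name):
        return False
    return sum(c in "AEIOU" for c in name) / len(name) <= 0.3

def triage(text, known_hosts=frozenset(), window=0.05):
    """Return (Counter of random-looking names, Counter of bursts). A burst is the sorted
    tuple of >=3 distinct names one source queried within `window` seconds; the same
    burst recurring is the 'same odd names, over and over' pattern from the thread."""
    suspicious, bursts = Counter(), Counter()
    current, start, src = [], None, None
    for t, s, name, _suffix in parse(text):
        if looks_random(name, known_hosts):
            suspicious[name] += 1
        if start is None or s != src or t - start > window:
            if len(set(current)) >= 3:
                bursts[tuple(sorted(set(current)))] += 1
            current, start, src = [], t, s
        current.append(name)
    if len(set(current)) >= 3:
        bursts[tuple(sorted(set(current)))] += 1
    return suspicious, bursts
```

On a real capture, feed `triage()` the text of `tshark -r capture.pcap -Y nbns` and pass the host names you do recognise as `known_hosts`; a recurring burst that appears only while Chrome starts, and disappears when the browser is absent, is what the answer above describes, while the same pattern from a host without Chrome is the case where it recommends a malware scan.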
They're seeing NBNS queries, not DNS queries. Perhaps the Windows name resolver is turning whatever API Chrome is using for prefetching into NBNS queries, but this might be something else.
Chrome just asks the local resolver, and it depends on the resolver in what order it tries to resolve the names. That's configurable on Windows. If the DNS server does not answer, it may try NBNS (depends on config).
Yes, it might be something else, hence "most certainly" ;-))
I have Chrome installed, and it does appear related to Chrome, as I see it consistently every time Chrome starts up. There is an option in Chrome to turn off pre-fetching of DNS, and this does cut down the "non-garbage" NBNS queries, but the weird-looking ones remain. So for now, I'm considering this mystery solved. Thanks for the help!!
What do you mean by "the weird ones"?
"Normal" ones look like this:
613 352.118450000 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NBNS 92 Name query NB somesite.com<xx>
Weird ones look like the ones in my original post.
EDIT: "SIXXNSTOSD" = weird. :)
Ah, o.k. The weird ones are those generated by Chrome! See my samples at cloudshark.