This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We have one workstation which sends out 40 LLMNR packets every 30 seconds (marked "Standard query A"). It's been checked every way possible for malware and rootkits, and I feel pretty confident that it's clean. But what gives? None of the other machines on our network broadcast anywhere near this much. Or am I obsessing over nothing?

-Roger

asked 11 Oct '12, 11:36

Shrubber

You mean LLMNR query? If so, does the workstation get a response?

(12 Oct '12, 01:42) rakki

Yes, Standard query A. The workstation being queried is online, but I haven't seen any responses. Both systems are working Windows 7 Pro workstations. There are files being shared, which works fine regardless. Thinking of turning off LLMNR completely on both workstations.

(12 Oct '12, 05:55) Shrubber

At some point I had these LLMNR 10-random-character multicasts flooding the network at a rate of 30 packets per second, all coming from one workstation.

(21 Mar '13, 03:44) Joop

Please take a look at the following question and my answer:

http://ask.wireshark.org/questions/12840/weird-nbns-queries

Those queries could well be generated by a feature of the Chrome browser. It does random name lookups for some purpose.

What do the LLMNR queries look like in your network? Are they for random names? If so, please check if Chrome is running on that system. If so, close the browser and then check if the LLMNR queries stop.

If the name queries are not random (and Chrome is not used), can you please post a sample capture of the queries somewhere (cloudshark.org)?

Regards
Kurt

answered 13 Oct '12, 01:46

Kurt Knochner ♦

Random name lookups (DNS/NBNS/LLMNR) related to Chrome can occur when using a proxy auto-config script on your network. Changing the proxy settings to disable automatic configuration is one way to test/workaround that behavior.

Chrome does random, 10-character name lookups on startup in an effort to prevent nefarious activities of some ISPs. However, if the PAC script has an error, Chrome will re-run it... repeatedly. Subsequently any name lookups in the script would be called until Chrome is shut down.

The fix is already in the first release channel. A few random lookups during the first page load are normal though. https://tools.google.com/dlpage/chromesxs

-Todd

answered 15 Nov '12, 12:51

Tenu1000
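A triage sketch for the question raised in the answers above (are the queried names random?), added here as an example and not part of the original thread: it parses LLMNR query payloads (UDP port 5355, DNS wire format) and counts, per source, names that look like the 10-character random lookups described. The 10-lowercase-letter pattern, the function names and the sample packets are assumptions constructed for illustration.

```python
import re
import struct
from collections import Counter

# Assumption (from the thread's description): a probe is one label of 10 lowercase letters.
PROBE_RE = re.compile(r"[a-z]{10}")

def llmnr_query_name(payload: bytes) -> str:
    """Return the first question name from an LLMNR (DNS wire format) UDP payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means response, not query
        raise ValueError("not a query")
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            raise ValueError("bad or truncated label")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos >= len(payload):
        raise ValueError("name not terminated")
    return ".".join(labels)

def summarize(packets):
    """packets: iterable of (source_ip, udp_payload). Returns {source_ip: Counter}."""
    out = {}
    for src, payload in packets:
        try:
            kind = "random-like" if PROBE_RE.fullmatch(llmnr_query_name(payload)) else "named"
        except ValueError:
            kind = "unparsed"
        out.setdefault(src, Counter())[kind] += 1
    return out

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build an LLMNR 'Standard query A' payload; used only for the sample data."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed sample traffic: addresses and names are made up for illustration.
SAMPLE = [("192.0.2.10", build_query(n)) for n in ("qzkfhwpmtb", "xvnrgeoalc", "fileserver01")]
SAMPLE += [("192.0.2.20", build_query("wpad")), ("192.0.2.20", b"\x00\x01")]

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, dict(counts))
```

A genuine hostname that happens to be 10 lowercase letters also matches, so treat the count as a hint and confirm by closing Chrome as suggested above.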

question asked: 11 Oct '12, 11:36

question was seen: 33,509 times

last updated: 03 Apr '14, 02:21
