
In a recent capture, I noticed that all NetBIOS machines on the network behaved as expected with NBNS registration broadcast packets in an environment without a WINS server (i.e. they all periodically asserted their name and workgroup). The process was identical except for one IP, which frequently sent an NBNS registration with a name and workgroup that mimicked one of the other machines on the network, cycling through all of the other machine names in an irregular fashion. So is this machine a NetBIOS-over-TCP/IP attack vector, or am I just making things up?

asked 20 Jan '16, 10:05


msumbufu

To me it sounds like an infected machine, yes, at least if the capture confirms that these packets systematically come from the same IP and MAC address.

Another explanation could be some weird routing loop involving a NAT, causing the original packets from their legal sources to be forwarded back to the same LAN from which they came with NATed source IP.

So what is the intended role of the machine behaving this way? Is it meant to be an ordinary workstation, or is it intentionally meant to do something more sophisticated?

(21 Jan '16, 05:04) sindy
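The two checks raised in this thread, the poster's observation that one sender re-registers names belonging to other hosts, and sindy's suggestion to confirm that the packets consistently come from one MAC/IP pair rather than being NATed copies of the real hosts' packets, can be run mechanically over the UDP/137 frames of a capture. The script below is an added example written for this page; it is not part of the thread or of Wireshark, and does not use any pcap library. It builds and parses NBNS NAME REGISTRATION REQUESTs (RFC 1002 layout) in pure Python, so the sample traffic in SAMPLE_FRAMES is constructed inline: the hostnames, MACs and IPs are invented. Beyond the poster's case it also checks the NB_ADDRESS field carried inside each registration against the IP-header source: a sender whose registrations carry its own IP but other hosts' names looks like a host spoofing names, while registrations whose NB_ADDRESS differs from the source IP are what forwarded or NATed copies of legitimate packets would look like.

```python
import struct
from collections import defaultdict

# NBNS opcodes (RFC 1002): 5 = registration, 8 = refresh (some stacks use 9)
REGISTRATION_OPCODES = {5, 8, 9}
NB_TYPE = 0x0020  # NetBIOS general name service RR type


def encode_nb_name(name, suffix=0x00):
    """First-level encode a 15-char NetBIOS name plus 1-byte suffix into the 32-char label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"  # no scope ID


def decode_nb_name(data, pos):
    """Decode a first-level encoded name at data[pos]; return (name, suffix, next_pos)."""
    if data[pos] != 32:
        raise ValueError("not a first-level encoded NetBIOS name")
    label = data[pos + 1:pos + 33]
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    pos += 33
    while data[pos]:  # skip any scope-ID labels
        pos += 1 + data[pos]
    return raw[:15].decode("ascii").rstrip(), raw[15], pos + 1


def build_registration(name, ip, trn_id=0x1234, suffix=0x00):
    """B-node NAME REGISTRATION REQUEST (flags 0x2910: opcode 5, RD, B) as a UDP payload."""
    hdr = struct.pack("!HHHHHH", trn_id, 0x2910, 1, 0, 0, 1)
    question = encode_nb_name(name, suffix) + struct.pack("!HH", NB_TYPE, 1)
    nb_address = bytes(int(o) for o in ip.split("."))
    additional = (b"\xC0\x0C"  # compressed pointer to the question name at offset 12
                  + struct.pack("!HHIH", NB_TYPE, 1, 300000, 6)
                  + struct.pack("!H", 0x0000) + nb_address)  # NB_FLAGS: B-node, unique name
    return hdr + question + additional


def parse_nbns(payload):
    """Extract opcode, name, suffix and NB_ADDRESS (if an additional record is present)."""
    _tid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    name, suffix, pos = decode_nb_name(payload, 12)
    pos += 4  # QTYPE, QCLASS
    nb_address = None
    if arcount:
        if payload[pos] & 0xC0 == 0xC0:
            pos += 2  # compressed RR_NAME
        else:
            _, _, pos = decode_nb_name(payload, pos)
        rr_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        pos += 10
        if rr_type == NB_TYPE and rdlen >= 6:  # RDATA = NB_FLAGS(2) + NB_ADDRESS(4)
            nb_address = ".".join(str(b) for b in payload[pos + 2:pos + 6])
    return {"opcode": (flags >> 11) & 0x0F, "name": name, "suffix": suffix, "nb_address": nb_address}


def analyse_registrations(frames):
    """frames: iterable of (src_mac, src_ip, udp_payload) taken from UDP/137 traffic.
    Returns (contested, per_sender): names claimed by more than one (mac, ip) pair, and for
    each sender how many of its names are contested and how often NB_ADDRESS != ip.src."""
    claimants = defaultdict(set)  # "NAME<suffix>" -> {(mac, ip)}
    claimed = defaultdict(set)    # (mac, ip) -> {"NAME<suffix>"}
    mismatches = defaultdict(int)
    for mac, ip, payload in frames:
        try:
            reg = parse_nbns(payload)
        except (ValueError, IndexError, struct.error):
            continue  # not a parseable NBNS packet
        if reg["opcode"] not in REGISTRATION_OPCODES:
            continue
        key = (mac.lower(), ip)
        nb_name = f"{reg['name']}<{reg['suffix']:02X}>"
        claimants[nb_name].add(key)
        claimed[key].add(nb_name)
        if reg["nb_address"] and reg["nb_address"] != ip:
            mismatches[key] += 1
    contested = {n: sorted(s) for n, s in claimants.items() if len(s) > 1}
    per_sender = {key: {"names": sorted(names),
                        "contested": sum(1 for n in names if n in contested),
                        "nb_address_mismatch": mismatches[key]}
                  for key, names in claimed.items()}
    return contested, per_sender


# Constructed sample (not the poster's capture): three ordinary hosts, one sender
# (192.168.1.50) re-registering their names from its own MAC, and one NAT-style copy
# of PC-ALICE's registration whose NB_ADDRESS no longer matches the IP-header source.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:01", "192.168.1.10", build_registration("PC-ALICE", "192.168.1.10")),
    ("00:11:22:33:44:02", "192.168.1.11", build_registration("PC-BOB", "192.168.1.11")),
    ("00:11:22:33:44:03", "192.168.1.12", build_registration("FILESRV", "192.168.1.12", suffix=0x20)),
    ("00:11:22:33:44:50", "192.168.1.50", build_registration("PC-ALICE", "192.168.1.50")),
    ("00:11:22:33:44:50", "192.168.1.50", build_registration("FILESRV", "192.168.1.50", suffix=0x20)),
    ("00:11:22:33:44:50", "192.168.1.50", build_registration("PC-BOB", "192.168.1.50")),
    ("00:11:22:33:44:fe", "192.168.1.1", build_registration("PC-ALICE", "192.168.1.10")),
]

if __name__ == "__main__":
    contested, per_sender = analyse_registrations(SAMPLE_FRAMES)
    print(contested)
    for sender, info in per_sender.items():
        print(sender, info)
```

To apply this to a real capture, feed analyse_registrations with (eth.src, ip.src, UDP payload) triples read with any pcap reader; in Wireshark the registrations themselves can be isolated first with the display filter nbns.flags.opcode == 5. The sender to look at is the one whose "contested" count is high while its "nb_address_mismatch" is zero (it is asserting other hosts' names under its own address, which matches the original question); a sender whose mismatch count is high instead fits sindy's forwarded-copy explanation.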
last updated: 21 Jan '16, 05:04
