[afnog] how to identify NetBIOS information using linux

Brian Candler B.Candler at pobox.com
Wed May 18 23:23:43 EAT 2005


On Wed, May 18, 2005 at 10:11:23AM +0200, Sergio Carrilho wrote:
> Hi all,
> I have a machine on a remote network which has  a virus flooding the link. 
> The NAT machine in that site is a linux box (the LAN accesses the
> internet via that box) under my control. I've identified the IP of the
> machine which has the virus, but I want to have access to the NetBIOS
> information of the machine so I can know exactly which machine it is
> and to whom it belongs in order to remove the virus.
> 
> So the question is: How to use the remote NAT linux box to get the
> NetBIOS information of a certain IP?

1. If you are running a DHCP server, your DHCP leases file may have this
information.

2. tcpdump -i eth0 -n -s1500 -X 'host x.x.x.x and broadcast'
or:
   tcpdump -i eth0 -n -s1500 -X 'host x.x.x.x and (udp port 137 or udp port 138 or tcp port 139)'

(where 'eth0' is your internal ethernet interface) and wait 60 seconds. Look
for its NetBIOS announcements - may not be particularly useful if it is
flooding the link with NetBIOS traffic though.

3. "ping x.x.x.x" then "arp -an" will let you find the machine's MAC
address. If the remote site has a switch, then log into that switch, and
show its forwarding table. This will then tell you which port that machine
is plugged into; follow the cable back to the machine and unplug, or just
disable the switch port. This is probably the most reliable way (and doesn't
involve NetBIOS at all), but depends on you having a switch rather than a
hub.

4. At worst, unplug machines one at a time until the traffic stops or you
cannot ping x.x.x.x

Regards,

Brian.
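A worked example for the NetBIOS part of the above, added here and not part of the original post or its author's reply: the script sends the node-status (NBSTAT) request to the suspect IP on UDP 137 (the same query the Samba tool `nmblookup -A` sends) and decodes the reply, which carries the host's NetBIOS name table and its MAC address; it also decodes the first-level encoded names in any NBNS packet, such as the name registrations a Windows host broadcasts on UDP 137 and that the tcpdump in item 2 would show. The host name INFECTEDPC, the workgroup, the IP 192.168.1.77 and the MAC in the sample packets are constructed for the example, not taken from the thread; `node_status()` is the only function that touches the network.

```python
"""NetBIOS name service (UDP/137) helpers: build an NBSTAT (node status)
query, decode the reply, and decode the encoded names in any NBNS packet.
Added example; the sample packets below are constructed, not captured."""
import socket
import struct

NBSTAT = 0x0021    # RR type: node status request/response
NB = 0x0020        # RR type: NetBIOS general name service (registrations)
CLASS_IN = 0x0001


def encode_nb_name(name, suffix=0x00):
    """First-level encoding: 15 chars padded with spaces + 1 suffix byte,
    each nibble written as 'A' + nibble, giving 32 ASCII chars.
    The NBSTAT wildcard '*' is padded with NULs, as the protocol expects."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_nb_name(enc):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_nbstat_query(txid=0x1234):
    """50-byte node status request for the wildcard name '*'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name("*") + b"\x00" + struct.pack("!HH", NBSTAT, CLASS_IN)
    return header + question


def _read_name(data, off):
    """Read a label-encoded name at off (follows a 0xC0 pointer if present);
    returns (name, suffix, offset after the name)."""
    if data[off] & 0xC0 == 0xC0:
        ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        name, suffix, _ = _read_name(data, ptr)
        return name, suffix, off + 2
    length = data[off]
    enc = data[off + 1:off + 1 + length]
    off += 1 + length
    while data[off] != 0:                 # skip scope-id labels, if any
        off += 1 + data[off]
    name, suffix = decode_nb_name(enc)
    return name, suffix, off + 1


def parse_nbns_names(data):
    """All names carried by an NBNS packet (questions and RRs) as (name, suffix).
    Enough to label the registrations/refreshes a host sends on UDP 137."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, names = 12, []
    for _ in range(qd):
        name, suffix, off = _read_name(data, off)
        names.append((name, suffix))
        off += 4                          # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        name, suffix, off = _read_name(data, off)
        names.append((name, suffix))
        _, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
    return names


def parse_nbstat_response(data):
    """Decode a node status reply: the host's name table and its 'unit ID' (MAC)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 == 0 or an < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    for _ in range(qd):                   # replies normally carry no question
        _, _, off = _read_name(data, off)
        off += 4
    _, _, off = _read_name(data, off)
    rtype, _, _, _ = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer RR is not NBSTAT")
    num, off, table = data[off], off + 1, []
    for _ in range(num):
        raw = data[off:off + 16]          # 15-char name + suffix byte
        nflags = struct.unpack("!H", data[off + 16:off + 18])[0]
        table.append({"name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": raw[15],
                      "group": bool(nflags & 0x8000),   # G bit: group vs unique name
                      "active": bool(nflags & 0x0400)}) # ACT bit
        off += 18
    mac = ":".join("%02x" % b for b in data[off:off + 6])
    return {"names": table, "mac": mac}


def node_status(ip, timeout=2.0):
    """Send the NBSTAT query to ip:137 and decode the reply (needs the host reachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_nbstat_query(), (ip, 137))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return parse_nbstat_response(data)


def build_sample_nbstat_response(txid=0x1234):
    """Constructed reply (not from a real host) to exercise parse_nbstat_response."""
    names = [(b"INFECTEDPC     ", 0x00, 0x0400),   # workstation name, unique, active
             (b"INFECTEDPC     ", 0x20, 0x0400),   # file server service
             (b"WORKGROUP      ", 0x00, 0x8400)]   # workgroup, group name
    rdata = bytes([len(names)]) + b"".join(n + bytes([sfx]) + struct.pack("!H", f)
                                           for n, sfx, f in names)
    rdata += bytes.fromhex("00a0c912ab34") + b"\x00" * 40   # unit ID (MAC) + statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = b"\x20" + encode_nb_name("*") + b"\x00" + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def build_sample_registration(txid=0x5678):
    """Constructed NBNS name registration broadcast (flags 0x2910: opcode 5, RD, B)."""
    header = struct.pack("!HHHHHH", txid, 0x2910, 1, 0, 0, 1)
    q = b"\x20" + encode_nb_name("INFECTEDPC") + b"\x00" + struct.pack("!HH", NB, CLASS_IN)
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", NB, CLASS_IN, 300000, 6)
          + struct.pack("!H", 0x0000) + socket.inet_aton("192.168.1.77"))
    return header + q + rr


if __name__ == "__main__":
    import sys
    print(parse_nbns_names(build_sample_registration()))
    print(parse_nbstat_response(build_sample_nbstat_response()))
    if len(sys.argv) > 1:                 # python3 nbstat.py x.x.x.x
        print(node_status(sys.argv[1]))
```

Run it from the NAT box with the suspect IP as the argument; a reply lists the machine's NetBIOS names (suffix <00> is the workstation name, <20> the file server service, group names are the workgroup or domain) and its MAC, which can then be matched against the switch forwarding table from item 3. A host with a personal firewall or no NetBIOS over TCP/IP will not answer, in which case the capture in item 2 is the fallback.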
