General tests

First, take a general look at the network. Then, look for suspicious patterns:

  1. Connect Wireshark to the network. Make sure the workstation running Wireshark is on the same broadcast domain as the clients that are having the problems.
  2. Configure the display filter nbns.flags.response == 0. It will give you the NBNS requests. You will see many broadcasts, as shown in the following screenshot:
Figure 15.1: NBNS packet types
  3. As you saw in the preceding screenshot, in the capture file you will see the following:
    • NBNS registration packets (1): In the examples, there are registrations with the names WORKGROUP and ETTI. The NBNS server will accept or reject the name registration by issuing a positive or negative name registration response to the requesting node. If none is received, the requesting node will assume it is OK.
    • NBNS queries (2, 3, and 4): Queries are sent for the name specified. If there is an NBNS server (this is the domain controller), you will see one of the following responses:
      • Requested name does not exist (code 3)
      • No error (code 0)
  4. Make sure there are no registrations or any other requests coming from addresses that start with 169.254 (5). These are Automatic Private IP Addressing (APIPA) addresses. An APIPA address means that the PC is configured to obtain an address automatically (by DHCP) and has not received one.
  5. There are many announcement packets as well. These are broadcast on UDP port 138. Here, you will see that every station announces its capabilities: workstation, server, print server, and so on. For example, you can see here that:
    • 172.16.100.10 is named FILE-SRV, and it functions as a workstation, server, and SQL server (1)
    • 172.16.100.204 is named GOLF, and it functions as a workstation, server, and print queue server (2)
Figure 15.2: NetBIOS service announcement
  6. Some worms and viruses use the NetBIOS name service to scan the network. Look for unusual patterns such as massive scanning, a high broadcast rate, and so on.
  7. Verify that you don't have too many broadcasts. 5 to 10 broadcasts per minute per device is reasonable. More than this usually indicates a problem.
There are hundreds of message scenarios you can see here. Use the Wireshark Expert Info, Google, and common sense to find out the problem.
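The following script is an added example, not code from the book, that automates the checks in the steps above: it parses NBNS requests (the packets the nbns.flags.response == 0 filter selects), decodes the first-level encoded NetBIOS name and its suffix byte, and then flags APIPA sources, devices exceeding 10 broadcasts per minute, and hosts querying an unusually large number of distinct names. The capture it audits is constructed inline (names, addresses and timestamps are made up), and the scan threshold of 20 distinct names is an assumption chosen for illustration; the 10-broadcasts-per-minute limit comes from the text.

```python
"""NBNS (NetBIOS Name Service, RFC 1002) request auditor.

Added example, not the book's code. Sample traffic and the SCAN_NAMES threshold
are constructed for illustration.
"""
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

APIPA = ip_network("169.254.0.0/16")          # Automatic Private IP Addressing range
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
SUFFIXES = {0x00: "workstation", 0x20: "server", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser"}
HIGH_RATE = 10     # broadcasts per minute per device above which the text calls it a problem
SCAN_NAMES = 20    # assumed: distinct names queried by one host before we call it a scan


def encode_nb_name(name, suffix):
    """First-level encoding: 15-char space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"      # length 32, encoded name, root label


def decode_nb_name(data, off):
    """Inverse of encode_nb_name; returns (name, suffix, offset after the name)."""
    if data[off] != 32:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = data[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off += 33
    while data[off]:                           # skip any scope labels
        off += data[off] + 1
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1


def build_nbns(trn_id, opcode, name, suffix=0x00, response=False, rcode=0, broadcast=True):
    """Build a minimal one-question NBNS packet (QTYPE NB=0x20, QCLASS IN=1)."""
    flags = (int(response) << 15) | (opcode << 11) | (int(broadcast) << 4) | rcode
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack("!HH", 0x0020, 1)


def parse_nbns(data):
    """Parse the header and first question; mirrors the fields Wireshark shows under nbns.flags."""
    trn_id, flags, qdcount, *_ = struct.unpack("!HHHHHH", data[:12])
    rec = {"trn_id": trn_id,
           "response": bool(flags >> 15),       # nbns.flags.response
           "opcode": OPCODES.get((flags >> 11) & 0xF, "other"),
           "broadcast": bool(flags & 0x10),     # NM_FLAGS B bit
           "rcode": flags & 0xF}                # 0 = no error, 3 = name does not exist
    if qdcount:
        rec["name"], rec["suffix"], _ = decode_nb_name(data, 12)
        rec["service"] = SUFFIXES.get(rec["suffix"], "other")
    return rec


def audit(packets):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).
    Applies the three checks from the text: APIPA sources, broadcast rate per device, name scans."""
    per_minute = defaultdict(lambda: defaultdict(int))
    names_queried = defaultdict(set)
    apipa = set()
    for ts, src, payload in packets:
        rec = parse_nbns(payload)
        if rec["response"]:                    # keep requests only (nbns.flags.response == 0)
            continue
        if ip_address(src) in APIPA:
            apipa.add(src)
        if rec["broadcast"]:
            per_minute[src][int(ts // 60)] += 1
        if rec["opcode"] == "query":
            names_queried[src].add(rec["name"])
    high_rate = {src for src, buckets in per_minute.items() if max(buckets.values()) > HIGH_RATE}
    scanners = {src for src, names in names_queried.items() if len(names) >= SCAN_NAMES}
    return {"apipa_sources": apipa, "high_rate": high_rate, "scanners": scanners}


def sample_traffic():
    """Constructed capture: a normal server, an unconfigured laptop, and a name scanner."""
    pkts = [(0.0, "172.16.100.10", build_nbns(0x8001, 5, "FILE-SRV", 0x20)),
            (1.0, "172.16.100.10", build_nbns(0x8002, 0, "GOLF", 0x20)),
            (2.0, "169.254.12.34", build_nbns(0x8003, 5, "LAPTOP-X"))]
    pkts += [(3.0 + i * 0.5, "10.0.0.99", build_nbns(0x9000 + i, 0, f"HOST-{i:03d}"))
             for i in range(30)]
    return pkts


if __name__ == "__main__":
    for key, hosts in audit(sample_traffic()).items():
        print(f"{key}: {sorted(hosts)}")
```

To run it against a real capture, feed audit() the UDP/137 payloads exported from Wireshark (for example via tshark with the frame time and ip.src fields) instead of sample_traffic(); the per-minute bucketing is what turns the book's rule of thumb into a per-device number you can sort on.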