Wireshark mailing list archives
WindowsXP Broadcast question
From: Tim Takata <tim.takata () gmail com>
Date: Fri, 5 Feb 2010 21:32:02 -0800
Hi, I'm new to the list and thought I'd give this question a try.

Has anyone seen an NBNS broadcast where all the nodes on a link/subnet are sending NBNS broadcasts with the following listed in Wireshark's "Info" column:

"Name query NB CN.KING.CD<00>"

All the nodes on the subnet (10.x.x.252 subnet) are sending this out as a broadcast every 1 to 5 seconds (according to Wireshark's "Time" column).

The reason for asking is that we know the network is infected with a type of botnet/zombie type of malware and were concerned about the traffic broadcasts that seem excessive, and we have been unable to ID the meaning of CN.KING.CD but have found Google hits associating the CN.KING.CD with an HTTP herder, which *was* used to download a backdoor program.

We are not the IT and the IT rep is making progress removing the malware and considers the above NetBIOS broadcasts to be normal.

Any insight or tools that we could use to trace the broadcast to an exact process on WinXP? This is a bit of a unique environment and everything we do/find is related and communicated with the IT rep.

Thanks in advance!
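Added example, not part of the original post: a sketch that decodes NBNS name queries from captured UDP/137 payloads and lists which sources repeat the same query at short intervals, the pattern described in the question. The addresses, timestamps, second host name and the helper names (`build_query`, `parse_name_query`, `repeat_queriers`) are constructed for illustration.

```python
import struct
from collections import defaultdict

def encode_nb_name(name, suffix=0x00):
    # RFC 1001 first-level encoding: pad to 15 chars, append the suffix byte,
    # then map every nibble to a letter 'A'..'P'.
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"

def build_query(txid, name):
    # Constructed sample payload: flags 0x0110 = name query, recursion desired, broadcast.
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack(">HH", 0x0020, 0x0001)

def parse_name_query(payload):
    """Return 'NAME<suffix>' for an NBNS name query payload, else None."""
    if len(payload) < 50 or payload[12] != 0x20:
        return None
    _, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount < 1:
        return None  # a response, a non-query opcode, or no question section
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return "%s<%02x>" % (raw[:15].decode("ascii", "replace").rstrip(), raw[15])

def repeat_queriers(packets, min_count=3, max_gap=5.0):
    """packets: (timestamp, src_ip, udp_payload) tuples. Return {(src, name): count}
    for sources repeating one name query with every gap <= max_gap seconds."""
    seen = defaultdict(list)
    for ts, src, payload in packets:
        name = parse_name_query(payload)
        if name:
            seen[(src, name)].append(ts)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and gaps and max(gaps) <= max_gap:
            flagged[key] = len(times)
    return flagged

# Constructed capture: one host repeating the query every few seconds, one quiet host.
SAMPLE = [(0.0, "10.0.0.11", build_query(1, "CN.KING.CD")),
          (2.0, "10.0.0.11", build_query(2, "CN.KING.CD")),
          (4.5, "10.0.0.11", build_query(3, "CN.KING.CD")),
          (1.0, "10.0.0.12", build_query(9, "FILESRV01")),
          (60.0, "10.0.0.12", build_query(10, "FILESRV01"))]

if __name__ == "__main__":
    print(repeat_queriers(SAMPLE))
```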