Anonymous net send

stlpnazi

I apologize for cross-posting, but I received no replies from the networking forum. I figured somebody here may be able to help me out.

A friend told me about a program that can send anonymous net send messages. I will soon be in charge of a computer conference in which high school students and teachers are all a part of a large network. We have had problems with net send messages at past conferences. Are there any sniffers or anything that may tell me the original source (preferably an IP) of a net send even if they use an anonymous sender?
 
Ethereal will record all network traffic; you can analyse, find and chastise culprits accordingly after the event...

but better than this I suggest you just disable the messenger service that allows you to send and receive messages.
 
The only problem with that is that we don't have control over all the computers on the network. Some machines are brought in by the people attending the conference, and they may have Windows 98 (as sad as it is...) or 2000 or XP with no SP2. The computers we supply weren't equipped with SP2 this past year, but next year they definitely will be. :)

Can you help me out with any specifics on how a net send will show up in Ethereal? Which protocol is it?

Thanks for your response, I was afraid nobody had any answers.
 
now here is the problem... the protocol is TCP/IP and the port is 139 (RPC) so it's pretty standard traffic you are looking for...

once I get to work I'll record some traffic for you and post what net messenger traffic looks like
 
It's really better than nothing. I'd be glad to look at a giant list of numbers if it meant I would be able to find the person. Thank you so much!

If you don't have time to get an example of the traffic, don't worry about it. I think I can probably get it. Thanks again.
 
it's actually a lot easier to follow the log than I had remembered...


but the best way to do it is to put the scanner in promiscuous mode and use the filter port 135 (that's the port messages come on)...

then you'll only receive this traffic, you'll only get IP addresses and will have to use NBTSTAT -A to get usernames...
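
The capture-review step described in the replies above, as an added example that is not part of any post in the thread: a Python sketch that reads a saved capture and tallies which source IP (and Ethernet source MAC) sent packets to the two ports the thread names, 135 and 139. It assumes a classic little-endian pcap file with Ethernet framing; the function names, addresses and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

PORTS = {135, 139}  # the two ports named in the thread

def build_frame(src_mac, src_ip, dst_ip, dport, proto=6):
    """Constructed sample frame: Ethernet + IPv4 + a minimal TCP/UDP header."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    l4 = struct.pack("!HH", 1025, dport) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4

def build_pcap(frames):
    """Wrap frames in a classic pcap file image (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def senders(pcap, ports=PORTS):
    """Count packets per (src_ip, src_mac, dst_port) for the watched ports."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] not in (6, 17) or len(pkt) < 14 + ihl + 4:
            continue  # not TCP/UDP, or truncated
        dport = struct.unpack("!H", pkt[14 + ihl + 2:14 + ihl + 4])[0]
        if dport in ports:
            src_ip = ".".join(map(str, pkt[26:30]))
            hits[(src_ip, pkt[6:12].hex(":"), dport)] += 1
    return hits

SAMPLE = build_pcap([  # constructed capture, not real traffic
    build_frame("00:11:22:33:44:55", "10.0.0.23", "10.0.0.5", 135, proto=17),
    build_frame("00:11:22:33:44:55", "10.0.0.23", "10.0.0.7", 135, proto=17),
    build_frame("00:aa:bb:cc:dd:ee", "10.0.0.40", "10.0.0.5", 80),
    build_frame("00:11:22:33:44:55", "10.0.0.23", "10.0.0.7", 139),
])

if __name__ == "__main__":
    for (ip, mac, port), n in senders(SAMPLE).most_common():
        print(f"{ip}  {mac}  -> port {port}: {n} packet(s)")
```

To use it on a real capture, pass the bytes of the saved file to `senders()` in place of `SAMPLE`.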
 