NetBios - References to OLD computers/Servers in Wireshark?

[burgemaster]

Hi All,

We recently had major network slowdowns on our network.
While trying to find the cause I started using WireShark to analyse the traffic.

I found that our workstations are Querying old servers that in some cases were on the old domain?

in wireshark I get repeatadly when a user logs in:

SOURCE-IP TRAGET-IP NBNS Name Query NB HUMPHREY<20>

HUMPHREY was our old PDC before the network was rebuilt a few years back, and CMIS-NEW was the new facility server that was only names CMIS-NEW for a few days until the old CMIS server was decomissioned?

One of our servers also used to be called CMIS-NEW before it was renamed to FACILITY.

I am now getting from that server:

SOURCE-IP: FACILITY TRAGET-IP NBNS Name Query NB CMIS-NEW<20>

Also workstations randomly cause:
SOURCE-IP TRAGET-IP NBNS Name Query NB WPAD<00>

I original thought it was a script referencing the old servers but I cant find anything anywhere.
Nothing in GP also as ive moved it into the Computers OU where no GPs are called.
Theres also nothing in DNS

Can anyone please shed any light?

PS. domain admin does not cause these references.

[AIT]

Hi All,

We recently had major network slowdowns on our network.
While trying to find the cause I started using WireShark to analyse the traffic.

I found that our workstations are Querying old servers that in some cases were on the old domain?

in wireshark I get repeatadly when a user logs in:

SOURCE-IP TRAGET-IP NBNS Name Query NB HUMPHREY<20>

HUMPHREY was our old PDC before the network was rebuilt a few years back, and CMIS-NEW was the new facility server that was only names CMIS-NEW for a few days until the old CMIS server was decomissioned?

One of our servers also used to be called CMIS-NEW before it was renamed to FACILITY.

I am now getting from that server:

SOURCE-IP: FACILITY TRAGET-IP NBNS Name Query NB CMIS-NEW<20>

Also workstations randomly cause:
SOURCE-IP TRAGET-IP NBNS Name Query NB WPAD<00>

I original thought it was a script referencing the old servers but I cant find anything anywhere.
Nothing in GP also as ive moved it into the Computers OU where no GPs are called.
Theres also nothing in DNS

Can anyone please shed any light?

PS. domain admin does not cause these references.

I currently have exactly the same problem same wireshark results.. more specificaly the workstations are looking for the old print server (only server we have changed) p.s. workstations have been re imaged since the change so should have no refrence to the old servers name.

i would greatly apreciate a solutions..

in somecase looks like a network storm. But rather just a mass broadcast for the old server.

i have been through everything group policies dns records nothing.

p.s. happens on new windows 7 machines and xp machines.

[AIT]

Did you make any changes that you noticed suddenly cause this effect.

I am trying to find any correlation between yours and mine. As they are so similar.

P.s. I would love to find a solutions as its beginning to bug me now!! lol

[burgemaster]

No changes that we know of.

Our reference to HUMPHREY was the old PDC from the old network, we have had a full rebuild since then, but we did reuse some GP`s and Start Menu`s etc.

We are considering completely disabling netBIOS.

I think it can be done in DCHP with a simple checkbox.

Does anyone if the also needs to be a setting changed on the workstations? or does making the change on the DCHP override the workstation settings?

OR do all workstations have to also be set to:
USE NETBIOS SETTINGS FROM THE DHCP SERVER

If i remember you cant change these settings via Group Policy either

[AIT]

i have just check our workstations and there actually set to use netbios settings from the dhcp server. so i have set netbios over tcp to be off and we shall see what happens.

[burgemaster]

How did it go today?

We also turned off NetBIOS. Everything seems good. All shares and folders appear to be working.

Have you turned off NetBIOS on your servers? DCs ?

I now have to go around any machines with Static IPs and turn them it off manually on them.

In wireshard there are no longer any floods of NBNS traffic, whether this will help our network speed I can only hope !!!

[AIT]

How did it go today?

We also turned off NetBIOS. Everything seems good. All shares and folders appear to be working.

Have you turned off NetBIOS on your servers? DCs ?

I now have to go around any machines with Static IPs and turn them it off manually on them.

In wireshard there are no longer any floods of NBNS traffic, whether this will help our network speed I can only hope !!!

Nothings stopped working....

turning netbios off on the servers today. / static ip machines.

havent done a wireshark yet. but seems a little better.

i would like to just say we didnt notice a slow down in traffic..

[burgemaster]

good stuff. Glad all is ok.

Not sure if your bursar`s use FMS, but apparently that software uses NetBios still (but can be configured to us TCP/IP)

NEXT onto "Multicast Filtering" !!

Do you have this turn off on all your switches?

I dont think we have any software that uses this protocol
Apparently Ghost and some network Cameras still use multicasting.

Would love to hear what other networks have got enabled / disbaled?

The less unwanted traffic/protocols travelling around the network surely is a good thing?

Or are we making a un-noticable miniscule difference to traffic?

[AIT]

good stuff. Glad all is ok.

Not sure if your bursar`s use FMS, but apparently that software uses NetBios still (but can be configured to us TCP/IP)

NEXT onto "Multicast Filtering" !!

Do you have this turn off on all your switches?

I dont think we have any software that uses this protocol
Apparently Ghost and some network Cameras still use multicasting.

Would love to hear what other networks have got enabled / disbaled?

The less unwanted traffic/protocols travelling around the network surely is a good thing?

Or are we making a un-noticable miniscule difference to traffic?

i have multicast filtering to block on main uplinks.

[ricki]

Hi

I know this will sound a silly idea but have you checked the settings in dhcp. If a machine is referenced in here say as a time, dns server it will have machines looking for machines that dont exist.

Also have a look in dns on the replication if other dns and domain controllers are trying to replicate with machines that dont exist this will also cause traffic.

Richard

[AIT]

Hi

I know this will sound a silly idea but have you checked the settings in dhcp. If a machine is referenced in here say as a time, dns server it will have machines looking for machines that dont exist.

Also have a look in dns on the replication if other dns and domain controllers are trying to replicate with machines that dont exist this will also cause traffic.

Richard

yup checked that and nope not in dhcp or dns.

hence why we are getting netbios traffic

[Linfit]

I work on the principle that if we don't actively need it, we switch it off. It makes only a tiny difference on a properly configured infrastructure in terms of reducing the number of packets, but I just like things to be tidy; If I have a spare half hour I will look at the wireshark traces and see if there is anything that crops up that can be turned off. It also makes looking for dodgy traffic easier on Wireshark if you have all the harmless chatter removed.

The main culprits out of the box seem to be network printers; left to their own devices, they will chatter away with all sorts of out of date rubbish, like IPX, Netbios, HP's own protocols...they are always a good place to start for reducing background chatter.

Sadly, we cannot remove Netbios completly, as our VLE requires it still at the moment.

[AIT]

I work on the principle that if we don't actively need it, we switch it off. It makes only a tiny difference on a properly configured infrastructure in terms of reducing the number of packets, but I just like things to be tidy; If I have a spare half hour I will look at the wireshark traces and see if there is anything that crops up that can be turned off. It also makes looking for dodgy traffic easier on Wireshark if you have all the harmless chatter removed.

The main culprits out of the box seem to be network printers; left to their own devices, they will chatter away with all sorts of out of date rubbish, like IPX, Netbios, HP's own protocols...they are always a good place to start for reducing background chatter.

Sadly, we cannot remove Netbios completly, as our VLE requires it still at the moment.

yup i agree printers are one of the worst.

[ricki]

HI

Did this server used to deploy software like office or was it used as a print server. Office when it first starts a profile will ask to talk to the server location for files to put in the profile of the new user. Installed printers on computers will try and reconnect to the print server.

You also get programs that have to authenticate against a server to say a dongle or enterprise version of software.

When you find a machine that is broardcasting search the register for the old server name. I have then updated the keys and exported them and installed the new reg keys into machines individually or using gpo

Richard

[AIT]

HI

Did this server used to deploy software like office or was it used as a print server. Office when it first starts a profile will ask to talk to the server location for files to put in the profile of the new user. Installed printers on computers will try and reconnect to the print server.

You also get programs that have to authenticate against a server to say a dongle or enterprise version of software.

Richard

was only a print server. However all machines on the network were re imaged after that had been removed. so 100% have no record of its existence.
I have turned netbios off and has stopped the broadcast but im still interested to find the actual cause.