Phillip Windell said:Workstation names are not in the IP packets. The IP and MAC are also
useless because Ethernet changes the MAC address with each device it passes
thhrough and Network Address Translation changes the IP#s with every NAT
device it passes through.
So, there really is no way to know the exact machine being used.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Dean said:Server is hosting web sites and so the server is on the internet and the
workstation (could be a hacker, could be a customer) is on another network,
typically on the far end of an ISP connected to their own private lan.
workstation
in
Dean said:How would you explain the way the destination host extracts the workstation
name. Here is an example: I tried to log into a web site using FrontPage and
an incorrect username/password. This will generate the Failure Audit in
Event Log. FP is sitting on my home PC connected to the internet with
RoadRunner cable. There are many hops to the server over many networks (Los
Angeles to Palo alto). Here are the log entries. Note the source address -
that is the IP address on the WAN side of my little dlink router. My PC
address is an internal private address 192.168.0.x with Computer Name
ITDEPT1. Check out the Workstation Name.
-------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/17/2004
Time: 9:43:08 AM
User: NT AUTHORITY\SYSTEM
Computer: BL15
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: frontpage
Domain: accountpro2000.com
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ITDEPT1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 24.171.145.32
Source Port: 63399
--------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/17/2004
Time: 9:43:08 AM
User: NT AUTHORITY\SYSTEM
Computer: BL15
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: frontpage
Source Workstation: ITDEPT1
Error Code: 0xC0000064
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Phillip Windell said:Workstation names are not in the IP packets. The IP and MAC are also
useless because Ethernet changes the MAC address with each device it passes
thhrough and Network Address Translation changes the IP#s with every NAT
device it passes through.
So, there really is no way to know the exact machine being used.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
ThereDean said:Server is hosting web sites and so the server is on the internet and the
workstation (could be a hacker, could be a customer) is on another network,
typically on the far end of an ISP connected to their own private lan.
Are you using DNS? What happens if you ping the name of the workstation
in
question?
It should display the ip address.
Louise Bowman
MSFT
--
This posting is provided "AS IS" with no warranties, and confers no
rights.
How can I identify the IP address of the Workstation Name listed in
Failure
Audit events in EventMon? I have installed Ethereal and NetMon.
mustbe a capture filter that will do the job. (I would prefer a filter for
Ethereal if given the choice). Or maybe there is a different way?
Dean said:How would you explain the way the destination host extracts the workstation
name.
Phillip Windell said:I didn't realize it was on a different subnet. I had to go back and look
through the previous posts. Perhaps FrontPage is including it in the
Authentication attempt,...FrontPage does use WebDAV so that may be where it
is comming from. WebDAV is encapsulated in HTTP and probably contains this
information (and more).
I was unable to find specifics on excatly what happens inside WebDAV,...all
of the articals seemed like they were written by a Sales Dept instead of
technical people.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Dean said:I don;t get it. How can it "resolve" the name when the host is on another
unrelated network, not a member of a windows domain, not in dns or wins. And
resolve from what? Where does it get the info?
Steven L Umbach said:Though computer names will not be in the routing header info [for lack of better
name] used at the network layer, they can be in the body of the packet that is sent
as in a netbios session request as would be shown via record <00> using nbtstat-n on
the requesting computer . That is probably where that info is obtained for the event
log. See the last line of paste below of one packet I pulled from Ethereal for
"calling name". I was curious myself as how exactly this occurred. --- Steve
No. Time Source Destination Protocol Info
15 3.102954 192.168.1.52 192.168.1.105 NBSS Session request,
to SERVER1-2000<20> from STEVE-XP<00>
Frame 15 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:07:95:ec:77:ca, Dst: 00:90:27:ae:0c:31
Internet Protocol, Src Addr: 192.168.1.52 (192.168.1.52), Dst Addr: 192.168.1.105
(192.168.1.105)
Transmission Control Protocol, Src Port: 2033 (2033), Dst Port: netbios-ssn (139),
Seq: 1, Ack: 1, Len: 72
NetBIOS Session Service
Message Type: Session request
Flags: 0x00
Length: 68
Called name: SERVER1-2000<20> (Server service)
Calling name: STEVE-XP<00> (Workstation/Redirector)
Phillip Windell said:I didn't realize it was on a different subnet. I had to go back and look
through the previous posts. Perhaps FrontPage is including it in the
Authentication attempt,...FrontPage does use WebDAV so that may be where it
is comming from. WebDAV is encapsulated in HTTP and probably contains this
information (and more).
I was unable to find specifics on excatly what happens inside WebDAV,...all
of the articals seemed like they were written by a Sales Dept instead of
technical people.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
wins.Dean said:I don;t get it. How can it "resolve" the name when the host is on another
unrelated network, not a member of a windows domain, not in dns or
Andresolve from what? Where does it get the info?
How would you explain the way the destination host extracts the
workstation
name.
It doesn't "extract" it. It resolves it *separately*. This probably
happens
at the time the log entry is created so that it can include the name in
the
log.
Phillip Windell said:I guess this is how "Netbios over TCP/IP" is accomplished?
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Steven L Umbach said:Though computer names will not be in the routing header info [for lack of better
name] used at the network layer, they can be in the body of the packet that is sent
as in a netbios session request as would be shown via record <00> using nbtstat-n on
the requesting computer . That is probably where that info is obtained for the event
log. See the last line of paste below of one packet I pulled from Ethereal for
"calling name". I was curious myself as how exactly this occurred. --- Steve
No. Time Source Destination Protocol Info
15 3.102954 192.168.1.52 192.168.1.105 NBSS Session request,
to SERVER1-2000<20> from STEVE-XP<00>
Frame 15 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:07:95:ec:77:ca, Dst: 00:90:27:ae:0c:31
Internet Protocol, Src Addr: 192.168.1.52 (192.168.1.52), Dst Addr: 192.168.1.105
(192.168.1.105)
Transmission Control Protocol, Src Port: 2033 (2033), Dst Port: netbios-ssn (139),
Seq: 1, Ack: 1, Len: 72
NetBIOS Session Service
Message Type: Session request
Flags: 0x00
Length: 68
Called name: SERVER1-2000<20> (Server service)
Calling name: STEVE-XP<00> (Workstation/Redirector)
Phillip Windell said:I didn't realize it was on a different subnet. I had to go back and look
through the previous posts. Perhaps FrontPage is including it in the
Authentication attempt,...FrontPage does use WebDAV so that may be where it
is comming from. WebDAV is encapsulated in HTTP and probably contains this
information (and more).
I was unable to find specifics on excatly what happens inside WebDAV,...all
of the articals seemed like they were written by a Sales Dept instead of
technical people.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
I don;t get it. How can it "resolve" the name when the host is on another
unrelated network, not a member of a windows domain, not in dns or wins.
And
resolve from what? Where does it get the info?
How would you explain the way the destination host extracts the
workstation
name.
It doesn't "extract" it. It resolves it *separately*. This probably
happens
at the time the log entry is created so that it can include the name in
the
log.
Phillip Windell said:I didn't realize it was on a different subnet. I had to go back and look
through the previous posts. Perhaps FrontPage is including it in the
Authentication attempt,...FrontPage does use WebDAV so that may be where it
is comming from. WebDAV is encapsulated in HTTP and probably contains this
information (and more).
I was unable to find specifics on excatly what happens inside WebDAV,...all
of the articals seemed like they were written by a Sales Dept instead of
technical people.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Dean said:I don;t get it. How can it "resolve" the name when the host is on another
unrelated network, not a member of a windows domain, not in dns or wins. And
resolve from what? Where does it get the info?
in
the
Steven L Umbach said:Though computer names will not be in the routing header info [for lack of better
name] used at the network layer, they can be in the body of the packet that is sent
as in a netbios session request as would be shown via record <00> using nbtstat-n on
the requesting computer . That is probably where that info is obtained for the event
log. See the last line of paste below of one packet I pulled from Ethereal for
"calling name". I was curious myself as how exactly this occurred. --- Steve
No. Time Source Destination Protocol Info
15 3.102954 192.168.1.52 192.168.1.105 NBSS Session request,
to SERVER1-2000<20> from STEVE-XP<00>
Frame 15 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:07:95:ec:77:ca, Dst: 00:90:27:ae:0c:31
Internet Protocol, Src Addr: 192.168.1.52 (192.168.1.52), Dst Addr: 192.168.1.105
(192.168.1.105)
Transmission Control Protocol, Src Port: 2033 (2033), Dst Port: netbios-ssn (139),
Seq: 1, Ack: 1, Len: 72
NetBIOS Session Service
Message Type: Session request
Flags: 0x00
Length: 68
Called name: SERVER1-2000<20> (Server service)
Calling name: STEVE-XP<00> (Workstation/Redirector)
Phillip Windell said:I didn't realize it was on a different subnet. I had to go back and look
through the previous posts. Perhaps FrontPage is including it in the
Authentication attempt,...FrontPage does use WebDAV so that may be where it
is comming from. WebDAV is encapsulated in HTTP and probably contains this
information (and more).
I was unable to find specifics on excatly what happens inside WebDAV,...all
of the articals seemed like they were written by a Sales Dept instead of
technical people.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
wins.Dean said:I don;t get it. How can it "resolve" the name when the host is on another
unrelated network, not a member of a windows domain, not in dns or
Andresolve from what? Where does it get the info?
How would you explain the way the destination host extracts the
workstation
name.
It doesn't "extract" it. It resolves it *separately*. This probably
happens
at the time the log entry is created so that it can include the name in
the
log.
Dean said:How do you get that text? I have trie Save As and export with no avail. I
have seen called/calling name in an http packet but they were NULL. In same
session http protocol section in an option ntlm negotiate packet I have
indeed seen the host name and domain name (always the same in my examples).
I wanted to post them.
Steven L Umbach said:Though computer names will not be in the routing header info [for lack of better
name] used at the network layer, they can be in the body of the packet that is sent
as in a netbios session request as would be shown via record <00> using nbtstat-n on
the requesting computer . That is probably where that info is obtained for the event
log. See the last line of paste below of one packet I pulled from Ethereal for
"calling name". I was curious myself as how exactly this occurred. --- Steve
No. Time Source Destination Protocol Info
15 3.102954 192.168.1.52 192.168.1.105 NBSS Session request,
to SERVER1-2000<20> from STEVE-XP<00>
Frame 15 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:07:95:ec:77:ca, Dst: 00:90:27:ae:0c:31
Internet Protocol, Src Addr: 192.168.1.52 (192.168.1.52), Dst Addr: 192.168.1.105
(192.168.1.105)
Transmission Control Protocol, Src Port: 2033 (2033), Dst Port: netbios-ssn (139),
Seq: 1, Ack: 1, Len: 72
NetBIOS Session Service
Message Type: Session request
Flags: 0x00
Length: 68
Called name: SERVER1-2000<20> (Server service)
Calling name: STEVE-XP<00> (Workstation/Redirector)
Phillip Windell said:I didn't realize it was on a different subnet. I had to go back and look
through the previous posts. Perhaps FrontPage is including it in the
Authentication attempt,...FrontPage does use WebDAV so that may be where it
is comming from. WebDAV is encapsulated in HTTP and probably contains this
information (and more).
I was unable to find specifics on excatly what happens inside WebDAV,...all
of the articals seemed like they were written by a Sales Dept instead of
technical people.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
I don;t get it. How can it "resolve" the name when the host is on another
unrelated network, not a member of a windows domain, not in dns or wins.
And
resolve from what? Where does it get the info?
How would you explain the way the destination host extracts the
workstation
name.
It doesn't "extract" it. It resolves it *separately*. This probably
happens
at the time the log entry is created so that it can include the name in
the
log.