Trace Net Send

Hi

Could someone tell me how to trace a "net send"?

I'm in college and some ***** keeps sending me net sends.

I'd like to be able to (a) trace them, so I can report the sender for harassment (and possibly kick the **** out of him/her), and (b) stop them from popping up, i.e. disable them.

Any suggestions?
aolXFTAsked:

DexstarCommented:
aolXFT:

> I'd like to be able to (a) trace them, so I can report the sender for
> harassment (and possibly kick the **** out of him/her), and (b) stop them from
> popping up, i.e. disable them.

I hate that stuff too.

You need to get a firewall program (ZoneAlarm is good and free [http://www.zonealarm.com/]).  It should not only block them, but tell you where they are coming from.

You could also use a packet sniffer to find out the exact contents of the message, but if you can track it down to an IP, that should get you what you want.

This might also help you do what you want:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

Hope That Helps,
Dex*
0

aolXFTAuthor Commented:
Hmm

Looks like I need a packet sniffer.
0
aolXFTAuthor Commented:
any easier way?
0
chicagoanCommented:
netstat -a
y not turn off messenger service?
and get a firewall?
0
DexstarCommented:
aolXFT:

To get the IP of the sender of the message, you'll need a packet sniffer.  netstat -y doesn't seem to help much.  If you just want to get rid of the messages forever, follow the directions in the link that I already posted.

Dex*
0
TooKoolKrisCommented:
The name of the computer that sends the NetSend message is in the message itself.

You don't need a sniffer if the computer is in the same domain as you; just tracert the computer name and it will resolve to the IP.
0
DexstarCommented:
Except Spammers have figured out how to exploit this service, so nowadays, 99 times out of 100, the sender is going to be off your local network, and you'll need a sniffer to find out their IP.

D*
0
TooKoolKrisCommented:
Doesn't sound like that's the case here. Says he's in college, probably some kid playing around on the network.
0
aolXFTAuthor Commented:
I think it is just some 'kid' playing around on the network, mostly trying to embarrass their friends. It just so happens that I find their games with each other extremely annoying when I'm trying to do stuff. This isn't spam sent to me by external users.

The messages are sent to "Workgroup", and the from is usually set to God, or a space.

If I had the IP address, or name, of the computer I would be able to find them easily. What I don't have is admin access to the machine, or the rights to install software. If a packet sniffer was the only solution it would have to be a small one that didn't need to be installed, i.e. run straight from the downloaded executable (a bit like PuTTY).
0
DexstarCommented:
Well, without admin rights, you're out of luck.  You can't sniff packets at the TCP/IP level.  It requires a device driver to be installed.

If this is a computer in a lab, class, or library, then you need to ask an admin to disable the Messenger service (as outlined in the link I sent in my original response).

Dex*
0
juliancrawfordCommented:
What you could do is run a honeypot to catch the naughty one.
A honeypot sets up a listening port that captures the incoming IP addresses.

First disable the NETBIOS so you can use the ports.
For NET SEND you will need to listen on port 139 (or 445 for win2k).

This link has many honeypots to try - free to use - nothing to install :)
http://www.astalavista.com/tools/intrusiondetection/misc/
0
Robing66066Commented:
You might be able to tell by checking your arp table.  (I tried this and it seems to work.)

Next time you get messaged, open a DOS prompt and issue the command:

arp -a

That will list all the entries in your arp table, including the entry for the person who is annoying you.

If you are on a closed network, there shouldn't be too many entries in the list.  You should be able to do an nslookup on each entry to find out what each device is, or call your help desk with the list of addresses and determine who did it.  It's certainly not as positive an ID as a sniffer would be, but it's cheap and easy.

Good luck!
0
Robing66066Commented:
(The arp entries you are looking for are IP addresses, not the physical address...)
0
DexstarCommented:
Robing:

That will work IF the message is coming from someone on the same subnet.  If it has to cross a gateway or a router, then the arp entry will only show the gateway or router.

Dex*
0
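Robing66066's `arp -a` check with Dexstar's same-subnet caveat applied, as an added example that is not part of any post in this thread: it compares an `arp -a` snapshot taken beforehand with one taken right after a popup and lists the new on-link entries to look up with nslookup. The sample tables, the addresses, the gateway and the before/after comparison are assumptions constructed here; 255.255.0.0 is the mask the asker mentions.

```python
import ipaddress
import re

# Constructed snapshots in the Windows `arp -a` layout (not real captures):
# BEFORE is taken ahead of time, AFTER right after a popup appears.
BEFORE = """\
Interface: 10.20.4.17 --- 0x2
  Internet Address      Physical Address      Type
  10.20.0.1             00-0a-0b-0c-0d-01     dynamic
  10.20.3.8             00-0a-0b-0c-0d-22     dynamic
"""
AFTER = BEFORE + "  10.20.7.93            00-0a-0b-0c-0d-5e     dynamic\n"

IFACE = re.compile(r"^Interface:\s+(\d+(?:\.\d+){3})")
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def parse_arp(text):
    """Return (interface_ip, {ip: (mac, entry_type)}) for one interface."""
    iface, table = None, {}
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := ROW.match(line):
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return iface, table

def new_neighbours(before, after, netmask, gateway):
    """List (ip, mac) entries that appeared between the two snapshots.

    The gateway is skipped: traffic from another subnet only ever shows
    the router's address here, so it says nothing about the sender.
    """
    iface, old = parse_arp(before)
    _, new = parse_arp(after)
    subnet = ipaddress.ip_network(f"{iface}/{netmask}", strict=False)
    hits = []
    for ip, (mac, kind) in new.items():
        if ip in old or kind != "dynamic" or ip == gateway:
            continue
        if ipaddress.ip_address(ip) in subnet:
            hits.append((ip, mac))
    return hits

if __name__ == "__main__":
    # 255.255.0.0 is the mask the asker mentions; the gateway is assumed.
    for ip, mac in new_neighbours(BEFORE, AFTER, "255.255.0.0", "10.20.0.1"):
        print(f"new on-link neighbour: {ip} ({mac}) -> try nslookup {ip}")
```

An empty result means no new on-link host was seen, which is the case Dexstar describes where the message crossed a router.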
aolXFTAuthor Commented:
Robing/Dexstar

I think they may be on the same subnet as me. I don't know too much about networks/subnets, but I believe everyone in the college uses the same subnet mask of 255.255.0.0, although I'm not too sure about this.

I just have to wait for a net send to come now. They aren't coming as much as they were yesterday.

I'll test Robing's solution, and if it works I'll knock up the points, and accept Robing's solution as an answer, and a few other helpful comments as assisting. If not, well, we'll see.
0
cincin77Commented:
check for the remote machine's name in the message.
then do a:
nbtstat -a machine_name

you can see the name of the user logged on on that machine.
0
ManuelGuerraCommented:
aolXFT,
If the sender can hide his/her name, maybe he can also hide his IP, and only a good sniffer can help you. If you only want to stop those messages, then set the Messenger service to manual, but you won't receive any more messages from anyone, neither from "good" people nor from "bad" people.

MG
0
aolXFTAuthor Commented:
"good" people don't send me net sends, so I don't think there is any problem with turning them off.

How do I set the messenger to manual?
0
TooKoolKrisCommented:
Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
chicagoanCommented:
>"good" people don't send me net sends, so I don't think there is any problem with turning them off.
pretty standard to turn it off - just go into services and disable it.
or block it at the border if you have network apps using it for alerts
0
xybxCommented:
Hey,

Install a firewall like Tiny, and set it to alert you on incoming connections. You will get the IP of the connecting computer.
0
DexstarCommented:
aolXFT:

The link I posted in my very first response has detailed instructions on disabling or setting the service to be manual:  http://www.itc.virginia.edu/desktop/docs/messagepopup/

Enjoy,
Dex*
0
TooKoolKrisCommented:
No need for a link,

Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
aolXFTAuthor Commented:
My privileges don't allow me to disable the messenger service, or install firewalls, or tracers, or anything like that.

It looks like there is no answer to my original question that I can use with my privilege level. I have found certain answers to be very enlightening, and educational.

I think it is time to close the question by accepting the most helpful comments.
0
aolXFTAuthor Commented:
Increasing points to 240 and awarding as follows:

For providing the most educational information, as well as the most possible solutions
Dex: 100

For providing educational possible solutions.
Robing: 50
juliancrawford: 50

For providing useful/helpful information
TooKoolKris: 20
CinCin77: 20

I believe the above is allowed under EE rules. I'll award as outlined above, if nobody makes an objection in the meantime based on the EE rules.

In other words, I think the above is okay, but I'm not sure, so I want to wait to make sure before I award.
0
DexstarCommented:
Looks good to me...

D*
0
Robing66066Commented:
Sounds fine with me, but most importantly, did you catch the bugger?
0
aolXFTAuthor Commented:
I haven't had any since, so no I didn't catch him, but at least I've learnt a lot of useful and helpful information from the answers to this question.

I know where to look however next time someone does start annoying me.

Thanks.
0
WillHudsonCommented:
Just for future reference, you could go to command prompt and type:
net stop messenger

this will stop the messenger service :)
0
aolXFTAuthor Commented:
Thanks Will, but Access is Denied,

they apparently don't like us stopping services.
0