Solved

Trace Net Send

Posted on 2003-11-18
Last Modified: 2008-03-10
Hi

Could someone tell me how to trace a "net send"?

I'm in college and some ***** keeps sending me net sends.

I'd like to be able to (a) trace them, so I can report the sender for harassment (and possibly kick the **** out of him/her), and (b) stop them from popping up, i.e. disable them.

Any suggestions?
0
Question by:aolXFT
30 Comments
 
LVL 19

Accepted Solution

by:
Dexstar earned 300 total points
ID: 9772983
aolXFT:

> I'd like to be able to (a) trace them, so I can report the sender for
> harassment (and possibly kick the **** out of him/her), and (b) stop them from
> popping up, i.e. disable them.

I hate that stuff too.

You need to get a firewall program (ZoneAlarm is good and free [http://www.zonealarm.com/]).  It should not only block them, but tell you where they are coming from.

You could also use a packet sniffer to find out the exact contents of the message, but if you can track it down to an IP, that should get you what you want.

This might also help you do what you want:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

Hope That Helps,
Dex*
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773061
Hmm

Looks like I need a packet sniffer.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773065
any easier way?
0

 
LVL 18

Expert Comment

by:chicagoan
ID: 9773282
netstat -a
Why not turn off messenger service?
and get a firewall?
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773438
aolXFT:

To get the IP of the sender of the message, you'll need a packet sniffer.  netstat -y doesn't seem to help much.  If you just want to get rid of the messages forever, follow the directions in the link that I already posted.

Dex*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9773512
The name of the computer that sends the NetSend message is in the message itself.

You don't need a sniffer if the computer is in the same domain as you; just tracert the computer name and it will resolve to the IP.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773531
Except Spammers have figured out how to exploit this service, so nowadays, 99 times out of 100, the sender is going to be off your local network, and you'll need a sniffer to find out their IP.

D*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9773569
Doesn't sound like that's the case here. Says he's in college, probably some kid playing around on the network.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9773812
I think it is just some 'kid' playing around on the network, mostly trying to embarrass their friends. It just so happens that I find their games with each other extremely annoying when I'm trying to do stuff. This isn't spam sent to me by external users.

The messages are sent to "Workgroup", and the from is usually set to God, or a space.

If I had the IP Address, or name, or the computer I would be able to find them easily. What I don't have is admin access to the machine, or the rights to install software. If a packet sniffer was the only solution it would have to be a small one, that didn't need to be installed, i.e. run straight from the downloaded executable (bit like PuTTY).
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9773969
Well, without admin rights, you're out of luck.  You can't sniff packets at the TCP/IP level.  It requires a device driver to be installed.

If this is a computer in a lab, class, or library, then you need to ask an admin to disable the Messenger service (as outlined in the link I sent in my original response).

Dex*
0
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 150 total points
ID: 9775746
What you could do is run a honeypot to catch the naughty one.
A honeypot sets up a listening port that captures the incoming IP addresses.

First disable the NETBIOS so you can use the ports.
For NET SEND you will need to listen on port 139 (or 445 for win2k).

This link has many honeypots to try - free to use - nothing to install :)
http://www.astalavista.com/tools/intrusiondetection/misc/
0
 
LVL 7

Assisted Solution

by:Robing66066
Robing66066 earned 150 total points
ID: 9775753
You might be able to tell by checking your arp table.  (I tried this and it seems to work.)

Next time you get messaged, open a DOS prompt and issue the command:

arp -a

That will list all the entries in your arp table, including the entry for the person who is annoying you.

If you are on a closed network, there shouldn't be too many entries in the list.  You should be able to do an nslookup on each entry to find out what each device is, or call your help desk with the list of addresses and determine who did it.  It's certainly not as positive an ID as a sniffer would be, but it's cheap and easy.

Good luck!
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9775764
(The arp entries you are looking for are IP addresses, not the physical address...)
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9781641
Robing:

That will work IF the message is coming from someone on the same subnet.  If it has to cross a gateway or a router, then the arp entry will only show the gateway or router.

Dex*
0
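The ARP check from Robing66066's answer combined with Dexstar's same-subnet caveat, as an added example that is not part of any poster's comment: it diffs two `arp -a` snapshots (before and just after a popup) and keeps only new entries that the subnet mask says are reached directly. The sample output, addresses and function names are constructed for illustration; the 255.255.0.0 mask is the one aolXFT mentions.

```python
import ipaddress
import re

# Constructed `arp -a` output (Windows layout); every address is made up.
BEFORE = """\
Interface: 10.20.5.17 --- 0x2
  Internet Address      Physical Address      Type
  10.20.0.1             00-0c-29-aa-bb-01     dynamic
  10.20.5.40            00-0c-29-aa-bb-40     dynamic
"""
# Second snapshot, taken right after a popup appeared (also constructed).
AFTER = BEFORE + "  10.20.9.88            00-0c-29-aa-bb-88     dynamic\n"

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+\w+",
    re.M)

def parse_arp(text):
    """Map IP -> MAC for each table row; header lines do not match."""
    return {ip: mac.lower() for ip, mac in ROW.findall(text)}

def new_neighbours(before, after):
    """Entries present only in the later snapshot."""
    old = parse_arp(before)
    return {ip: mac for ip, mac in parse_arp(after).items() if ip not in old}

def same_subnet(my_ip, netmask, other_ip):
    """True if other_ip is reached directly, so ARP holds its own entry."""
    net = ipaddress.ip_network(f"{my_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(other_ip) in net

def candidates(before, after, my_ip, netmask, gateway):
    """New on-subnet hosts, excluding the gateway (which stands in for
    every off-subnet sender and so identifies nobody)."""
    return sorted(ip for ip in new_neighbours(before, after)
                  if ip != gateway and same_subnet(my_ip, netmask, ip))

if __name__ == "__main__":
    print(candidates(BEFORE, AFTER, "10.20.5.17", "255.255.0.0", "10.20.0.1"))
```

A new entry only shows that the machine exchanged traffic with yours around that time, which is why the answer above calls it less positive than a sniffer. ARP entries also age out of the cache, so the second snapshot has to be taken immediately after the popup.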
 
LVL 6

Author Comment

by:aolXFT
ID: 9781862
Robing/Dexstar

I think they may be on the same subnet as me. I don't know too much about networks/subnets, but I believe everyone in the college uses the same subnet mask of 255.255.0.0, although I'm not too sure about this.

I just have to wait for a net send to come now. They aren't coming as much as they were yesterday.

I'll test Robing's solution, and if it works I'll knock up the points, and accept Robing's solution as an answer, and a few other helpful comments as assisting. If not, well, we'll see.
0
 
LVL 3

Assisted Solution

by:cincin77
cincin77 earned 60 total points
ID: 9787686
check for the remote machine's name in the message.
then do a:
nbtstat -a machine_name

you can see the name of the user logged on on that machine.
0
 
LVL 3

Expert Comment

by:ManuelGuerra
ID: 9800661
aolXFT,
If the sender can hide his/her name, maybe he can also hide his IP, and only a good sniffer can help you. If you only want to stop those messages, then set the Messenger service to manual, but you won't receive any more messages from anyone, neither from "good" people nor from "bad" people.

MG
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9805830
"good" people don't send me net sends, so I don't think there is any problem with turning them off.

How do I set the messenger to manual?
0
 
LVL 9

Assisted Solution

by:TooKoolKris
TooKoolKris earned 60 total points
ID: 9806833
Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9806884
>"good" people don't send me net sends, so I don't think there is any problem with turning them off.
pretty standard to turn it off - just go into services and disable it.
or block it at the border if you have network apps using it for alerts
0
 
LVL 2

Expert Comment

by:xybx
ID: 9814401
Hey,

Install a firewall like Tiny, and set it to alert you on incoming connections. You will get the IP of the connecting computer.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9819231
aolXFT:

The link I posted in my very first response has detailed instructions on disabling or setting the service to be manual:  http://www.itc.virginia.edu/desktop/docs/messagepopup/

Enjoy,
Dex*
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9819891
No need for a link,

Right click on My Computer - Manage then expand Services & Applications then click on Services. Scroll through that list until you find Messenger. Double click on Messenger and change the startup type to manual.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9821679
My privileges don't allow me to disable the messenger service, or install firewalls, or tracers, or anything like that.

It looks like there is no answer to my original question that I can use with my privilege level. I have found certain answers to be very enlightening, and educational.

I think it is time to close the question by accepting the most helpful comments.
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9821756
Increasing points to 240 and awarding as follows:

For providing the most educational information, as well as the most possible solutions
Dex: 100

For providing educational possible solutions.
Robing: 50
juliancrawford: 50

For providing useful/helpful information
TooKoolKris: 20
CinCin77: 20

I believe the above is allowed under EE rules. I'll award as outlined above, if nobody makes an objection in the meantime based on the EE rules.

In other words, I think the above is okay, but I'm not sure, so I want to wait to make sure before I award.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9821796
Looks good to me...

D*
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9825939
Sounds fine with me, but most importantly, did you catch the bugger?
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9826004
I haven't had any since, so no I didn't catch him, but at least I've learnt a lot of useful and helpful information from the answers to this question.

I know where to look however next time someone does start annoying me.

Thanks.
0
 
LVL 13

Expert Comment

by:WillHudson
ID: 9832406
Just for future reference, you could go to command prompt and type:
net stop messenger

this will stop the messenger service :)
0
 
LVL 6

Author Comment

by:aolXFT
ID: 9832655
Thanks Will, but Access is Denied,

they apparently don't like us stopping services.
0


Question has a verified solution.
