Windows XP domain client querying for non-existent NetBIOS name

Posted on 2009-02-24
Medium Priority
Last Modified: 2012-05-06
Windows XP clients are causing unnecessary broadcast traffic by querying for a name that does not exist anymore. This problem was found when scanning network traffic with Microsoft Network Monitor 3.2.

The address is IM.xx.xx.xx (domain bits removed). This used to be a host record for a Debian Linux that had Openfire (jabber server) installed. Now this machine has been removed and Openfire is now running on Windows 2003 server that has host record EIM.xx.xx.xx (using Windows server DNS). Clients still have Spark installed and it works like a charm.

I know that Spark is not searching for old address because in network monitor software I can see netbios queries (nbtns) even if Spark is not running.

What is causing these broadcast messages? I have run "ipconfig /flushdns", "nbtstat -R" and "nbtstat -RR".
Question by:cdenter

Assisted Solution

Syedm2 earned 80 total points
ID: 23721681
Check with host files on one workstation
Check the DNS Host A record if there are residual entries.
Run ipconfig /registerdns after ipconfig /flushdns.    

Author Comment

ID: 23731461
Hosts file is unmodified. Only one line with address (loopback). ipconfig didn't help. I searched the registry for im's fqdn and did not find anything. I also searched with im's former IP address and came up with nothing. ARP table does not have anything helpful.

I did some more network monitoring and the client follows normal name resolution procedures. First it asks WINS servers (2 x Windows 2003) for that name. WINS responds with "requested name does not exist". After that the client starts to send broadcast messages. 3 messages in a row (default defined in Windows registry) and continues to do this for some time and at some point asks again from WINS servers.

Microsoft Network Monitor 3.2 cannot isolate the process that is causing this traffic. It would help a lot if I knew what program is sending these requests. Any help would be appreciated.

Accepted Solution

cdenter earned 0 total points
ID: 23814249
Problem solved. While scanning only one client machine's network traffic I started to shut down services from that machine and kept an eye on the network monitor. Broadcast messages stopped suddenly when I stopped the antivirus program's management agent service. One old firewall rule which allowed traffic to im.xx.xx.xx address was still enabled.

What made this problem a little harder to find was the fact that Microsoft Network Monitor (3.2) was not able to show any information of the process that was sending these broadcast messages.

Tools used to solve problem: Microsoft Network Monitor 3.2 and Sysinternals Process Explorer (11.33)
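
The capture-side half of the diagnosis in this thread, as an added example that is not part of the original posts: it decodes NetBIOS name service queries and reports which host keeps broadcasting for which name. It assumes packets were already exported from a capture as (source IP, UDP port 137 payload) pairs; the sample addresses and the `build_query` helper are constructed for illustration, and like the capture tool it cannot name the sending process.

```python
import struct
from collections import Counter

NB_QTYPE = 0x0020        # NB (NetBIOS general name service) question type
FLAG_RESPONSE = 0x8000   # R bit: set on responses, clear on queries
FLAG_BROADCAST = 0x0010  # B bit in NM_FLAGS: packet was sent as a broadcast

def encode_nb_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad to 15 chars + suffix, one letter per nibble."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"

def parse_nbns_query(payload):
    """Return {'name', 'suffix', 'broadcast'} for a UDP/137 name query, else None."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0x00:
        return None
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    opcode = (flags >> 11) & 0xF
    label = payload[13:45]
    if flags & FLAG_RESPONSE or opcode != 0 or qdcount != 1:
        return None
    if any(not 0x41 <= b <= 0x50 for b in label):   # malformed encoding
        return None
    if struct.unpack("!H", payload[46:48])[0] != NB_QTYPE:
        return None
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return {"name": raw[:15].decode("ascii", "replace").rstrip(),
            "suffix": raw[15], "broadcast": bool(flags & FLAG_BROADCAST)}

def repeated_broadcast_names(packets, threshold=3):
    """packets: (src_ip, udp_payload) pairs. Count broadcast queries per (src, name)."""
    counts = Counter()
    for src, payload in packets:
        q = parse_nbns_query(payload)
        if q and q["broadcast"]:
            counts[(src, q["name"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def build_query(txid, name, broadcast):
    """Construct a sample query payload (test data only)."""
    flags = 0x0110 if broadcast else 0x0100   # RD set; B set for broadcast
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0)
            + encode_nb_name(name) + struct.pack("!2H", NB_QTYPE, 0x0001))

# Constructed sample: one unicast (WINS) query, then three broadcasts for "IM".
SAMPLE = ([("192.0.2.10", build_query(1, "IM", False))]
          + [("192.0.2.10", build_query(2, "IM", True))] * 3
          + [("192.0.2.11", build_query(9, "EIM", True))])

if __name__ == "__main__":
    for (src, name), n in repeated_broadcast_names(SAMPLE).items():
        print(f"{src} broadcast {n} queries for {name!r}")
```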


Question has a verified solution.
