How to find mysterious network IP address 3

[dbMark]

My network is set up to use 172.16.nnn.nnn and the DHCP server assigns out addresses to a range of addresses dynamically.

For some reason one computer (Windows Me) wanted to always pick the same IP address, but there is a conflict there. I get a message that the IP address is already in use. I used IPCONFIG to release and renew, then I released it again and went to the DHCP server and deleted the entry there. Still same message.

Since I had added a 1gb NIC to the computer, I went into BIOS and turned off the built-in 100mb device. No change.

For now, I've added a "reservation" for that address so the workstation does get a different IP address. But how can I find out what is invisibly using that IP address? I can PING it, but no description is returned by TRACERT. My only guess is that someone gave a workstation a hard-coded IP address in this DHCP range, but how can I find it short of manually checking almost 100 computers? Naturally, I want to make sure it's an authorized computer...

Surely there must be some simple network scanning tool out there.Or can I narrow the location down to the connections on a particular switch?

(I also have a problem with this same computer regarding communication using WinPopUp technology where this user can send messages with a freeware program named winsent but only a few computers are accessible. It may be a question for another forum, but I mention it here in case it's related. I've done everything except reinstall Windows!)

 

[dbMark]

Oh yes, this workstation has one other problem too. It has a printer which is shared on the network. The XP Pro user has problems that he can print once or twice but later on, maybe a half hour later, can't print anymore to it without rebooting. Is something being lost over a period of time?

Thanks for any suggestions. (I give stars for solutions!)

dbMark

 

[criticalUpdate]

I would start with the built in utilities in your OS

for example ping the address then do an arp -a from the command line to get the Ethernet MAC address.

Use that address to look on one of websites that lists ethernet vendor codes and compare that to the mac address of the mysterious PC. what this should do is narrow the field for what type of Ethernet card maybe you'd get lucky and find out that it was a JetDirect or something which should be easy to locate.

Jeff

 

[GlenJohnson]

Also, try a pathping command and see where it goes.

Glen A. Johnson
"Fall seven times, stand up eight."
Proverb

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

 

[dbMark]

GlenJohnson, pathping is great but I found out it works only in the NT family. I found and used it on my Windows 2000 computers, but a NT4 server didn't have it, so I don't know if could work on an NT. CrossNodes had a nice description of it's usage.

tektipster was right, you have to ping before arp. I used the ethernet vendor codes list to identify the unit's brand maker and that clue helped me deduce that it was an IP camera installed by someone else.

 

[FestusMcShamus]

ping -a (ipaddress) should show a hostname

 

[isokocons]

Use access-list to block that ip-address, so that all its traffics will be dropped.

The person will cry out, or even report him/herself to you in form of...my computer is no longer working.

Also. 'Ping -a n.n.n.n' will return the nebios name of the computer. 'arp -a' will tell you its mac address.

Thanks.

 

[Whoheard]

Once you get the MAC, depending whether or not you have smart switches, you should be able to find the MAC address in the switch's CAM table (cisco) and have it tell you what port or other switch it is on. Most every smart switch has a MAC table.


bob

I know what I know and that's all I know. What I don't know I'll find out.

 

[cdeardor]

Referring to the pathping command, on NT4 machines, the command equivalent to pathping is tracert. Type tracert hostname. If you want to try this on unix based systems, the command is spelled fully as traceroute.

 

[AnotherITguy]

---You may also want to use the NBTSTAT command on the ip address as this may give you the name of the logged on user:

nbtstat -A ip-address

Look at the entries preceeded by <03> , this should tell you who is logged on...

---You could also try to NET SEND to the box and have the user call your extention...

---You may also be able to map to the default root share on the box \\ipaddress\c$, and see what profiles have been created...

---Another thought, you could try to use the shutdown.exe utility from the resource kit. I would try it around 9:00 am so that your sure to have someone let you know that their computer is having an issue with rebooting... =)

---Since I'm on a roll, you could do a continuous ping to the address and then unplug each network jack for a second from the patch panel. When you see a break in the responses you know where the PC or whatever is plugged in. As long as you don't leave the cable unplugged for more than a few seconds you shouldn't get too many complaints... =0 Hopefully you have your network jacks documented so that you can look this up. I suppose you could put a toner on the line and walk around and "wipe" the cables at each user's station -yes it would be time intensive, but with 100 PCs it probably wouldn't take that long. Anyway...

HTH,


Jay