Rogue computer on flat network

dandy34

My LAN is composed of a mixture of 2950 and 3750 switches with no VLANs active. Somebody has connected a private computer to the network and I can't find it. I've looked at the ARP logs for all of the switches as well as SHO MAC ADD and can't locate the bugger. He's broadcasting constantly and generally being a pain in the side.
Anyone know a command I can use to block his MAC? We're using DHCP so blocking the IP address does little.
 
If you know his MAC address, then from your switch issue "show mac-address-table" and it will tell you what port of the switch he is on. You should then be able to run it down from there. A show arp from the switch may not be revealing; try a show arp from your router.
There are a couple of things you can do. They will be a little time consuming, but once set up the network will be secure. Set up port security on active ports and assign the MAC address to each port, with a max of 1 per port. That way, if someone tries using a hub, the port will see two MAC addresses coming into it and, depending on the security setting you choose, will shut it down and notify you. You also need to identify those ports not in use and shut them down.
 
You could try the following and see what response you get. If you know his IP address issue the following from command prompt:
shutdown /s /m \\XXX.XXX.XXX.XXX /f /t 240 /c "Report to the IT department immediately"

Command is case sensitive. If the suspect does not have a firewall, then his PC will shut down with whatever message you want to send.
 
How do you know he is broadcasting? If he is constantly broadcasting, you could try looking at a few clients and at the DOS prompt do an arp -a and see if one particular address and MAC show up; that's probably your bad guy. Then you can trace him down through the switch MAC tables. If all else fails, you could download a free network analyzer and see who he is.
 
Thanks for the feedback. I know the computer's hostname, MAC, and IP. I just can't find him physically.
Doing an ARP MAC ADD on the switches shows his MAC has hit all of them, even moments after clearing the tables.
I'm using Ethereal to analyze him and can see that he's sending ARP requests to IP addresses all of the time. It looks like a port scan, but it's an "ARP scan."
I work in a 250,000 sq ft factory with lots of old network drops and hiding places.
I tried the remote shutdown but I can't make that work on one of MY machines.
Sam
 
He is on all of the switches because they are probably all connected. There should be one switch with that MAC address on a port all by itself. Uplink ports will show the MACs of all those passing through them. Also consider that it may not be a PC and may be a wireless access point, IP printer, or some other network device that someone has installed on your network.
 
Blocking the MAC is easy, in a twisted sense. You are DHCP, right? So set up a reservation with that MAC address and a dummy IP that won't be routed or recognized. If you really wanted to be clever, assign an IP that is configured on the router to go to null. So any of his traffic just goes to the bit bucket while you track his sorry butt down.

MikeS

Home of the book "Network Security Using Linux"
 
Thanks for the help, I think the DHCP reservation is my best bet. We have a leased router and access to it is very limited so I have to stick to other ways of kicking users.
I'll post to this if I ever find the guy.
Thanks
Sam
 
If you know the MAC address and can log into the switches, run the command:

show mac address-table | include XXXX

where XXXX is the last four digits of the MAC address.
It will tell you the specific port. Piping it to include only that MAC will save you from looking through a number of interfaces. If it takes you to another switch, just keep following the trail. This is a user-level command; no privs necessary.

This may help you find the guy. Otherwise he will just get a new NIC and get back on your network.
 
That got him. I was able to use Network Assistant in topology view to track him across the network and took immense pleasure in turning off the port. Instead of tracking him from the patch panel, I'm going to wait a little while to see if someone comes to me about it.
Thanks for all your help.

Sam
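
The tracing method described in the replies above (a MAC shows up on every switch through its uplinks, but sits alone on exactly one access port) can be scripted over saved "show mac address-table" output. This is an added example, not code from the thread; the switch names, MAC addresses and table rows are constructed sample data, and the column layout (Vlan, Mac Address, Type, Ports) is assumed.

```python
import re
from collections import defaultdict

# Constructed "show mac address-table" output from two hypothetical switches.
SAMPLE = {
    "sw-core": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi1/0/1
   1    00aa.bbcc.0001    DYNAMIC     Gi1/0/1
   1    00aa.bbcc.0002    DYNAMIC     Gi1/0/1
   1    00aa.bbcc.0003    DYNAMIC     Gi1/0/2
""",
    "sw-floor2": """\
   1    0011.2233.4455    DYNAMIC     Fa0/17
   1    00aa.bbcc.0001    DYNAMIC     Fa0/3
   1    00aa.bbcc.0002    DYNAMIC     Fa0/4
   1    00aa.bbcc.0003    DYNAMIC     Gi0/1
""",
}

# vlan, dotted MAC, entry type, port
ROW = re.compile(r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def parse_table(text):
    """Return {port: set_of_macs} for one switch; header lines are skipped."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(2)].add(m.group(1).lower())
    return ports

def locate(mac, tables):
    """All (switch, port, macs_on_port) sightings, fewest MACs on the port first."""
    mac = mac.lower()
    hits = []
    for switch, text in tables.items():
        for port, macs in parse_table(text).items():
            if mac in macs:
                hits.append((switch, port, len(macs)))
    return sorted(hits, key=lambda h: h[2])

def edge_port(mac, tables):
    """(switch, port) where the MAC is alone on its port, else None (uplink or hub)."""
    hits = locate(mac, tables)
    return hits[0][:2] if hits and hits[0][2] == 1 else None

if __name__ == "__main__":
    for switch, port, count in locate("0011.2233.4455", SAMPLE):
        print(f"{switch} {port}: {count} MAC(s) on this port")
```

A port that carries the target MAC along with others is an uplink (or a hub), so the search continues on the switch at the other end of it.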
 