Solved

Unauthorized user. Need to track him down.

Posted on 2004-10-20
Last Modified: 2010-04-17
Ok, someone just plugged into my network at work with an unauthorized computer. I have his MAC. Problem is we have 3 switches and a core switch. Which one do I log in to and what command do I give to find the switchport he is on?
Thanks. This guy has been causing havoc. How do I find him?
Thanks
0
Question by:dissolved
23 Comments
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12362508
Try this and if it's on the switch it should show you the port, you may also see the VLAN it's on.

office#sh Mac-address-table address 0004.0068.713c
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0004.0068.713c       Dynamic          1  FastEthernet0/46
office#
0
 

Author Comment

by:dissolved
ID: 12362701
Hi Dr-IP. I'm getting errors trying that. I'm doing a

Switch2ndfloor#    sh  00-0F-1F-16-D2-3A

Is that what you wanted me to do?
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12362856
On my switches I use

sh Mac-address-table address 0004.0068.713c
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 12363021
dissolved,
Get the free 30day eval of SolarWinds Engineers toolkit and use the switchport mapper...
You'll find him in seconds....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12363028
forgot the link
http://www.solarwinds.net
0
 

Author Comment

by:dissolved
ID: 12363079
Thanks lrmoore, I downloaded it. Will use it tomorrow when I return to work! Gotta catch him

Just curious Dr-IP, I'm confused.

sh mac-address-table address 0004.0068.713c

I'm assuming I put HIS mac address in the "mac-address" place you specified. What do I put for table address? Also, what significance does the 0004.0068.713c have?

Thanks
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12363135
The 0004.0068.713c is an example for the mac address; use the same command except substitute the 0004.0068.713c with the mac address you are looking for.
0
 

Author Comment

by:dissolved
ID: 12363143
10-4
 Thanks for the patience with me :)
0
 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 400 total points
ID: 12364415
Cisco likes xxxx.xxxx.xxxx notation for MAC addresses.  Some of the equipment I use can't decide whether it prefers XXXXXX:XXXXXX or XX:XX:XX:XX:XX:XX from one command to the next.

The "sh mac-address-table" command shows this switch's table of what MAC addresses are on what port.  Adding "address <blah>" will show only that address, rather than the whole table (which could be pretty large).  The answer may be a port that connects to another switch -- if so, telnet to that switch and repeat.  Eventually, you'll get to a switch where the table points to a user port.

Another technique I like is to define a dynamic VLAN and assign his MAC address to it.  If you run VTP, he can move to any other jack, and he'll still wind up quarantined.  He will either slink away, or ask you why he can't connect any more.

0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12364995
Rigging it so they can never plug in that laptop again may be a good idea, but until I found out who it was I wouldn’t do anything likely to tip them off to the fact I know what they are doing, then I’d give it to them good.

Last time I caught someone with a laptop plugged into my network screwing with things, after I had figured out who it was, I fixed their wagon really good. I hacked that laptop so good, that after a month of trying to fix it they threw it away. Fact is when you really are the master of your network, anyone that comes and plays on your home turf is wide open for a myriad of exploits.

Also there is a lesson here: secure the inside of your network just as if it was directly exposed to the internet, because often the greatest threats of all are those that come from within.
0
 

Author Comment

by:dissolved
ID: 12366161
Thanks Pengwyn. I'll keep that in mind when I attempt this command tomorrow.

Dr IP. That is great advice.  Thank you.
0
 

Author Comment

by:dissolved
ID: 12368672
the sh mac-address-table command is unrecognized. I'm trying this from the # prompt on a 2980G switch and 2948 switch. Any ideas?
Thanks
0
 

Author Comment

by:dissolved
ID: 12369870
lrmoore, I got the tool running. I put in my switch's IP address and SNMP community string, and it shows MAC addresses, interface etc. But it does not show IP. Is this normal or is this a problem with the SNMP?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12369912
Put your router's IP and snmp string in the other side.
It takes a combination of MAC address from the switch and arp entry from the router to get the complete picture..
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12370016
The closest switch I have access to right now is a WS-C2924-XL with version 12.0(5)WC5a enterprise. Maybe your IOS is older and uses a slightly different command; try “show m?” and “show ip m?”, and see if it lists a similar command.
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12370123
Since they probably are using a DHCP address, an easy way to find it is to look on the DHCP server's list of reservations, and if you have used some standard for naming your computers on the network, theirs should stand out like a sore thumb.
0
 

Author Comment

by:dissolved
ID: 12370215
Thanks guys.

lrmoore: Thanks, totally didn't use my brain on that one. Problem I have now is that we don't have access to the router. I only have access to the switches. I obtained the relevant SNMP info from the switch.
But I have no clue what the router is set up to use. I tried the same SNMP name with its IP and I got an error
" 172.25.22.1 Does not reply to SNMP quries using  HMSSro"

Is there any way to derive what SNMP name the router uses without having access to it? I guess it's possible it's not even configured with an SNMP public name (I'm still learning with the SNMP stuff btw)

Dr IP: You're right. He is in the address lease and does indeed stick out. He is offline at the moment, I'm waiting for him to come back on. The switch I am using here is a 2980G which doesn't appear to be running IOS. Maybe CatOS? The regular commands don't work on it...

Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12370590
If you don't know the snmp string of the router, you can try the SNMP Brute Force feature of SolarWinds toolkit.
Else, if you can telnet to it, you can "sho arp" and look for it manually..
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12370752
One thing you might want to do is open a command prompt on your computer and do a ping with the -t option so that when they connect again you hopefully will spot it right away.
0
 
LVL 13

Accepted Solution

by:
Dr-IP earned 800 total points
ID: 12372262
On my CAT OS switches the command is "sh cam XX-XX-XX-XX-XX-XX" the X's are for the MAC address. You can also do a "sh cam dynamic" and it will show you the ports each MAC address is being routed to.
0
 

Author Comment

by:dissolved
ID: 12372602
Ok that worked! Now we have 3 or 4 switches here. How do I figure out which one he is on?


dhsscat2980_21 (enable) sh cam 00-08-74-FF-44-9F
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-08-74-ff-44-9f             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
dhsscat2980_21 (enable)

0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12373148
Unless port 3/33 is plugged into another switch, I’d say that’s where they are.
0
 

Author Comment

by:dissolved
ID: 12373390
thanks!
0
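
Added example (not from the thread or any poster): the notation conversion and the switch-to-switch walk PennGwyn and Dr-IP describe, run over pasted "sh mac-address-table" / "sh cam" output. It parses only the two table layouts shown on this page; the uplink map, the switch name "core" and its port 2/1 are hypothetical values you would replace from your own cabling records.

```python
import re

MAC_TOKEN = re.compile(r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
                       r"|(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

def normalize_mac(text):
    """Reduce dotted, hyphenated or colon notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def fmt_mac(mac, style):
    """'ios' gives xxxx.xxxx.xxxx, anything else the hyphenated sh cam form."""
    d = normalize_mac(mac)
    n, sep = (4, ".") if style == "ios" else (2, "-")
    return sep.join(d[i:i + n] for i in range(0, 12, n))

def find_port(output, mac):
    """Return (vlan, port) for mac in pasted table output, or None if absent."""
    want = normalize_mac(mac)
    for line in output.splitlines():
        f = [x for x in line.split() if not x.startswith("[")]
        if len(f) >= 4 and MAC_TOKEN.fullmatch(f[0]):
            row_mac, vlan = f[0], f[2]    # IOS row: MAC, type, VLAN, port
        elif len(f) >= 3 and f[0].isdigit() and MAC_TOKEN.fullmatch(f[1]):
            row_mac, vlan = f[1], f[0]    # CatOS row: VLAN, MAC, port
        else:
            continue                      # prompt echo, legend or header line
        if normalize_mac(row_mac) == want:
            return vlan, f[-1]
    return None

def trace(mac, start, tables, uplinks, max_hops=8):
    """Follow mac across switches until it sits on a port that is not an uplink."""
    switch = start
    for _ in range(max_hops):             # bounded, in case the uplink map loops
        hit = find_port(tables[switch], mac)
        if hit is None:
            return None                   # entry aged out or never learned here
        if (switch, hit[1]) not in uplinks:
            return switch, hit[0], hit[1] # access port: the device is plugged in here
        switch = uplinks[(switch, hit[1])]
    return None

# Constructed sample: "core" and port 2/1 are hypothetical; the edge row is from the thread.
TABLES = {"core": "22    00-08-74-ff-44-9f             2/1 [ALL]",
          "dhsscat2980_21": "22    00-08-74-ff-44-9f             3/33 [ALL]"}
UPLINKS = {("core", "2/1"): "dhsscat2980_21"}   # (switch, port) -> next switch
```

Calling trace("0008.74ff.449f", "core", TABLES, UPLINKS) ends on dhsscat2980_21 port 3/33 in VLAN 22; a None result means the entry has aged out of a table along the path, so capture the tables while the device is online.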
