Un-authorized local IP addresses showing on the network

r_yague
When I do an IPSCAN on our network in the office, there's a bunch of alive IP addresses in the network.  How can I figure out which computers or devices these are?  I would like to kick them out of their connection for now while trying to figure this out.  What is a better way to deal with this issue?  Has someone been able to crack our network?  Please advise.
Use tracert or nslookup to determine the netbios name. This may help to identify the source of the IP.
Remember printers, print servers, some switches, and other network aware hardware can be using IP addresses.
Top Expert 2006
Commented:
Use this from command prompt

nbtstat -A IP_ADDRESS

This will tell you the computer name. Look for entry for number 20.
Commented:
You can use an eval version of SolarWinds to do that for you. It has the IP scan tool that gives you details about every IP. You can scan a range of IPs or a subnet. You can use other free tools to do that for you as well.
Here is the link: http://support.solarwinds.net/Help/IP-Network-Browser/Overview.htm
http://www.gfi.com/languard/ - one of my clients really likes it.

Of course, the ARP command should reveal if you're dealing with a single host or many (arp spoofs notwithstanding)

Cheers,
-Jon
use command prompt --

ipconfig /all

That should show you all IPs on the network.

Also go into the router or switch at the root IP address (192.168.0.1 ???) and check STATUS -- it will show all computers connected, their IP addresses, and their MAC addresses correlated to name, and that will give you a complete display.  Print it out for reference; the IP numbers don't often change.
>use command prompt --
>
>ipconfig /all

scrathcyboy, you forgot to mention that you have to run this command on *every* machine on the network, which may not be feasible...

>Also go into the router or switch at the root IP address (192.168.0.1 ???) and check STATUS -- it will show
>all computers connected, their IP addresses, and their MAC addresses correlated to name,
>and that will give you a complete display

Ridiculous.  This will work a very small fraction of the time, but not most.  Neither my own router nor managed switch conforms to your advice...  How can you even suggest that this will work in most cases?

I could comment more on what appears to be your habit of just firing off wildly inaccurate advice, but this is not the place.

Cheers,
-Jon
Top Expert 2004
Commented:
r_vague, what kind of gear are you running?  If you have manageable equipment, you might be able to look in your forwarding tables and ARP tables to pinpoint where those IPs are physically connected and then shut down their port and wait for the phone to ring.

Author

Commented:
I just remembered that we installed VOIP telephone units.  Do you think these unknown IPs are the telephone adapters that came with each phone?  If so, how can I check which adapter belongs to which IP address.  
Top Expert 2004

Commented:
>> If so, how can I check which adapter belongs to which IP address.  

As we have said, you would check your ARP and Forwarding Tables.  Then, the MAC should be on the bottom of the phone - on a label or something.
Top Expert 2006

Commented:
Yes, these new IPs can be assigned to these VOIP phones.

You can go to the DHCP management console. Note down the MAC addresses from the lease list.

Then you can match these MAC addresses with the VOIP phones to be sure of it.

Author

Commented:
DHCP is provided by the router/firewall and not the server.  So I checked the router DHCP and they were the VOIP phones (I checked the MAC addresses of the phone adapters). But there are still about 12 more (IP's and corresponding MAC addresses) that I am not sure what they are.  Now I want to know if there's a way to find out what kind of devices specific MAC addresses are, like they all start with 00:11:11......and so on.

Author

Commented:
Correction,  the mac addresses all start with 00:11.....and so on.

Commented:
From the router firewall, issue the command: sh arp
and see the matching IP to MAC.
Keith AlabasterEnterprise Architect
Top Expert 2008
Commented:
The MAC addresses do not denote their use. Some manufacturers bought blocks of MAC addresses for future use which is why 3COM, for example, all used to have the same first 6 bytes for example as did Intel.
ping IP
then do
arp -a

or use www.angryziber.com/ipscan
add MAC address in options
Your deployment of VOIP phones or IP phones isn't quite kosher if they are grabbing DHCP from your regular network.  Usually they are vlan'd off on another network, this other subnet has strict QOS assignments on the network/routers
Top Expert 2006

Commented:
Just one more way to be sure.

Assign one of these IP addresses to another machine (static IP).

Then it would prompt you with an IP conflict. It will also prompt on the other end that an IP conflict has occurred.

User will report to you and you can easily find the device.
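
Added example, not part of the thread or any poster's code: a Python sketch of the MAC-matching step discussed above. It parses `arp -a` output, drops broadcast and multicast entries, removes MACs already matched to a device, and groups what is left by the first three octets (the IEEE-assigned vendor prefix). The sample ARP table, the `KNOWN` inventory and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the thread).
ARP_OUTPUT = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-aa-00-00-01     dynamic
  192.168.0.21          00-11-bb-10-20-30     dynamic
  192.168.0.22          00-11-bb-10-20-31     dynamic
  192.168.0.57          00-11-cc-99-88-77     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed inventory: MACs already matched to a device label or DHCP lease.
KNOWN = {
    "00:11:AA:00:00:01": "router/firewall",
    "00:11:BB:10:20:30": "VoIP adapter, desk 1",
}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s", re.I)

def parse_arp(text):
    """Return {ip: mac} for unicast entries in `arp -a` output."""
    hosts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        # Normalize 00-11-aa-... to 00:11:AA:... so sources compare equal
        mac = m.group(2).replace("-", ":").upper()
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast address, not a device
        hosts[m.group(1)] = mac
    return hosts

def unknown_by_oui(hosts, known):
    """Group entries missing from the inventory by their first three octets."""
    groups = defaultdict(list)
    for ip, mac in sorted(hosts.items()):
        if mac not in known:
            groups[mac[:8]].append((ip, mac))
    return dict(groups)

if __name__ == "__main__":
    for oui, entries in unknown_by_oui(parse_arp(ARP_OUTPUT), KNOWN).items():
        print(oui, entries)
```

The ARP cache only lists hosts this machine has exchanged traffic with recently, which is why the thread suggests pinging an address before running `arp -a`. A MAC can be spoofed, so a prefix match is a lead to confirm against the device label or switch port, not proof of identity.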
