How do you find a duplicated MAC address (spoofing)?

In trying to figure out why our network traffic seems to be up, I've installed NTOP on one pc and put it off of a hub to monitor the traffic.  One of several things that NTOP reports on is duplicate MAC addresses.  Several of our pc's have been red flagged as high risk because NTOP found duplicate MAC addresses which might indicate spoofing.
 
If indeed something/someone is spoofing, how to I track this down?  How do I find out if it's really a MAC address being spoofed and then find the duplicate?
 
lloydr1lAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan Huseyin KayahanCommented:
         *Would they be the clients which have more than 1 NIC or any other network adapter?
          Also please have a look at this link
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21926836.html?sfQueryTermInfo=1+find+mac+spoof+trace
0
lloydr1lAuthor Commented:
No, just the one.
0
Alan Huseyin KayahanCommented:
Macpaq tool should work for you.
http://amac.paqtool.com/reprogram.htm
0
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

lloydr1lAuthor Commented:
How would that help me find who is spoofing?
0
Alan Huseyin KayahanCommented:
              *When you run network detection, which lists mac addresses, spoofed MACs would be easily recognized if spoofer is not a prof.
                For ex
               00-50-FC-F7-27-FD is a normal MAC address at first look. Spoofers usually spoof to thing like following
               00-12-34-AB-CD-56 and this is a suspicious MAC.
             
             *For more details please check this link
http://en.wikipedia.org/wiki/IP_Traceback
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rick HobbsRETIREDCommented:
Are you minitoring networ, server, or Internet traffic or some combination?
Where is the hub.  use a line drawing.   like

network switch---------------hub------------Internet router
                         server____/   \______monitor PC
0
lloydr1lAuthor Commented:
Internet router---------Firewall--------hub-----------switch-----etc
                                                             \__monitor PC
0
Rick HobbsRETIREDCommented:
Are you trying to locate spoofed MAC addresses on your network or spoofed MAC addresses coming from the Internet?  If the Internet, what type of router are you using.  Hopefully Cisco.  If you are using Cisco to connect to the Internet, with the combination of CEF (Cisco Express Forwarding) and Netflow it should be fairly easy to determine what addresses are spoofed.
Check this article: http://www.cymru.com/Documents/tracking-spoofed.html
0
lloydr1lAuthor Commented:
On our LAN.  When I read results using NTOP, the program reports that MAC spoofing might be going on.  If it is, I'm not sure how to locate any local spoofing, or any spoofing for that matter.
0
Rick HobbsRETIREDCommented:
The best way would be to identify every machine by Name, Username, IP address, and MAC address.  If you can identify all the systems on your network and they have different MAC addresses, spoofing is probably NOT occurring.  Since the MAC address is only used in the initial connection to obtain an IP address, the only reason someone on your network would be spoofing would be to use someone else's IP address.  In all the yeas I have been working on networks, I have never seen that done.
0
lloydr1lAuthor Commented:
Works for me, but I'll give them the points.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.