lloydr1l
asked on
How do you find a duplicated MAC address (spoofing)?
In trying to figure out why our network traffic seems to be up, I've installed NTOP on one pc and put it off of a hub to monitor the traffic. One of several things that NTOP reports on is duplicate MAC addresses. Several of our pc's have been red flagged as high risk because NTOP found duplicate MAC addresses which might indicate spoofing.
If indeed something/someone is spoofing, how to I track this down? How do I find out if it's really a MAC address being spoofed and then find the duplicate?
If indeed something/someone is spoofing, how to I track this down? How do I find out if it's really a MAC address being spoofed and then find the duplicate?
ASKER
No, just the one.
Macpaq tool should work for you.
http://amac.paqtool.com/reprogram.htm
http://amac.paqtool.com/reprogram.htm
ASKER
How would that help me find who is spoofing?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are you minitoring networ, server, or Internet traffic or some combination?
Where is the hub. use a line drawing. like
network switch---------------hub-- ---------- Internet router
server____/ \______monitor PC
Where is the hub. use a line drawing. like
network switch---------------hub--
server____/ \______monitor PC
ASKER
Internet router---------Firewall--- -----hub-- ---------s witch----- etc
\__monitor PC
\__monitor PC
Are you trying to locate spoofed MAC addresses on your network or spoofed MAC addresses coming from the Internet? If the Internet, what type of router are you using. Hopefully Cisco. If you are using Cisco to connect to the Internet, with the combination of CEF (Cisco Express Forwarding) and Netflow it should be fairly easy to determine what addresses are spoofed.
Check this article: http://www.cymru.com/Documents/tracking-spoofed.html
Check this article: http://www.cymru.com/Documents/tracking-spoofed.html
ASKER
On our LAN. When I read results using NTOP, the program reports that MAC spoofing might be going on. If it is, I'm not sure how to locate any local spoofing, or any spoofing for that matter.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Works for me, but I'll give them the points.
Also please have a look at this link
https://www.experts-exchange.com/questions/21926836/Network-throws-up-MAC-spoofing-warning-on-one-PC-How-can-I-trace-the-root-cause-and-fix-the-problem.html?sfQueryTermInfo=1+find+mac+spoof+trace