Solved

How do you find a duplicated MAC address (spoofing)?

Posted on 2007-04-06
12
1,031 Views
Last Modified: 2012-06-27
In trying to figure out why our network traffic seems to be up, I've installed NTOP on one pc and put it off of a hub to monitor the traffic.  One of several things that NTOP reports on is duplicate MAC addresses.  Several of our pc's have been red flagged as high risk because NTOP found duplicate MAC addresses which might indicate spoofing.
 
If indeed something/someone is spoofing, how to I track this down?  How do I find out if it's really a MAC address being spoofed and then find the duplicate?
 
0
Comment
Question by:lloydr1l
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
12 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18864267
         *Would they be the clients which have more than 1 NIC or any other network adapter?
          Also please have a look at this link
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21926836.html?sfQueryTermInfo=1+find+mac+spoof+trace
0
 

Author Comment

by:lloydr1l
ID: 18864291
No, just the one.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18864788
Macpaq tool should work for you.
http://amac.paqtool.com/reprogram.htm
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Author Comment

by:lloydr1l
ID: 18864815
How would that help me find who is spoofing?
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 250 total points
ID: 18867855
              *When you run network detection, which lists mac addresses, spoofed MACs would be easily recognized if spoofer is not a prof.
                For ex
               00-50-FC-F7-27-FD is a normal MAC address at first look. Spoofers usually spoof to thing like following
               00-12-34-AB-CD-56 and this is a suspicious MAC.
             
             *For more details please check this link
http://en.wikipedia.org/wiki/IP_Traceback
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 18873915
Are you minitoring networ, server, or Internet traffic or some combination?
Where is the hub.  use a line drawing.   like

network switch---------------hub------------Internet router
                         server____/   \______monitor PC
0
 

Author Comment

by:lloydr1l
ID: 18876174
Internet router---------Firewall--------hub-----------switch-----etc
                                                             \__monitor PC
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 18876670
Are you trying to locate spoofed MAC addresses on your network or spoofed MAC addresses coming from the Internet?  If the Internet, what type of router are you using.  Hopefully Cisco.  If you are using Cisco to connect to the Internet, with the combination of CEF (Cisco Express Forwarding) and Netflow it should be fairly easy to determine what addresses are spoofed.
Check this article: http://www.cymru.com/Documents/tracking-spoofed.html
0
 

Author Comment

by:lloydr1l
ID: 18877082
On our LAN.  When I read results using NTOP, the program reports that MAC spoofing might be going on.  If it is, I'm not sure how to locate any local spoofing, or any spoofing for that matter.
0
 
LVL 22

Assisted Solution

by:Rick Hobbs
Rick Hobbs earned 250 total points
ID: 18877375
The best way would be to identify every machine by Name, Username, IP address, and MAC address.  If you can identify all the systems on your network and they have different MAC addresses, spoofing is probably NOT occurring.  Since the MAC address is only used in the initial connection to obtain an IP address, the only reason someone on your network would be spoofing would be to use someone else's IP address.  In all the yeas I have been working on networks, I have never seen that done.
0
 

Author Comment

by:lloydr1l
ID: 19261605
Works for me, but I'll give them the points.  
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Outsource Your Fax Infrastructure to the Cloud (And come out looking like an IT Hero!) Relative to the many demands on today’s IT teams, spending capital, time and resources to maintain physical fax servers and infrastructure is not a high priority.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question