How can I locate what device is claiming a static IP

I have a device on my network that is claiming a static IP address (probably assigned by some predecessor). This address can be pinged but DOES NOT show up in the DNS list. How can I find the device?
gordonmannAsked:
 
AmericomCommented:
You can probably have your switch guy identify which MAC address is associated with the IP, then find out which switch/port it is on and trace the actual physical patch to the box.

Also, not sure if the device is accessible, but you can get some idea of what it is by telnet, FTP, HTTP, otherwise UNC, RDP, etc. If you have WINS, you can also look up the database and see if it's there by sorting by IP.

Or, if it's a Windows machine with NetBIOS running, you can try at the command prompt from your PC: type NBTSTAT -A xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP address. This can list the MAC address and machine names as well as the domain name it is associated with.
0
 
JoWickermanCommented:
Hi gordonmann,

I guess you tried ping -a ipaddress?
0
 
gordonmannAuthor Commented:
I removed the one address I knew and changed it, but I want to know what device is still on that IP. So ping -a will not help in this instance.

Thanks
0
 
sdschaeferCommented:
You didn't specify how large the network is, but if it is not more than 30 - 50 devices, here's something you can try. From a workstation (or laptop) that is close, or that you can get close, to the switch(es), ping the IP address with a trailing /t. This will keep the ping going until canceled. Pull each of the cables out of the switch until the ping quits replying; then you will know what port is associated with the IP and hopefully have a jack map that can then resolve that to a device somewhere.
0
 
sdschaeferCommented:
Oh, one more thing: if you don't have a jack map or such to help you figure out where this device is after you get it isolated at the switch, another way to find it is to leave it unplugged. You will hear about it if it is anything important.
Always nice to have end users help in IT troubleshooting, even if they don't know they are. :)
0
 
gordonmannAuthor Commented:
Won't work for a national network of over 3000 devices.
0
 
gordonmannAuthor Commented:
No WINS, and I already tried RDP, DameWare, telnet and SSH and no connection returned, but yet I can ping the address.
0
 
gordonmannAuthor Commented:
I have also tried an IP scanner
0
 
gordonmannAuthor Commented:
And a network scanner
0
 
gordonmannAuthor Commented:
The only thing that can connect to this device is a web browser but it simply returns a totally blank page.

This is really aggravating.
0
 
gordonmannAuthor Commented:
This particular machine seems to have had the NIC replaced, and when I review the IP info I am warned that the same address exists on another currently unavailable NIC on that machine. How can I eliminate the redundant OLD NIC?
0
 
RowleyCommented:
You'll need to get the MAC address of the host, then get your network team to check the MAC address tables on the switches to find out what switch and port it's plugged into. You can get its MAC by using arp -a immediately after having established a connection.

On Cisco kit the command is show mac-address-table.

I believe Americom pointed this out to you earlier. If you've port scanned the host and tried connecting in on all open ports to try and identify it, this is probably the quickest and easiest route, relatively speaking.
0
 
gordonmannAuthor Commented:
Here are my test results so far:
Can FTP - found user name but cannot guess password (based on user name it is either Unix or Linux)
Can use browser - blank page
Can telnet - blank login screen

Neither the IP scanner nor the network scanner shows anything but open ports and IP. No MAC, NetBIOS or host names are found.

Sorry, I forgot to say: I tried the nbtstat -a command earlier and it returns "Host not found".
0
 
AmericomCommented:
You have a national network of over 3000 devices, so I'm sure you have a network team. Get them involved and have them find the physical box by simply giving them the IP.
0
 
RowleyCommented:
If you can establish a TCP connection then you have the MAC address. Example:

T:\>arp -a

Interface: 192.168.72.78 --- 0x2
  Internet Address      Physical Address      Type
  192.168.72.1          00-00-0c-07-ac-48     dynamic
  192.168.72.185        00-02-a5-e8-27-e3     dynamic

If you can get to it via HTTP, maybe you could try http://x.x.x.x/server-info or /server-status; if it's Apache and the admin has configured it to handle those URLs you might get some meaningful info. Your best bet is arming yourself with the MAC and speaking to your network admins.
0
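Added example, not part of the thread: a small parser for the Windows `arp -a` output quoted in the post above, which returns the MAC in the dotted form Cisco MAC address tables display, plus the vendor prefix (OUI). The function names are illustrative; the sample input is the output shown in the post.

```python
import re

# Sample input: the Windows `arp -a` output quoted in the post above.
SAMPLE_ARP = """\
Interface: 192.168.72.78 --- 0x2
  Internet Address      Physical Address      Type
  192.168.72.1          00-00-0c-07-ac-48     dynamic
  192.168.72.185        00-02-a5-e8-27-e3     dynamic
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)\s*$"
)

def parse_arp(text):
    """Return {ip: mac} for every row of Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def cisco_format(mac):
    """Convert 00-02-a5-e8-27-e3 to 0002.a5e8.27e3, as Cisco tables print it."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def lookup(text, ip):
    """Describe the ARP entry for ip, or return None when there is none.

    None means this PC holds no layer-2 entry: the address was not contacted
    recently, or it is on another subnet and is reached through the gateway,
    so its MAC has to be read from that subnet's router instead.
    """
    mac = parse_arp(text).get(ip)
    if mac is None:
        return None
    return {
        "mac": mac,
        "cisco": cisco_format(mac),
        "oui": mac[:8],  # first three octets: vendor prefix
        # Bit 0x02 of the first octet marks a locally administered address
        # (common on virtual NICs); the OUI then names no vendor.
        "locally_administered": bool(int(mac[:2], 16) & 0x02),
    }

if __name__ == "__main__":
    print(lookup(SAMPLE_ARP, "192.168.72.185"))
```

On a routed network such as the one described in this thread, a `None` result is the common case, and the ARP table that matters is the one on the router for the device's subnet.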
 
gordonmannAuthor Commented:
LOL. I have, but our infrastructure team is me and another person who is off today. Most of those devices are laptops using VPN. So basically I am on my own.
0
 
RowleyCommented:
"You have a national network of over 3000 devices, so I'm sure you have a network team. Get them involved and have them find the physical box by simply giving them the IP."

Totally. You are wasting your own time and your company's money.
0
 
RowleyCommented:
"LOL. I have, but our infrastructure team is me and another person who is off today. Most of those devices are laptops using VPN. So basically I am on my own."

So start interrogating your switches already!
0
 
gordonmannAuthor Commented:
The only connection where I get a prompt is FTP. All the others are blank with no prompts.
0
 
gordonmannAuthor Commented:
Thanks to all. From my tests and your input, I found and killed the rogue system.
0
 
RowleyCommented:
...care to share? How did you locate it?
0
 
gordonmannAuthor Commented:
Using a network scanner (NetworkView) on that IP, it gave me an SMTP server name that was the primary AS400 system. That did not make sense, so I searched the change control logs and found that the IP had been used as part of a range for testing the validation process on a server update, and the test range was never used. I then asked the manager about it, who proceeded to turn beet red and removed the range.
0
 
RowleyCommented:
Hahah... glad you sorted it.
0
 
gordonmannAuthor Commented:
Thought I did this already.
0