Solved

How can I locate what device is claiming a static IP

Posted on 2008-10-03
Last Modified: 2012-05-05
I have a device on my network that is claiming a static IP address (probably assigned by some predecessor). This address can be pinged but DOES NOT show up in the DNS list. How can I find the device?
Question by:gordonmann
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22633254
Hi gordonmann,

I guess you tried ping -a ipaddress?
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633336
I removed the one address I knew and changed it but I want to know what device is still on that ip.  So ping -a will not help in this instance.

Thanks
0
 
LVL 5

Expert Comment

by:sdschaefer
ID: 22633358
You didn't specify how large the network is, but if it is not more than 30 - 50 devices, here is something you can try. From a workstation (or laptop) that is close or that you can get close to the switch(s), ping the IP address with a trailing /t . This will keep the ping going until canceled. Pull each of the cables out of the switch until the ping quits replying, then you will know what port is associated with the IP and hopefully have a jack map that can then resolve that to a device somewhere.
0
 
LVL 5

Expert Comment

by:sdschaefer
ID: 22633388
Oh, one more thing: if you don't have a jack map or such to help you figure out where this device is after you get it isolated at the switch, another way to find it is to leave it unplugged. You will hear about it if it is anything important.
Always nice to have end users help in IT troubleshooting, even if they don't know they are.  :)
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633433
won't work for a national network of over 3000 devices
0
 
LVL 18

Accepted Solution

by:
Americom earned 250 total points
ID: 22633485
You can probably have your switch guy identify what MAC address the IP maps to, and from that find out what switch/port it is on, to trace the actual physical patch to the box.

Also, not sure if the device is accessible, but you can get some idea of what it is by telnet, ftp, http, otherwise UNC, RDP etc. If you have WINS, you can also look up the database and see if it's there by sorting the IP.

Or if it's a Windows machine with NetBIOS running, you can try at the command prompt from your PC: type NBTSTAT -A xxx.xxx.xxx.xxx, where the xxx... is the IP address. This can list the MAC address and machine names as well as the domain name it is associated with.
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633611
No WINS, and I already tried RDP, DameWare, telnet and ssh and no connection returned, but yet I can ping the address
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633632
I have also tried an IP scanner
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633738
And a network scanner
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633773
The only thing that can connect to this device is a web browser but it simply returns a totally blank page.

This is really aggravating.
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22633837
This particular machine seems to have had the NIC replaced and when I review the IP info I am warned that the same address exists on another currently unavailable NIC on that machine. How can I eliminate the redundant OLD NIC?
0
 
LVL 13

Expert Comment

by:Rowley
ID: 22633959
You'll need to get the MAC address of the host, then get your network team to check the MAC address tables on the switches to find out what switch and port it's plugged into. You can get its MAC by using arp -a immediately after having established a connection.

On Cisco kit the command is show mac-address-table.

I believe Americom pointed this out to you earlier. If you've port scanned the host and tried connecting in on all open ports to try and identify it, this is probably the quickest and easiest route, relatively speaking.
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22634178
Here are my test results so far
Can FTP - found user name but cannot guess password (based on user name it is either Unix or Linux)
Can use browser - blank page
Can telnet - blank login screen

Neither IP scanner nor network scanner shows anything but open ports and IP. No MAC, NetBIOS or host names are found.

Sorry I forgot to say,  I tried the nbtstat -a command earlier and returns "Host not found"
0
 
LVL 18

Expert Comment

by:Americom
ID: 22634267
You have a national network of over 3000 devices, I'm sure you have a network team. Get them involved and have them find out the physical box by simply giving them the IP.
0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 250 total points
ID: 22634312
If you can establish a TCP connection then you have the MAC address. Example:

T:\>arp -a

Interface: 192.168.72.78 --- 0x2
  Internet Address      Physical Address      Type
  192.168.72.1          00-00-0c-07-ac-48     dynamic
  192.168.72.185        00-02-a5-e8-27-e3     dynamic

If you can get to it via http, maybe you could try http://x.x.x.x/server-info or /server-status; if it's Apache and the admin has configured it to handle those URLs you might get some meaningful info. Your best bet is arming yourself with the MAC and speaking to your network admins.
0
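The arp-then-switch lookup described in the answer above and in the earlier replies from Americom and Rowley, as an added example (not code from anyone in the thread): the arp sample is the output quoted above, while the switch table, VLAN and port names are constructed. It goes slightly beyond the post by normalizing the two MAC notations and counting MACs per port.

```python
import re
from collections import defaultdict
# Windows "arp -a" output, as quoted in the answer above.
ARP_OUTPUT = """\
Interface: 192.168.72.78 --- 0x2
  Internet Address      Physical Address      Type
  192.168.72.1          00-00-0c-07-ac-48     dynamic
  192.168.72.185        00-02-a5-e8-27-e3     dynamic
"""

# Constructed sample of Cisco "show mac-address-table" output (ports are made up).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  72    0000.0c07.ac48    DYNAMIC     Gi0/1
  72    0002.a5e8.27e3    DYNAMIC     Fa0/12
  72    0011.2233.4455    DYNAMIC     Gi0/1
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_for_ip(arp_text, ip):
    """Return the normalized MAC that arp -a lists for ip, or None."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return norm_mac(fields[1])
    return None

def locate(arp_text, table_text, ip):
    """Map ip -> (switch port, count of MACs learned on that port), or None."""
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        return None
    ports = defaultdict(set)
    for line in table_text.splitlines():
        f = line.split()
        # Data rows only: VLAN, dotted MAC, type, port (skips header and rule).
        if len(f) == 4 and re.fullmatch(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", f[1], re.I):
            ports[f[3]].add(norm_mac(f[1]))
    for port, macs in ports.items():
        if mac in macs:
            return port, len(macs)
    return None
```

A count above 1 means the port is most likely an uplink to another switch, so repeat the lookup there. arp -a only shows MACs for hosts on your own subnet; for an address behind a router, read the ARP table on the router serving that subnet.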
 
LVL 1

Author Comment

by:gordonmann
ID: 22634318
LOL  I have but our infrastructure team is me and another person who is off today.  Most of those devices are laptops using VPN.  So basically I am on my own.  
0
 
LVL 13

Expert Comment

by:Rowley
ID: 22634326
"You have a national network of over 3000 devices, I'm sure you have a network team. Get them involved and have them find out the physical box by simply giving them the IP."

Totally. You are wasting your own time and your company's money.
0
 
LVL 13

Expert Comment

by:Rowley
ID: 22634339
"LOL  I have but our infrastructure team is me and another person who is off today.  Most of those devices are laptops using VPN.  So basically I am on my own. "

So start interrogating your switches already!
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22634349
The only connection where I get a prompt is ftp.  All the others are blank with no prompts.
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22634545
Thanks to all. From my tests and your input I found and killed the rogue system.
0
 
LVL 13

Expert Comment

by:Rowley
ID: 22636863
...care to share? How did you locate it?
0
 
LVL 1

Author Comment

by:gordonmann
ID: 22637181
Using a Network Scanner (NetworkView) on that IP it gave me an SMTP server name that was the primary AS400 system.  That did not make sense so I searched the change control logs and found that the IP had been used as part of a range for testing the Validation process on a server update and the test range was never used.  I then asked the manager about it who proceeded to turn beet red and removed the range.

0
 
LVL 13

Expert Comment

by:Rowley
ID: 22638147
hahah...glad you sorted it.
0
 
LVL 1

Author Closing Comment

by:gordonmann
ID: 31502728
thought I did this already
0
