IP address conflict

Hi

I have a rogue IP on my subnet but I can't find the device. When a member server boots up it gets an IP address conflict and I can't find the device which is conflicting. When I run Angry IP Scanner my output gives me all the MAC addresses but it doesn't list the offending IP. Anyone any ideas on how to find it, bar plugging everything out of the switch?
nostrasystems Asked:
sstone55423 Commented:
Well, if you don't want to go from computer to computer to check the MAC (you can skip computers that show active leases in DHCP), the next step would be using nmap http://nmap.org/download.html
 
0
 
sstone55423 Commented:
Well, try looking at your ARP table after pinging the IP address (arp -a). If you find the device, and it is the device that is "supposed" to have that IP, remove (turn off) that device, and then clear the ARP cache, and then ping the IP again, and check the ARP table again. This should give you the MAC address. Then start checking each device until you find that MAC address (ipconfig /all on Windows).
0
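The ARP-table check described in the comment above, as an added example that is not part of the original thread: it parses Windows `arp -a` output and compares the MAC recorded for the conflicting IP against MACs collected with `ipconfig /all`. The sample output, the 192.0.2.x addresses, the MAC values and the inventory are all constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output taken after clearing the cache
# and pinging the conflicting address with its legitimate owner powered off.
SAMPLE_ARP = """\
Interface: 192.0.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-5e-00-53-01     dynamic
  192.0.2.2             00-00-5e-00-53-af     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

# Constructed inventory: MACs read from `ipconfig /all` on the known machines.
INVENTORY = {
    "00005e005301": "gateway",
    "00005e005310": "server1-nic1",
    "00005e005311": "server1-nic2",
    "00005e005312": "server2-nic1",
}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.I,
)

def normalize_mac(mac):
    """Reduce 00-00-5E-.. or 00:00:5e:.. to twelve lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Return one dict per ARP row, tagged with the interface it was seen on."""
    entries, iface = [], None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            iface = line.split()[1]
            continue
        m = ROW.match(line)
        if m:
            # Type "dynamic" means learned from ARP traffic; it says nothing about DHCP.
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": normalize_mac(m.group(2)), "type": m.group(3).lower()})
    return entries

def identify(text, ip, inventory):
    """ARP rows for `ip`; known_as is the inventory host, or None if unrecognised."""
    hits = [e for e in parse_arp(text) if e["ip"] == ip]
    for e in hits:
        e["known_as"] = inventory.get(e["mac"])
    return hits
```

An empty result means nothing answered ARP for that address; a row whose `known_as` is `None` is the MAC to trace through switch tables or device by device.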
 
nostrasystems Author Commented:
I know the offending MAC address already; it's in Windows Event Viewer.

So do I have to go to every device and cross-reference the MAC address?
0
 
sstone55423 Commented:
Yes, there is not an easier way. The IP address associated with it doesn't help you, right? The best shot you have is if you disable the IP on the known device (where it is supposed to be) and then let the offending device get its IP via DHCP from a Windows server, and then check DHCP to see what the device name associated with the IP address assigned is. If it is statically assigned, then that won't help, of course.
Another way is that after removing (turning off, changing the IP of) the desired device, then try telnet to that IP, or web browse to that IP -- that can work if it is a printer, it will often respond. You can also portscan the IP, or use a tool like p0f http://sectools.org/os-detectors.html to tell you more about the OS.
0
 
Rowley Commented:
You can find the port which the NIC with the offending MAC address is plugged into by asking your network team to check the MAC address tables on the switches. If you are your own network team...well...you can get cracking!

:)
0
 
nostrasystems Author Commented:
They are unmanaged 3Com switches; can I still access the tables?
0
 
Rowley Commented:
You could also add something to your logon script to write out any relevant data you can from the system and MAC address into a file(s), as well as checking any dynamic name services you might use for host names registered under the offending IP.

This will only work on the assumption that this host is using dynamic config network services such as DDNS, WINS, DHCP and/or processes logon scripts at boot.

You can also try nbtstat -A [ipaddress] if it's a Windows host to get its registered NetBIOS names if you can. Also try performing a port scan using nmap to see if there are any open ports you could tap into to help identify it.
0
 
Rowley Commented:
"They are unmanaged 3Com switches; can I still access the tables?"

Depends if you can get onto the management addresses or connect in via the console for each switch. A simple serial cable and a teraterm/hypertrm session through a COM port using a PC of sorts will get you local console access if you don't have management addresses configured.

For more info, consult the docs for your particular make/model of switch.
0
 
nostrasystems Author Commented:
Weird, when I run an nbtstat with the server shut down it finds no other same-IP device?
0
 
nostrasystems Author Commented:
Now I booted up the server again and it finds the correct device on x.x.x.2? No sign of the rogue device? Could it be an IP corruption on the server with IP x.x.x.2?
0
 
nostrasystems Author Commented:
It still gives an IP address conflict when I boot that server?
0
 
sstone55423 Commented:
Do you have more than one NIC enabled? Check the MAC of the rogue against your server NICs.
0
 
nostrasystems Author Commented:
I have two servers: the first has two NICs and the second one, the problem, has one NIC. All three don't match the offending MAC address.
0
 
sstone55423 Commented:
When you turn off the NIC that has the good IP (or shut down the server) can you still ping the duplicated IP? Does anything answer?
0
 
sstone55423 Commented:
Hmm, if you have a different MAC address, then it has to be someplace. Your environment is too large to search?
0
 
nostrasystems Author Commented:
When I shut down the server and then ping x.x.x.2 nothing replies; it's like a phantom conflict?
0
 
nostrasystems Author Commented:
My environment is a school with maybe 50 workstations and 2 servers.
0
 
sstone55423 Commented:
Clear the ARP table, then ping, and then check. No reply, but do you get a MAC from pinging the IP?

Can you just move the IP on the server to another IP? I wonder if you would still get a conflict?
0
 
nostrasystems Author Commented:
OK, I'm getting somewhere. I cleared the ARP cache and now with the offending server off I can ping the rogue address x.x.x.2 but I can get a host name or MAC address; how can I get this? Tried nslookup x.x.x.2 but unknown.
0
 
nostrasystems Author Commented:
I have also used Angry IP Scanner and that finds something on x.x.x.2 but won't give NetBIOS info or MAC address.
0
 
sstone55423 Commented:
Look at the ARP table again for the MAC address. Try to go to that IP via IE browser, and also try telnet x.x.x.2 from CMD prompt.

Also, see http://sectools.org/os-detectors.html
 
0
 
sstone55423 Commented:
What ports do you find open on that IP? (with Angry scanner)
0
 
nostrasystems Author Commented:
Angry scan only gives TTL 64 and IP; everything else is n/a.
0
 
nostrasystems Author Commented:
OK, I have the MAC address; it's the same as the one in Event Viewer. It says dynamic beside it; does that mean something is being assigned x.x.x.2 by DHCP?
0
 
sstone55423 Commented:
Could be. Go to your DHCP server and see if it assigned a computer name to that IP.

If so, what is your DHCP scope? Does your DHCP scope include x.x.x.2?
0
 
nostrasystems Author Commented:
Just tried that; it's from 100 -> 199 so no lease has .2.
0
 
nostrasystems Author Commented:
I tried nmap but it doesn't tell me anything, or am I missing something?
0
 
nostrasystems Author Commented:
Sorry, now know how to use nmap :) http://nmap.org/download.html

I got it, it was a 3Com wireless access point conflicting arghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

yahoooooooooooooooooooooooooo

:) Thanks all
0
 
sstone55423 Commented:
You are welcome! Glad we could help you.
0
Question has a verified solution.