Solved

IP address conflict

Posted on 2008-10-07
Last Modified: 2010-04-02
Hi

I have a rogue IP on my subnet but I can't find the device. When a member server boots up it gets an IP address conflict and I can't find the device which is conflicting. When I run Angry IP Scanner my output gives me all the MAC addresses but it doesn't list the offending IP. Anyone any ideas on how to find it bar plugging everything out of the switch?
Question by:nostrasystems
29 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22658297
Well, try looking at your ARP table after pinging the IP address. (arp -a)  If you find the device, and it is the device that is "supposed" to have that IP, remove (turn off) that device, and then clear the ARP cache, and then ping the IP again, and check the arp table again.  This should give you the MAC address.  Then start checking each device until you find that MAC address.  (ipconfig /all windows)
 

Author Comment

by:nostrasystems
ID: 22658311
I know the offending MAC address already; it's in Windows Event Viewer.

So do I have to go to every device and cross-reference the MAC address?
 
LVL 8

Expert Comment

by:sstone55423
ID: 22658427
Yes, there is not an easier way.  The IP address associated with it doesn't help you, right?  The best shot you have is if you disable the IP on the known device (where it is supposed to be) and then let the offending device get its IP via DHCP from a windows server, and then check DHCP to see what the device name associated with the IP address assigned is.  If it is statically assigned, then that won't help, of course.
Another way is that after removing (turning off, changing the IP) of the desired device, then try telnet to that IP, or web browse to that IP -- that can work if it is a printer, it will often respond.  You can also portscan the IP, or use a tool like p0f http://sectools.org/os-detectors.html to tell you more about the OS.
 
LVL 13

Expert Comment

by:Rowley
ID: 22658965
You can find the port that the NIC with the offending MAC address is plugged into by asking your network team to check the mac-address tables on the switches. If you are your own network team...well...you can get cracking!

:)
 

Author Comment

by:nostrasystems
ID: 22659034
They are unmanaged 3Com switches; can I still access the tables?
 
LVL 13

Expert Comment

by:Rowley
ID: 22659042
You could also add something to your logon script to write out any relevant data you can from the system and mac address into a file(s), as well as checking any dynamic name services you might use for host names registered under the offending IP.

This will only work on the assumption that this host is using dynamic config network services such as DDNS, WINS, DHCP and/or processes logon scripts at boot.

You can also try nbtstat -A [ipaddress] if it's a Windows host to get its registered NetBIOS names if you can. Also try performing a port scan using nmap to see if there are any open ports you could tap into to help identify it.
 
LVL 13

Expert Comment

by:Rowley
ID: 22659091
"the are unmanaged 3com switches can i still access the tables"

Depends if you can get onto the management addresses or connect in via the console for each switch. A simple serial cable and a teraterm/hypertrm session through a com port using a pc of sorts will get you local console access if you don't have management addresses configured.

For more info, consult the docs for your particular make/model of switch.
 

Author Comment

by:nostrasystems
ID: 22659139
Weird, when I run an nbtstat with the server shut down it finds no other device with the same IP?
 

Author Comment

by:nostrasystems
ID: 22659171
Now I booted up the server again and it finds the correct device on x.x.x.2? No sign of the rogue device? Could it be an IP corruption on the server with IP x.x.x.2?
 

Author Comment

by:nostrasystems
ID: 22659175
It still gives an IP address conflict when I boot that server?
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659400
Do you have more than one NIC enabled?  Check the MAC of the rogue against your server NICs.
 

Author Comment

by:nostrasystems
ID: 22659448
I have two servers: the first has two NICs and the second one, the problem, has one NIC. All three don't match the offending MAC address.
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659499
When you turn off the NIC that has the good IP (or shut down the server) can you still ping the duplicated IP?  Does anything answer?
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659501
Hmm, if you have a different MAC address, then it has to be someplace.  Your environment is too large to search?
 

Author Comment

by:nostrasystems
ID: 22659540
When I shut down the server and then ping x.x.x.2 nothing replies; it's like a phantom conflict?
 

Author Comment

by:nostrasystems
ID: 22659547
My environment is a school with maybe 50 workstations and 2 servers.
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659584
Clear the ARP table, then ping, and then check.  No reply, but do you get a MAC from pinging the IP?
 
Can you just move the IP on the server to another IP?  I wonder if you would still get a conflict?
 

Author Comment

by:nostrasystems
ID: 22659647
OK, I'm getting somewhere. I cleared the ARP cache and now with the offending server off I can ping the rogue address x.x.x.2 but I can get a host name or MAC address, how can I get this? Tried nslookup x.x.x.2 but unknown.
 

Author Comment

by:nostrasystems
ID: 22659662
I have also used Angry IP scan and that finds something on x.x.x.2 but won't give NetBIOS info or MAC address.
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659665
Look at the ARP table again for the MAC address.  Try to go to that IP via IE browser, and also try telnet x.x.x.2 from CMD prompt.
 
Also, see http://sectools.org/os-detectors.html
 
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659676
What ports do you find open on that IP?  (with Angry scanner)
 

Author Comment

by:nostrasystems
ID: 22659709
Angry scan only gives TTL 64 and IP; everything else is n/a.
 

Author Comment

by:nostrasystems
ID: 22659738
OK, I have the MAC address; it's the same as the one in Event Viewer. It says dynamic beside it; does that mean something is being assigned x.x.x.2 by DHCP?
 
LVL 8

Expert Comment

by:sstone55423
ID: 22659756
Could be.  Go to your DHCP server and see if it assigned a computer name to that IP.
 
If so, what is your DHCP scope?  Does your DHCP scope include x.x.x.2?
 

Author Comment

by:nostrasystems
ID: 22659776
Just tried that; it's from 100 -> 199, so no lease has .2.
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
ID: 22659914
Well, if you don't want to go from computer to computer to check the MAC  (you can skip computers that show active leases in DHCP) the next step would be using nmap http://nmap.org/download.html
 
 

Author Comment

by:nostrasystems
ID: 22660049
I tried nmap but it doesn't tell me anything, or am I missing something?
 

Author Comment

by:nostrasystems
ID: 22660394
Sorry, now I know how to use nmap :) http://nmap.org/download.html

I got it, it was a 3Com wireless access point conflicting arghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

yahoooooooooooooooooooooooooo

:) thanks all
 
LVL 8

Expert Comment

by:sstone55423
ID: 22660512
You are welcome!  Glad we could help you.
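The ARP cross-check this thread converges on, written out as an added example (not code from any poster): it parses Windows `arp -a` output captured with the conflicting server shut down, then compares the MAC still answering for the IP against the server NICs, the MAC from Event Viewer and the DHCP scope. All addresses are constructed documentation values, and `find_rogue`, `parse_arp` and their parameters are hypothetical names.

```python
import re
from ipaddress import ip_address

# One row of the Windows `arp -a` table: IP, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$"
)

def norm(mac):
    """Normalise 00-AA-.. or 00:aa:.. to lower-case colon form."""
    return mac.strip().lower().replace("-", ":")

def parse_arp(text):
    """Return {ip: (mac, type)}; header and Interface lines are skipped."""
    rows = (ARP_ROW.match(line) for line in text.splitlines())
    return {m[1]: (norm(m[2]), m[3].lower()) for m in rows if m}

def find_rogue(ip, arp_server_off, server_macs, event_log_mac, dhcp_scope):
    """Classify whatever still answers ARP for `ip` while its owner is off."""
    entry = parse_arp(arp_server_off).get(ip)
    if entry is None:
        return None  # nothing answered: clear the cache, ping, capture again
    mac, arp_type = entry
    low, high = (ip_address(a) for a in dhcp_scope)
    return {
        "mac": mac,
        # "dynamic" means the entry was learned via ARP (not added with
        # arp -s); it says nothing about DHCP.
        "arp_type": arp_type,
        "is_server_nic": mac in {norm(m) for m in server_macs},
        "matches_event_log": mac == norm(event_log_mac),
        # Outside the scope: this DHCP server did not lease the address.
        "in_dhcp_scope": low <= ip_address(ip) <= high,
    }

# Constructed sample: arp -a taken with the legitimate server powered off.
ARP_SERVER_OFF = """
Interface: 192.0.2.50 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-5e-00-53-01     dynamic
  192.0.2.2             00-00-5e-00-53-af     dynamic
  192.0.2.120           00-00-5e-00-53-20     dynamic
"""
SERVER_MACS = ["00-00-5E-00-53-10", "00-00-5E-00-53-11", "00-00-5E-00-53-12"]
SCOPE = ("192.0.2.100", "192.0.2.199")

if __name__ == "__main__":
    print(find_rogue("192.0.2.2", ARP_SERVER_OFF, SERVER_MACS,
                     "00:00:5E:00:53:AF", SCOPE))
```

A result with `is_server_nic` false, `matches_event_log` true and `in_dhcp_scope` false is the situation the thread ended in: a separate device holding the address outside the DHCP scope.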
