How to find where rogue IP address is coming from?

Posted on 2008-11-05
Last Modified: 2012-08-14
I discovered an IP address being used on the network that I did not have any records of. It is a static address within our local private range. The ping is around a 27ms average, which seems a little high. LanSpy gave me the MAC address, which starts with 00:90:10... and the manufacturer is "SIMULATION LABORATORIES, INC.". I then ran a port mapper on all of our switches and that IP address or MAC address does not show up on any of them. How do I find where/what this is?
Question by:robw24
    LVL 7

    Accepted Solution

    Switches usually keep MAC addresses for 30 seconds and delete them if there is no traffic. Run ping with the -t option and keep it running while you check the switches.
    LVL 3

    Expert Comment

    This sounds like it is an issue where a virtual program (something like VMWARE for example) is being used. My suggestion is for you to go into your switch and debug the activity coming into or out of it through the ports by sending data to the PC that's using this rogue IP. By pinging the address for example, that should help you to extract which port the switch is sending the data out of and you should be able to solve your mystery.

    I don't think that you didn't try a lot of means so we have to get creative.
    LVL 7

    Expert Comment

    You can disable and then, right after, enable links/ports, see if ping -t x.x.x.x will stop, and keep following the path further down, eventually ending up on the port to which the "rogue" is connected... if this will make it simple enough for you.
    Disable/enable will not affect regular internet users too much, unless there is sensitive traffic that needs to be on all the time.
    LVL 1

    Author Closing Comment

    This worked perfectly. Using the ping -t command kept data flowing and thus I was able to see it mapped to a switch port, which I could not see before because no data was being sent or received. I traced it to a manufacturing machine controller that I connected years back to an NFS share, but forgot to make records of it or set up a DNS A record. Thanks for your help.
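
An added example, not part of the original thread: while ping -t keeps the entry from aging out, the search across every switch's MAC table can be scripted. It assumes Cisco IOS-style `show mac address-table` text collected from each switch; the switch names, ports and MAC addresses are constructed placeholders.

```python
import re

# Matches entry rows such as "  10    0200.00aa.bbcc    DYNAMIC     Gi0/1".
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+\w+\s+(\S+)\s*$")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def macs_by_port(text):
    """Map port -> set of MACs learned on it; header lines are skipped."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.setdefault(m.group(3), set()).add(norm_mac(m.group(2)))
    return ports

def locate(tables, target):
    """Return (switch, port, macs_on_port) hits, likeliest edge port first.
    A port that has learned many MACs is an uplink to another switch;
    a port that has learned only the target is where the device is attached.
    An empty result means the entry has aged out of every table.
    """
    target = norm_mac(target)
    hits = [(switch, port, len(macs))
            for switch, text in tables.items()
            for port, macs in macs_by_port(text).items()
            if target in macs]
    return sorted(hits, key=lambda hit: hit[2])

# Constructed sample tables; names, ports and MACs are placeholders.
TABLES = {
    "core-sw": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.00aa.bbcc    DYNAMIC     Gi1/0/1
  10    0200.0011.2233    DYNAMIC     Gi1/0/1
  10    0200.0044.5566    DYNAMIC     Gi1/0/1""",
    "floor-sw": """  10    0200.00aa.bbcc    DYNAMIC     Fa0/7
  10    0200.0011.2233    DYNAMIC     Fa0/3
  10    0200.0044.5566    DYNAMIC     Fa0/4""",
}

if __name__ == "__main__":
    for switch, port, count in locate(TABLES, "02:00:00:AA:BB:CC"):
        print(f"{switch} {port}: {count} MAC(s) learned on this port")
```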
