
Rogue device and MAC address tracing

Posted on 2009-02-24
Last Modified: 2013-12-02
Ok, I'll start by describing our setup:

LAN with 1 router
plugged into router is: 1 cable broadband modem, 3 switches
Switches connect to floor sockets in the office (therefore I can identify any device if I know which switch and port it is connected to)
Mac environment
Running Mac OS 10.4 and 10.5

The problem:
We have a NAS with a fixed IP of 192.168.0.14.
Recently I have noticed problems of it disconnecting and received a warning that its IP address was taken.
It seems that another device is repeatedly attempting to utilise this IP address. Problem is, when I look at DHCP table of the router, I only have the MAC address.
I have ruled out as much of the office as I have access to but have not yet found the offending connection.

Is there any way (in a Mac OSX environment) of identifying who the MAC address belongs to, what port of my switches it is connected to or any other info that might help me trace this?

Any help greatly appreciated.
Question by:aarondown
21 Comments
 
LVL 28

Expert Comment

by:jhyiesla
ID: 23724043
You could go to your Mac and open up a Terminal from the Utilities area and do arp -a.  This will return all your devices with their MAC address and IP address.
0
 
LVL 1

Author Comment

by:aarondown
ID: 23724155
I currently have a DHCP table from my router web interface which lists the IP, Host name (if available) and MAC address, this is where I identified the MAC address of a device which is not the NAS but has been assigned 192.168.0.14.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 23724210
Have you tried doing a lookup in the network utility for the IP address?
0
 
LVL 1

Author Comment

by:aarondown
ID: 23724655
Get this:

; <<>> DiG 9.4.2-P2 <<>> -x 192.168.0.14 any +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options:  printcmd
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 23724706
In a Windows environment that usually means that it's something that's not in the DNS... do you have a DNS server running?

Have you tried doing a remote control session to the IP either through VNC or some other remote control session or by putting the IP in a browser?  If it's a Mac you should be able to start some remote control session unless you have that disabled.  If it's something else like a printer or managed switch, putting the IP in a browser may start some built in web management interface.
0
 
LVL 53

Assisted Solution

by:strung
strung earned 2000 total points
ID: 23724919
The problem and solution are much simpler than that.

The problem is that your DHCP server won't know about the NAS at 192.168.0.14 and can just randomly hand that address out to another device.

What you have to do is to change the range of IP addresses being handed out by your DHCP server, or, alternatively, change the IP address of the NAS. If you are using fixed IP addresses the fixed addresses must be outside the range used by the DHCP server (but in the same subnet.)

For instance, if your DHCP server is set to use the range 192.168.0.2 to 192.168.0.50, set the NAS to 192.168.0.60.

Alternatively, leave the NAS at 192.168.0.14 and change the DHCP server to use a range from 192.168.0.50 to 192.168.0.100.

That way there is no possibility of interference between devices with fixed IP addresses and those that obtain their addresses by DHCP.
0
 
LVL 53

Expert Comment

by:strung
ID: 23724941
If that doesn't fix the problem, then you know that somewhere on your LAN is another device using the same fixed IP address as the NAS, a wireless intruder perhaps.
0
 
LVL 53

Expert Comment

by:strung
ID: 23724958
P.S., if you change the DHCP server range, you will have to reboot all computers on the network so that they obtain new IPs.
0
 
LVL 1

Author Comment

by:aarondown
ID: 23743318
Strung: I had thought of this option but wasn't sure if it was viable until you confirmed it. I have changed the IP pool to run from 192.68.0.15 onwards, thus avoiding my static ip of 192.168.0.14.

All of the machines have obtained new IPs and it seemed to be working until I came back in this morning and the NAS had disconnected again. My theory, (but please correct me if this isn't possible) is that another device, usually at night after 6pm, is trying to use the same IP as the NAS. It kicks us off our IP until I 'attach' it again in Finder when it kicks off the other device. If this is possible/probable the problem is how do I identify the device? I have the MAC address of it but no way of knowing what it is.
0
 
LVL 53

Accepted Solution

by:strung
strung earned 2000 total points
ID: 23744660
The MAC address may be of some help. The first six digits of the MAC address will tell you the name of the NIC vendor:  http://coffer.com/mac_find/
0
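An added example (not part of the original thread) combining the two suggestions above, `arp -a` and the vendor-prefix lookup: it parses macOS-style `arp -a` output, restores the leading zeros macOS drops from each MAC octet, and reports any fixed IP that is answering from a MAC other than the inventoried one. The sample output and the NAS MAC `02:00:00:00:00:14` are constructed placeholders; `00:01:E6:61:37:3F` is the address the poster reports later in the thread.

```python
import re

# Constructed sample in the macOS `arp -a` layout. macOS omits leading zeros
# in each octet, so 00:01:E6:61:37:3F is printed as 0:1:e6:61:37:3f.
SAMPLE_ARP = """\
? (192.168.0.1) at 2:0:0:0:0:1 on en0 [ethernet]
? (192.168.0.14) at 0:1:e6:61:37:3f on en0 [ethernet]
? (192.168.0.23) at 2:0:0:0:0:23 on en0 [ethernet]
? (192.168.0.99) at (incomplete) on en0 [ethernet]
"""

# Fixed-IP devices and the MAC each should answer with (NAS MAC is a placeholder).
INVENTORY = {"192.168.0.14": "02:00:00:00:00:14"}

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]+) on ")


def normalize_mac(mac):
    """Zero-pad and upper-case each octet so MACs from different tools compare equal."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join("%02X" % int(o, 16) for o in octets)


def parse_arp(text):
    """Return {ip: MAC} from `arp -a` output, skipping '(incomplete)' entries."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group(1)] = normalize_mac(match.group(2))
    return table


def find_conflicts(arp_table, inventory):
    """List (ip, expected MAC, seen MAC, vendor prefix) for fixed IPs held by another MAC."""
    conflicts = []
    for ip, expected in sorted(inventory.items()):
        seen = arp_table.get(ip)
        if seen and seen != normalize_mac(expected):
            conflicts.append((ip, normalize_mac(expected), seen, seen[:8]))
    return conflicts


if __name__ == "__main__":
    for ip, expected, seen, oui in find_conflicts(parse_arp(SAMPLE_ARP), INVENTORY):
        print("%s: expected %s, seen %s (look up vendor prefix %s)" % (ip, expected, seen, oui))
```

The ARP cache holds only the most recent answer for each IP, so the check is most useful when run from a machine on the same subnet around the time the conflict occurs.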
 
LVL 1

Author Comment

by:aarondown
ID: 23749359
It identifies the vendor as Hewlett Packard, which is unfortunately quite difficult to trace because there's a lot of HP products! However, most of the office is Apple based, but there are some HP printers in the office.

If it is outside the office where can I start to trace the 'intrusion'?
0
 
LVL 53

Assisted Solution

by:strung
strung earned 2000 total points
ID: 23749519
It won't likely be from outside the office unless you have a wireless network as well as your wired one. If you do have a wireless network, try using the MAC address filtering facility of your wireless router to block wireless access by that IP address.

In the meantime, can you check the MAC addresses of your printers to see if one of them might be the culprit?

It might also be an HP laptop.

Would someone be using an HP laptop in your office at night?
0
 
LVL 1

Author Comment

by:aarondown
ID: 23749941
I am checking the MAC addresses of the printers.

We do have an Airport base that is connected to us. I have accessed the management of it but I don't seem to be able to limit the connections by MAC address or IP. Any ideas?
0
 
LVL 53

Expert Comment

by:strung
ID: 23749991
I am pretty sure the Airport base station supports MAC address filtering. I will have a look at mine when I get home tonight.
0
 
LVL 53

Expert Comment

by:strung
ID: 23754951
If your Airport is the Airport Extreme and you have the latest version of the Airport Utility, go to Manual Setup: Airport Access: to set up MAC address filtering.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 23755132
And if you do have an Airport Extreme and if you are using MAC address filtering, make sure that the default is to block everything.  When you set it up, the default goes to allow everything not mentioned by MAC address to have access all the time.  Change that to not allowing anything.  This means that only those devices that you have specified can get to the wireless network.
0
 
LVL 1

Author Comment

by:aarondown
ID: 23977822
I have limited the Airport access to just three MAC addresses and I am still receiving notices from my NAS that
"MAC address 00:01:E6:61:37:3F claims to have our IP address (192.168.0.14) (duplicate IP conflict likely)"

I still have no idea what this device is (other than that it is an HP product)  or where they are getting in!
I'm not sure what else I can do!
0
 
LVL 53

Expert Comment

by:strung
ID: 23977938
It seems to me that it has to be something within your LAN. If it is an HP product, it is likely a scanner or printer, but it could also be an HP or Compaq laptop.
0
 
LVL 1

Author Comment

by:aarondown
ID: 23977970
My stupidity has been revealed!
It's an HP laserjet 5000 printer!
Problem now is that I can't seem to access the menu in the printer to change it to a manual IP, and I can't connect to it via browser because the config page I printed says it still has the 192.168.0.14 address, which is our NAS!
I appreciate that this might be a new topic but any suggestions appreciated
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 23978112
Do you have an alternate way to connect to it...like USB?  You could take a laptop or put another computer on it that way.  If not, you could take the printer off the LAN and build your own two device LAN with the printer and a computer connected by cross over cable or a small hub or switch.  Make the PC a device in the same segment as the printer and change it.

Or you could do a cold reset on the printer in which case it would get an IP via DHCP if you're using that and then you could access it via HP Jet Direct software.  http://www.laserquipt.com/support/idx/0/121/article/Cold-Reset-Steps-for-HP-Printers-.html
0
 
LVL 1

Author Comment

by:aarondown
ID: 23978123
Sorry, managed to find the correct menu and gave the printer a manual IP.

Assuming it's now fixed, thanks for all your help.
0
