aarondown

Rogue device and MAC address tracing

Ok, I'll start by describing our setup:

LAN with 1 router
plugged into router is: 1 cable broadband modem, 3 switches
Switches connect to floor sockets in the office (therefore I can identify any device if I know which switch and port it is connected to)
Mac environment
Running Mac OS 10.4 and 10.5

The problem:
We have a NAS with a fixed IP of 192.168.0.14.
Recently I have noticed problems of it disconnecting and received a warning that its IP address was taken.
It seems that another device is repeatedly attempting to utilise this IP address. Problem is, when I look at DHCP table of the router, I only have the MAC address.
I have ruled out as much of the office as I have access to but have not yet found the offending connection.

Is there any way (in a Mac OS X environment) of identifying who the MAC address belongs to, what port of my switches it is connected to or any other info that might help me trace this?

Any help greatly appreciated.
jhyiesla

You could go to your Mac and open up a Terminal from the Utilities area and do arp -a.  This will return all your devices with their MAC address and IP address.
aarondown

ASKER

I currently have a DHCP table from my router web interface which lists the IP, Host name (if available) and MAC address, this is where I identified the MAC address of a device which is not the NAS but has been assigned 192.168.0.14.
Have you tried doing a lookup in the network utility for the IP address?
Get this:

; <<>> DiG 9.4.2-P2 <<>> -x 192.168.0.14 any +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options:  printcmd
In a Windows environment that usually means that it's something that's not in the DNS... do you have a DNS server running?

Have you tried doing a remote control session to the IP either through VNC or some other remote control session or by putting the IP in a browser?  If it's a Mac you should be able to start some remote control session unless you have that disabled.  If it's something else like a printer or managed switch, putting the IP in a browser may start some built in web management interface.
SOLUTION
strung

This solution is only available to members.
If that doesn't fix the problem, then you know that somewhere on your LAN is another device using the same fixed IP address as the NAS, a wireless intruder perhaps.
P.S., if you change the DHCP server range, you will have to reboot all computers on the network so that they obtain new IPs.
Strung: I had thought of this option but wasn't sure if it was viable until you confirmed it. I have changed the IP pool to run from 192.68.0.15 onwards, thus avoiding my static IP of 192.168.0.14.

All of the machines have obtained new IPs and it seemed to be working until I came back in this morning and the NAS had disconnected again. My theory, (but please correct me if this isn't possible) is that another device, usually at night after 6pm, is trying to use the same IP as the NAS. It kicks us off our IP until I 'attach' it again in Finder when it kicks off the other device. If this is possible/probable the problem is how do I identify the device? I have the MAC address of it but no way of knowing what it is.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
It identifies the vendor as Hewlett Packard, which is unfortunately quite difficult to trace because there's a lot of HP products! However, most of the office is Apple based, but there are some HP printers in the office.

If it is outside the office where can I start to trace the 'intrusion'?
SOLUTION
This solution is only available to members.
I am checking the MAC addresses of the printers.

We do have an Airport base that is connected to us. I have accessed the management of it but I don't seem to be able to limit the connections by MAC address or IP. Any ideas?
I am pretty sure the Airport base station supports MAC address filtering. I will have a look at mine when I get home tonight.
If your Airport is the Airport Extreme and you have the latest version of the Airport Utility, go to Manual Setup: Airport Access: to set up MAC address filtering.
And if you do have an Airport Extreme and if you are using MAC address filtering, make sure that the default is to block everything.  When you set it up, the default goes to allow everything not mentioned by MAC address to have access all the time.  Change that to not allowing anything.  This means that only those devices that you have specified can get to the wireless network.
I have limited the Airport access to just three MAC addresses and I am still receiving notices from my NAS that
"MAC address 00:01:E6:61:37:3F claims to have our IP address (192.168.0.14) (duplicate IP conflict likely)"

I still have no idea what this device is (other than that it is an HP product)  or where they are getting in!
I'm not sure what else I can do!
It seems to me that it has to be something within your LAN. If it is an HP product, it is likely a scanner or printer, but it could also be an HP or Compaq laptop.
My stupidity has been revealed!
It's an HP LaserJet 5000 printer!
Problem now is that I can't seem to access the menu in the printer to change it to a manual IP, and I can't connect to it via browser because the config page I printed says it still has the 192.168.0.14 address, which is our NAS!
I appreciate that this might be a new topic but any suggestions appreciated.
Do you have an alternate way to connect to it...like USB?  You could take a laptop or put another computer on it that way.  If not, you could take the printer off the LAN and build your own two-device LAN with the printer and a computer connected by crossover cable or a small hub or switch.  Make the PC a device in the same segment as the printer and change it.

Or you could do a cold reset on the printer, in which case it would get an IP via DHCP if you're using that, and then you could access it via HP Jet Direct software.  http://www.laserquipt.com/support/idx/0/121/article/Cold-Reset-Steps-for-HP-Printers-.html
Sorry, managed to find the correct menu and gave the printer a manual IP.

Assuming it's now fixed, thanks for all your help.
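
Added example (not part of the original thread): a Python sketch of the tracing steps discussed above. It normalizes the zero-stripped MACs that macOS `arp -a` prints so they match the router table and the NAS warning, then flags any MAC claiming a static IP it does not own and labels it by vendor prefix. The function names, the `STATIC_OWNERS` inventory with its NAS MAC, and the sample ARP lines are constructed assumptions; only the conflict message and the HP prefix come from the thread.

```python
import re

# The thread reports this prefix resolving to Hewlett Packard; extend the
# map from the IEEE OUI registry for other vendors.
OUI_VENDORS = {"00:01:e6": "Hewlett Packard"}
# Expected owner of each static IP. The NAS MAC is a constructed placeholder.
STATIC_OWNERS = {"192.168.0.14": "02:00:00:00:00:14"}

ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]+) ")
LOG_RE = re.compile(r"MAC address ([0-9A-Fa-f:]+) claims to have our IP "
                    r"address \((\d+\.\d+\.\d+\.\d+)\)")

def normalize_mac(mac):
    """Zero-pad and lowercase: '0:1:E6:61:37:3F' -> '00:01:e6:61:37:3f'."""
    octets = mac.strip().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", o) for o in octets):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(o.lower().zfill(2) for o in octets)

def parse_arp(text):
    """Map IP -> normalized MAC; '(incomplete)' entries do not match."""
    return {m.group(1): normalize_mac(m.group(2))
            for m in map(ARP_RE.search, text.splitlines()) if m}

def parse_conflict(line):
    """Return (ip, mac) from the NAS warning, or None if the line differs."""
    m = LOG_RE.search(line)
    return (m.group(2), normalize_mac(m.group(1))) if m else None

def rogue_claimants(arp_table, conflicts=()):
    """List (ip, mac, vendor) for MACs seen on a static IP they do not own."""
    seen = set(arp_table.items()) | {c for c in conflicts if c}
    return [(ip, mac, OUI_VENDORS.get(mac[:8], "unknown vendor"))
            for ip, mac in sorted(seen)
            if ip in STATIC_OWNERS and mac != normalize_mac(STATIC_OWNERS[ip])]

# Constructed `arp -a` output in the macOS style (octets lose leading zeros).
SAMPLE_ARP = """\
? (192.168.0.1) at 2:0:0:aa:bb:1 on en0 [ethernet]
? (192.168.0.14) at 0:1:e6:61:37:3f on en0 [ethernet]
? (192.168.0.23) at 2:0:0:c:d:e on en0 [ethernet]
? (192.168.0.40) at (incomplete) on en0 [ethernet]
"""
# The NAS warning quoted in the thread.
SAMPLE_LOG = ("MAC address 00:01:E6:61:37:3F claims to have our IP address "
              "(192.168.0.14) (duplicate IP conflict likely)")

if __name__ == "__main__":
    hits = rogue_claimants(parse_arp(SAMPLE_ARP), [parse_conflict(SAMPLE_LOG)])
    for ip, mac, vendor in hits:
        print("%s claimed by %s (%s)" % (ip, mac, vendor))
```

The ARP cache holds only the MAC that answered most recently for an IP, so feeding in the NAS warning as well catches a claimant the cache has since replaced. The vendor prefix narrows the search to a manufacturer, not a device, which is why the printers' configuration pages still had to be checked by hand.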