Can an IP address be traced in a network?

We are running a network with a Windows 2003 Server and clients running Windows XP Professional. Somehow a node is pumping into the system a 192.168.x. IP address which is causing all kinds of hassles. Is there any way that this can be traced to where it is coming from?
Erwin Krisch asked:
Discusfish commented:
Yes. If you look on a machine that has a rogue IP address, use ipconfig /all to find the IP of the rogue machine.
Ping that machine.
Use arp -a to show you the physical addresses known to that machine (which will include the device acting as the rogue DHCP server).

Use the function in your managed switch(es) to find which port it's plugged into and go and kill the user responsible :)
0
packetguy commented:
I have two questions.

First, what specific kinds of problems is the rogue 192.168.x. device causing?

Second, what is the normal IP address range of your network? If it is not 192.168.x.x, then you will have to check your network border devices and servers to see if they can reveal the Ethernet hardware address, also called the MAC (Media Access Control) address, of the offending device. If you can determine the MAC address for the problem 192.168 address (e.g., by running the "arp -a" command on your Windows server), then post the MAC address here as well.
0
Discusfish commented:
p.s. in the IPCONFIG output, you're looking for the DHCP server IP, if that wasn't clear.
0
Erwin Krisch (Author) commented:
The problem it is causing is that some computers (too many) are picking up that address 192.168... and users can't log in to their domain accounts (the domain has an address 10.2.....).
0
packetguy commented:
OK, the problem is that you have some other device on your network acting as a DHCP server. Most likely this is a wireless router or cable modem that somebody has plugged in without understanding what it does. Have you installed any devices like this lately? One fix after locating this device, is to simply remove it. Another is to configure it to disable its DHCP server.
0
Discusfish commented:
DHCPloc, available in the Windows XP SP2 support tools update, should help you find the IP address of any DHCP server running on your network. Have a look at the answers in the other question on this subject you posted :)

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38
download of the support tools including DHCPloc.
0
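In principle, a tool like DHCPloc works by listening for DHCP OFFERs on the wire and reporting which server identifiers answer. The following is an added example, not code from the thread or from Microsoft's tool: it parses DHCP OFFER datagrams (BOOTP header, magic cookie, options 53 and 54) and flags any offer whose server is not on an allow-list or whose offered lease is outside the expected subnet. The two offers, the authorized server 10.2.0.1 and the rogue 192.168.1.1, are constructed sample data, not captures from the asker's network.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# DHCP/BOOTP layout (RFC 2131 / RFC 2132)
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236 fixed bytes before the magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_OFFER = 2


def build_offer(server_ip, offered_ip, xid=0x1234ABCD):
    """Construct a minimal DHCP OFFER for the demo (sample data, not a real capture)."""
    server = IPv4Address(server_ip).packed
    header = struct.pack(
        BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, IPv4Address(offered_ip).packed, server, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
               + bytes([OPT_SERVER_ID, 4]) + server
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp(packet):
    """Return the message type, server identifier (option 54) and offered address."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_HDR, packet[:236])
    yiaddr = IPv4Address(fields[8])          # 'your' address: the lease being handed out
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    server_id = IPv4Address(opts[OPT_SERVER_ID]) if len(opts.get(OPT_SERVER_ID, b"")) == 4 else None
    msg_type = opts[OPT_MSG_TYPE][0] if len(opts.get(OPT_MSG_TYPE, b"")) == 1 else None
    return {"msg_type": msg_type, "server_id": server_id, "yiaddr": yiaddr}


def find_rogue_offers(packets, authorized_servers, expected_net):
    """Flag OFFERs whose server is not on the allow-list or whose lease is off-subnet."""
    allowed = {IPv4Address(a) for a in authorized_servers}
    net = IPv4Network(expected_net)
    findings = []
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["msg_type"] != MSG_OFFER or info["server_id"] is None:
            continue
        reasons = []
        if info["server_id"] not in allowed:
            reasons.append("unknown server")
        if info["yiaddr"] not in net:
            reasons.append("offer outside %s" % net)
        if reasons:
            findings.append((str(info["server_id"]), str(info["yiaddr"]), reasons))
    return findings


# Constructed sample: the legitimate 10.2.x.x server plus a rogue 192.168.x.x device
SAMPLE_OFFERS = [
    build_offer("10.2.0.1", "10.2.5.20"),
    build_offer("192.168.1.1", "192.168.1.100"),
]

if __name__ == "__main__":
    for server, lease, why in find_rogue_offers(SAMPLE_OFFERS, ["10.2.0.1"], "10.2.0.0/16"):
        print("rogue DHCP server %s offered %s: %s" % (server, lease, ", ".join(why)))
```

Feeding real traffic in would mean binding a UDP socket on port 68 and passing each received datagram to parse_dhcp; the parser tolerates pad options and rejects truncated option bodies rather than reading past the end of the packet.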
Rick_O_Shay commented:
Have you tracked down that mac address yet?
0
Erwin Krisch (Author) commented:
We are still working on the suggestions above. We need some time to sort all out.
0
Erwin Krisch (Author) commented:
All our computers (about 300 of them) have a unique computer name as an identifier. Is there any utility built in to the OS or obtainable on the Internet that will read the IP addresses on the network, where instead of getting their MAC address we get their related computer name? We don't have a table in the building relating MAC and location, nor do we have access to our managed switches, but we can find any computer in the building if we know the name of the computer. At least the name of the machines which are not wireless. This would, somehow, solve the problem of finding the rogue node if it is one of our wired nodes. It would narrow the scope of our search.
0
androidx219 commented:
Cain & abel software can list the computer names along with their ip addresses on a network scan, but the scanning machine should be on the same subnet.
0
Discusfish commented:
burgkinstadt:
Assuming you've never registered the rogue access point, it won't have your handily assigned unique name, so you won't know where it is.
You *have* to use the MAC address method, which means you have to use the switching infrastructure to find it and take it down. I don't know of any other tool that will do this, because the switching infrastructure tends to be transparent to most protocols (on purpose).

Your other rather unpleasant option is to pull out network connections one by one from the switch until the rogue point stops responding to ping requests. Doing this to over 300 connections is going to be unpleasant, and annoy a lot of users.

You could also send out an email asking who the hell plugged in an access point and where...
0
Rick_O_Shay commented:
The free version of SolarWinds ip address tracker will find the IP to DNS name association for each of your subnets.
As stated above you will still have to go into the switches and find what port this device is connected to by looking at their mac address tables.
To find the mac you are looking for go to one of the PCs that has received a DHCP address from the rogue server and do an ipconfig /all to get the DHCP server's IP address. Then do an arp -a to see what mac is associated with that IP. If it isn't in the arp cache ping that address and look again. Once you record the mac address go into the switches and find what port that mac is originating on.
If your switches support it you may be able to use DHCP snooping to prevent this kind of behavior from an unauthorized DHCP server.
0
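The ipconfig /all then arp -a procedure above (also described in Discusfish's first reply) can be scripted so the DHCP server IP and its MAC are pulled out of the command output without reading it by eye. This is an added example, not code from the thread: the two text blocks are constructed in the Windows XP output format and are not captures from the asker's network, and the authorized-server list is an assumption. The MAC it returns is what you then look up in the switch forwarding tables.

```python
import re

# Constructed sample of "ipconfig /all" on a client that took the rogue lease
IPCONFIG_SAMPLE = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0C-29-3A-5B-7C
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample of "arp -a" on the same client after pinging the DHCP server
ARP_SAMPLE = """
Interface: 192.168.1.101 --- 0x2
  Internet Address      Physical Address      Type
  10.2.0.1              00-50-56-11-22-33     dynamic
  192.168.1.1           00-1B-2F-AA-BB-CC     dynamic
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"


def dhcp_servers(ipconfig_text):
    """Every 'DHCP Server' value in ipconfig /all output, one per DHCP-enabled adapter."""
    return re.findall(r"DHCP Server[ .]*:\s*" + IPV4, ipconfig_text)


def arp_table(arp_text):
    """Map IP -> MAC (upper-cased, Windows dash notation) from 'arp -a' output."""
    return {ip: mac.upper()
            for ip, mac in re.findall(r"^\s*" + IPV4 + r"\s+" + MAC, arp_text, re.M)}


def locate_rogue_dhcp(ipconfig_text, arp_text, authorized):
    """Pair each unauthorized DHCP server IP with its MAC (None if not yet in the ARP cache,
    which is the cue to ping the address and run arp -a again)."""
    cache = arp_table(arp_text)
    allowed = set(authorized)
    return [(ip, cache.get(ip)) for ip in dhcp_servers(ipconfig_text) if ip not in allowed]


def oui(mac):
    """First three octets of a MAC: the vendor prefix to look up in the IEEE OUI registry."""
    return mac.upper()[:8]


if __name__ == "__main__":
    for ip, mac in locate_rogue_dhcp(IPCONFIG_SAMPLE, ARP_SAMPLE, ["10.2.0.1"]):
        print("rogue DHCP server %s has MAC %s (vendor prefix %s)" % (ip, mac, oui(mac) if mac else "?"))
```

The vendor prefix is worth recording alongside the MAC: it often tells you whether you are hunting a consumer wireless router or a PC before you ever reach the switch, which is the kind of device packetguy suspects.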
packetguy commented:
I've been through this process many times in the past, and I concur: you either need access to the managed switches, or do the unplug thing. However, you don't have to unplug one at a time. A faster way is to disco half the network each time, reducing the range by half at each iteration. So first unplug 150 users or so, which you can do by unplugging a group of switch uplinks at one time. If the ping stops you know the interloper is in that half of your network. If it doesn't, then you know it's in the other half. Repeat the process with the half of the network where the target lives to keep narrowing down the suspect group. It's called a Binary Search, and will quickly converge on the evil port in just seven or eight iterations. The suspect population will fall from 150 to 75 to 38 to 19 to 9 to 4 to 2 to 1, depending on how precisely you can test each group in half.

I used to use this technique back before managed switches on a university network with 1500 devices. Took only a few minutes to isolate a device. If downtime is an issue, you can do it at night.  
0
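The halving procedure packetguy describes, written out as an added example (not code from the thread) so the bookkeeping is explicit: the candidate set of ports is split in half, the first half is unplugged, and a reachability check (a ping in practice) decides which half keeps the rogue. The simulation below stands in for the real ping with an oracle that knows the answer; in use you would replace rogue_still_reachable with a function that unplugs the given uplinks and pings the rogue server's address. The 300-port population and the port number are constructed.

```python
def bisect_ports(ports, rogue_still_reachable):
    """Locate the one port behind which the rogue device lives by repeated halving.

    rogue_still_reachable(unplugged) must return True if the rogue still answers
    ping while the ports in 'unplugged' are disconnected.
    Returns (port, sizes) where sizes is the suspect-group size after each step.
    """
    candidates = list(ports)
    sizes = [len(candidates)]
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        # Disconnect 'half': if the rogue still answers it must be in the other half
        if rogue_still_reachable(set(half)):
            candidates = candidates[len(half):]
        else:
            candidates = half
        sizes.append(len(candidates))
    return candidates[0], sizes


def simulate(n_ports, rogue_port):
    """Dry run with an oracle standing in for the physical unplug-and-ping test."""
    ports = ["port-%d" % i for i in range(1, n_ports + 1)]

    def reachable(unplugged):
        return rogue_port not in unplugged

    return bisect_ports(ports, reachable)


if __name__ == "__main__":
    found, sizes = simulate(300, "port-217")
    print("found %s after %d checks; suspect group shrank %s" % (found, len(sizes) - 1, sizes))
```

For 300 ports the suspect group shrinks 300, 150, 75, 38, 19, 10, 5, 2, 1, which is eight checks; the bound is the ceiling of log2 of the port count, so even 1500 devices needs at most eleven unplug rounds.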