Solved

Can an IP address be traced in a network?

Posted on 2010-01-13
369 Views
Last Modified: 2012-05-08
We are running a network with a Windows 2003 Server and clients running Windows XP Professional.  Somehow a node is pumping into the system a 192.168... IP address which is causing all kinds of hassles. Is there any way that this can be traced to where it is coming from?
0
Question by:Erwin Krisch
13 Comments
 
LVL 6

Expert Comment

by:Discusfish
ID: 26302418
Yes. If you look on a machine that has a rogue IP address, use ipconfig /all to find the IP of the rogue machine.
ping that machine
use arp -a to show you the physical addresses known to that machine (which will include the device acting as the rogue DHCP server)

Use the function in your managed switch(es) to find which port it's plugged into and go and kill the user responsible :)
0
 
LVL 11

Expert Comment

by:packetguy
ID: 26302420
I have two questions.

First, what specific kinds of problems is the rogue 192.168.x. device causing?

Second, what is the normal IP address range of your network? If it is not 192.168.x.x, then you will have to check your network border devices and servers to see if they can reveal the Ethernet hardware address, also called the MAC (Media Access Control) address, of the offending device. If you can determine the MAC address for the problem 192.168 address (e.g., by running the "arp -a" command on your Windows server), then post the MAC address here as well.
0
 
LVL 6

Expert Comment

by:Discusfish
ID: 26302425
p.s. in the IPCONFIG output, you're looking for the DHCP server IP, if that wasn't clear.
0
 

Author Comment

by:Erwin Krisch
ID: 26302756
The problem it is causing is that some computers (too many) are picking up that address 192.168... and users can't log in to their domain accounts (the domain has an address 10.2.....).
0
 
LVL 11

Expert Comment

by:packetguy
ID: 26302771
OK, the problem is that you have some other device on your network acting as a DHCP server. Most likely this is a wireless router or cable modem that somebody has plugged in without understanding what it does. Have you installed any devices like this lately? One fix, after locating this device, is to simply remove it. Another is to configure it to disable its DHCP server.
0
 
LVL 6

Accepted Solution

by:
Discusfish earned 1000 total points
ID: 26302801
DHCPloc, available in the Windows XP SP2 update, should help you find the IP address of any DHCP server running on your network. Have a look at the answers in the other question on this subject you posted :)

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38
Download of the Support Tools, including DHCPloc.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26309826
Have you tracked down that MAC address yet?
0
 

Author Comment

by:Erwin Krisch
ID: 26312145
We are still working on the suggestions above. We need some time to sort all out.
0
 

Author Comment

by:Erwin Krisch
ID: 26312212
All our computers (about 300 of them) have a unique computer name as an identifier. Is there any utility built into the OS or obtainable on the Internet that will read the IP addresses on the network, where instead of getting their MAC address we get their related computer name? We don't have a table in the building relating MAC and location, nor do we have access to our managed switches, but we can find any computer in the building if we know the name of the computer. At least the name of the machines which are not wireless. This would, somehow, solve the problem of finding the rogue node if it is one of our wired nodes. It would narrow the scope of our search.
0
 
LVL 1

Expert Comment

by:androidx219
ID: 26312623
Cain & Abel software can list the computer names along with their IP addresses on a network scan, but the scanning machine should be on the same subnet.
0
 
LVL 6

Assisted Solution

by:Discusfish
Discusfish earned 1000 total points
ID: 26313289
burgkinstadt:
Assuming you've never registered the rogue access point, it won't have your handily assigned unique name, so you won't know where it is.
You *have* to use the MAC address method, which means you have to use the switching infrastructure to find it and take it down. I don't know of any other tool that will do this, because the switching infrastructure tends to be transparent to most protocols (on purpose).

Your other rather unpleasant option is to pull out network connections one by one from the switch until the rogue point stops responding to ping requests. Doing this to over 300 connections is going to be unpleasant, and annoy a lot of users.

You could also send out an email asking who the hell plugged in an access point and where...
0
 
LVL 21

Assisted Solution

by:Rick_O_Shay
Rick_O_Shay earned 500 total points
ID: 26313796
The free version of SolarWinds IP Address Tracker will find the IP to DNS name association for each of your subnets.
As stated above, you will still have to go into the switches and find what port this device is connected to by looking at their MAC address tables.
To find the MAC you are looking for, go to one of the PCs that has received a DHCP address from the rogue server and do an ipconfig /all to get the DHCP server's IP address. Then do an arp -a to see what MAC is associated with that IP. If it isn't in the ARP cache, ping that address and look again. Once you record the MAC address, go into the switches and find what port that MAC is originating on.
If your switches support it you may be able to use DHCP snooping to prevent this kind of behavior from an unauthorized DHCP server.
0
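The ipconfig /all, then arp -a, procedure that Discusfish and Rick_O_Shay describe can be scripted against captured command output, so the rogue server's IP and MAC are extracted consistently on every affected PC. This is an added example, not code from the thread; the ipconfig and arp output, the 192.168.1.x addresses and MACs, and the authorized DHCP server list are constructed placeholders.

```python
import re

# Constructed sample of "ipconfig /all" output in the Windows XP layout (placeholder values).
IPCONFIG_SAMPLE = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample of "arp -a" output taken on the same PC (placeholder values).
ARP_SAMPLE = """
Interface: 192.168.1.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.50          00-11-22-33-44-55     dynamic
"""

# Placeholder: the site's legitimate DHCP server(s) on the 10.2.x.x range.
AUTHORIZED_DHCP = {"10.2.0.1"}


def dhcp_server_from_ipconfig(text):
    """Return the 'DHCP Server' address ipconfig /all reports, or None if the adapter has none."""
    m = re.search(r"DHCP Server[ .]*: *(\d+\.\d+\.\d+\.\d+)", text, re.IGNORECASE)
    return m.group(1) if m else None


def mac_from_arp(text, ip):
    """Return the MAC cached for ip in arp -a output, or None (then ping ip and re-run arp -a)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            return parts[1].lower()
    return None


def find_rogue_dhcp(ipconfig_text, arp_text, authorized):
    """Flag the DHCP server the client used if it is not on the authorized list; return its IP and MAC."""
    server = dhcp_server_from_ipconfig(ipconfig_text)
    if server is None or server in authorized:
        return None
    return {"dhcp_server": server, "mac": mac_from_arp(arp_text, server)}
```

The returned MAC is what you then look up in the switch MAC address tables to find the port; a None MAC means the ARP cache was empty and the ping-then-arp step still needs to be done.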
 
LVL 11

Assisted Solution

by:packetguy
packetguy earned 500 total points
ID: 26315179
I've been through this process many times in the past, and I concur: you either need access to the managed switches, or do the unplug thing. However, you don't have to unplug one at a time. A faster way is to disco half the network each time, reducing the range by half at each iteration. So first unplug 150 users or so, which you can do by unplugging a group of switch uplinks at one time. If the ping stops you know the interloper is in that half of your network. If it doesn't, then you know it's in the other half. Repeat the process with the half of the network where the target lives to keep narrowing down the suspect group. It's called a Binary Search, and will quickly converge on the evil port in just seven or eight iterations. The suspect population will fall from 150 to 75 to 38 to 19 to 9 to 4 to 2 to 1, depending on how precisely you can test each group in half.

I used to use this technique back before managed switches on a university network with 1500 devices. Took only a few minutes to isolate a device. If downtime is an issue, you can do it at night.  
0
