
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 383
  • Last Modified:

Can an IP address be traced in a network?

We are running a network with a Windows 2003 Server and clients running Windows XP Professional. Somehow a node is pumping a 192.168.x.x IP address into the system, which is causing all kinds of hassles. Is there any way that this can be traced to where it is coming from?
0
Asked by: Erwin Krisch
4 Solutions
 
Discusfish commented:
Yes. If you look on a machine that has a rogue IP address:
- Use ipconfig /all to find the IP of the rogue machine.
- Ping that machine.
- Use arp -a to show you the physical addresses known to that machine (which will include the device acting as the rogue DHCP server).

Use the function in your managed switch(es) to find which port it's plugged into and go and kill the user responsible :)
0
 
packetguy commented:
I have two questions.

First, what specific kinds of problems is the rogue 192.168.x. device causing?

Second, what is the normal IP address range of your network? If it is not 192.168.x.x, then you will have to check your network border devices and servers to see if they can reveal the Ethernet hardware address, also called the MAC (Media Access Control) address, of the offending device. If you can determine the MAC address for the problem 192.168 address (e.g., by running the "arp -a" command on your Windows server), then post the MAC address here as well.
0
 
Discusfish commented:
P.S. In the IPCONFIG output, you're looking for the DHCP server IP, if that wasn't clear.
0
 
Erwin Krisch (Author) commented:
The problem it is causing is that some computers (too many) are picking up that 192.168.x.x address and users can't log in to their domain accounts (the domain has a 10.2.x.x address).
0
 
packetguy commented:
OK, the problem is that you have some other device on your network acting as a DHCP server. Most likely this is a wireless router or cable modem that somebody has plugged in without understanding what it does. Have you installed any devices like this lately? One fix, after locating this device, is simply to remove it. Another is to configure it to disable its DHCP server.
0
 
Discusfish commented:
DHCPloc, available in the Windows XP SP2 support tools, should help you find the IP address of any DHCP server running on your network. Have a look at the answers in the other question on this subject you posted :)

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38 (download of the support tools, including DHCPloc).
0
 
Rick_O_Shay commented:
Have you tracked down that MAC address yet?
0
 
Erwin Krisch (Author) commented:
We are still working on the suggestions above. We need some time to sort it all out.
0
 
Erwin Krisch (Author) commented:
All our computers (about 300 of them) have a unique computer name as an identifier. Is there any utility built into the OS or obtainable on the Internet that will read the IP addresses on the network, where instead of getting their MAC address we get their related computer name? We don't have a table in the building relating MAC and location, nor do we have access to our managed switches, but we can find any computer in the building if we know the name of the computer. At least the names of the machines which are not wireless. This would, somehow, solve the problem of finding the rogue node if it is one of our wired nodes. It would narrow the scope of our search.
0
 
androidx219 commented:
Cain & Abel software can list the computer names along with their IP addresses on a network scan, but the scanning machine should be on the same subnet.
0
 
Discusfish commented:
burgkinstadt:
Assuming you've never registered the rogue access point, it won't have your handily assigned unique name, so you won't know where it is.
You *have* to use the MAC address method, which means you have to use the switching infrastructure to find it and take it down. I don't know of any other tool that will do this, because the switching infrastructure tends to be transparent to most protocols (on purpose).

Your other rather unpleasant option is to pull out network connections one by one from the switch until the rogue point stops responding to ping requests. Doing this to over 300 connections is going to be unpleasant, and annoy a lot of users.

You could also send out an email asking who the hell plugged in an access point and where...
0
 
Rick_O_Shay commented:
The free version of SolarWinds IP Address Tracker will find the IP to DNS name association for each of your subnets.
As stated above, you will still have to go into the switches and find what port this device is connected to by looking at their MAC address tables.
To find the MAC you are looking for, go to one of the PCs that has received a DHCP address from the rogue server and do an ipconfig /all to get the DHCP server's IP address. Then do an arp -a to see what MAC is associated with that IP. If it isn't in the ARP cache, ping that address and look again. Once you record the MAC address, go into the switches and find what port that MAC is originating on.
If your switches support it you may be able to use DHCP snooping to prevent this kind of behavior from an unauthorized DHCP server.
0
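The ipconfig /all and arp -a steps above (also given in Discusfish's first answer) can be applied to command output copied from an affected client. This is an added example, not code from any poster; the command output, the client details and the authorized server address 10.2.0.10 are constructed for illustration.

```python
import re

# Constructed sample in the style of Windows XP `ipconfig /all` output
# from a client that took a lease from the unknown 192.168.x.x server.
IPCONFIG_SAMPLE = """
        Host Name . . . . . . . . . . . . : WS-LAB-017
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-0C-29-3A-5B-7C
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample output of `arp -a` run on the same client.
ARP_SAMPLE = """
Interface: 192.168.1.105 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-18-f8-aa-bb-cc     dynamic
  192.168.1.20          00-0c-29-11-22-33     dynamic
"""

# Assumed: the site's only legitimate DHCP server, on the 10.2.x.x network.
AUTHORIZED_DHCP = {"10.2.0.10"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DHCP_RE = re.compile(r"DHCP Server[\s.]*:\s*" + IPV4, re.IGNORECASE)
ARP_RE = re.compile(r"^\s*" + IPV4 + r"\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})",
                    re.IGNORECASE | re.MULTILINE)

def dhcp_servers(ipconfig_text):
    """Every DHCP Server address listed in ipconfig /all (one per adapter)."""
    return DHCP_RE.findall(ipconfig_text)

def arp_table(arp_text):
    """Map IP -> MAC from arp -a output, MAC normalised to lower case."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(arp_text)}

def find_rogue_dhcp(ipconfig_text, arp_text, authorized=AUTHORIZED_DHCP):
    """(server_ip, mac) of the first DHCP server not on the authorized list,
    or None. mac is None when the server is not in the ARP cache yet: ping
    it and re-run arp -a, as the answer above says."""
    arp = arp_table(arp_text)
    for server in dhcp_servers(ipconfig_text):
        if server not in authorized:
            return server, arp.get(server)
    return None
```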
 
packetguy commented:
I've been through this process many times in the past, and I concur: you either need access to the managed switches, or do the unplug thing. However, you don't have to unplug one at a time. A faster way is to disconnect half the network each time, reducing the range by half at each iteration. So first unplug 150 users or so, which you can do by unplugging a group of switch uplinks at one time. If the ping stops, you know the interloper is in that half of your network. If it doesn't, then you know it's in the other half. Repeat the process with the half of the network where the target lives to keep narrowing down the suspect group. It's called a binary search, and will quickly converge on the evil port in just seven or eight iterations. The suspect population will fall from 150 to 75 to 38 to 19 to 9 to 4 to 2 to 1, depending on how precisely you can split each group in half.

I used to use this technique back before managed switches on a university network with 1500 devices. It took only a few minutes to isolate a device. If downtime is an issue, you can do it at night.
0
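A model of the halving procedure packetguy describes, written as an added example rather than anything the posters supplied; the uplink identifiers and the rogue's location are constructed, and the oracle function stands in for the "unplug a group of uplinks and ping" test.

```python
import math

def isolate_rogue_port(uplinks, rogue_still_responds):
    """Bisection over switch uplink groups, as described in the post above.

    uplinks: identifiers of the uplinks, each feeding a group of user ports.
    rogue_still_responds(disconnected): oracle standing in for 'unplug this
    set of uplinks, then ping the rogue'; True if it still answers.
    Returns (uplink carrying the rogue, number of unplug-and-ping rounds).
    """
    candidates = list(uplinks)
    rounds = 0
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        rounds += 1
        if rogue_still_responds(set(half)):
            candidates = candidates[len(half):]  # ping survived: other half
        else:
            candidates = half                    # ping stopped: unplugged half
    return candidates[0], rounds

def worst_case_rounds(n):
    """Upper bound on rounds for n candidates: ceil(log2 n)."""
    return math.ceil(math.log2(n)) if n > 1 else 0

# Constructed scenario: 12 uplinks serving about 300 ports; the rogue DHCP
# server hangs off uplink 'U07'. Nothing here touches a real network.
UPLINKS = [f"U{i:02d}" for i in range(1, 13)]
ROGUE_UPLINK = "U07"

def simulated_oracle(disconnected):
    """Pretend the rogue answers ping unless its uplink is in the unplugged set."""
    return ROGUE_UPLINK not in disconnected

if __name__ == "__main__":
    port, rounds = isolate_rogue_port(UPLINKS, simulated_oracle)
    bound = worst_case_rounds(len(UPLINKS))
    print(f"rogue on {port} after {rounds} rounds (bound {bound})")
```

Bisecting over uplinks rather than individual ports keeps the round count to ceil(log2 of the number of groups), at the cost of disrupting every user behind the unplugged group during each test.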
