Locating IP address origin.

William Brannon
Last Modified: 2019-08-05
Can someone help me determine how to find out where the IP address of 10.1.1.115 lives on my network? It appears to be a webpage. I'd like to turn it off with the ability to turn it back on, then see if anyone complains that they are missing something.

Message meets Alert condition
Virus/Worm detected: HTML/Framer.INF!tr Protocol: "HTTP" Email Address From:  Email Address To:
VIRUS REFERENCE URL: http://www.fortinet.com/ve?vn=HTML%2FFramer.INF%21tr
date=2019-08-02 time=09:04:13 devname=FG-Corporate devid=FG100D3G14808552 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1564751053 msg="File is infected." action="blocked" service="HTTP" sessionid=106413455 srcip=10.1.1.115 dstip=208.91.196.145 srcport=49975 dstport=80 srcintf="lan" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" policyid=92 proto=6 direction="incoming" quarskip="File-was-not-quarantined." virus="HTML/Framer.INF!tr" dtype="Virus" ref="http://www.fortinet.com/ve?vn=HTML%2FFramer.INF%21tr" virusid=8054799 url="http://ww1.useyourinterface.com/" profile="default" agent="Mozilla/5.0" analyticscksum="0a449968f2e6c0c358cecf9365b94041399735926a25573e1e37fbdb4e741f05" analyticssubmit="false" crscore=50 crlevel="critical"

Robert, System Admin
CERTIFIED EXPERT

Commented:
You could use the ARP tables to track which port it is plugged into. (or if you have a good inventory that includes the MAC)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Robert hit the nail on the head. Especially if you have managed switches, this shouldn't be too bad. Also, is that IP static or dynamic?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can get Advanced IP Scanner (free from Famatech). That will list IP addresses and computer names. So that may also help you.
William Brannon, Director of Program Technology

Author

Commented:
Googling what I can about the ARP command. It doesn't appear that it will give me device name, correct?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What type of switches do you have? ARP tables will let you know the port on a switch where a particular MAC address can be found (which you could shut down without having to physically locate the device). If the device/system got its IP via DHCP, then you will be able to see its MAC address. You may be able to get IP info also. Depends on what you have on your network....

Using a program like Angry IP Scanner will let you scan the entire subnet and it will try to look up the machine name. That may or may not help. Worth a shot.

Internal DNS would let you match up a machine name w/ an IP address.
Sr. Network Engineer
CERTIFIED EXPERT
Commented:
Actually - the ARP table will give you the IP to MAC translation/assignment. You then would use the MAC address table to find the port the MAC resides on. These are both on your switches.

Depending on the type of switches, you may be able to do a layer 2 trace as well.

Generally on a switch your relevant commands are going to be:

show ip arp
or
show ip arp 10.1.1.115

This returns the MAC address of the associated IP.

Then run show mac- xxxx.yyyy.zzzz where xyz is the MAC address from the show arp above

This should return the port availability
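
The two-step lookup described in this answer (ARP table for IP to MAC, then MAC address table for MAC to port), starting from the firewall alert in the question, as an added example that is not part of the original thread. The table text is constructed sample data in an assumed Cisco IOS-style layout (the thread names no switch vendor), and all function names are hypothetical.

```python
import re
import shlex

# Constructed sample data. ALERT is a shortened copy of the alert in the
# question; the two tables are made up and assume Cisco IOS-style columns.
ALERT = ('date=2019-08-02 time=09:04:13 subtype="virus" action="blocked" '
         'service="HTTP" srcip=10.1.1.115 dstip=208.91.196.145 msg="File is infected."')
ARP_OUTPUT = """\
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.1              -  0011.2233.0001  ARPA  Vlan1
Internet  10.1.1.115           12  0011.2233.4455  ARPA  Vlan1
"""
MAC_OUTPUT = """\
Vlan    Mac Address       Type        Ports
   1    0011.2233.0001    DYNAMIC     Gi1/0/48
   1    0011.2233.4455    DYNAMIC     Gi1/0/12
"""

def parse_alert(line):
    """Split a key=value firewall log line, keeping quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def norm_mac(text):
    """Reduce dotted/colon/dash MAC notation to 12 hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    return digits if len(digits) == 12 else None

def mac_for_ip(arp_text, ip):
    """Step 1: ARP table, IP -> MAC. Whole-field match, so 10.1.1.1 != 10.1.1.115."""
    for line in arp_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == ip:
            return norm_mac(f[3])  # None for an unresolved (incomplete) entry
    return None  # no entry: host idle, or it sits behind another router

def port_for_mac(mac_text, mac):
    """Step 2: MAC address table, MAC -> switch port (last column)."""
    for line in mac_text.splitlines():
        f = line.split()
        if len(f) >= 4 and norm_mac(f[1]) == mac:
            return f[-1]
    return None

def locate(alert_line, arp_text, mac_text):
    """Return (source IP from the alert, its MAC, the port it was learned on)."""
    ip = parse_alert(alert_line)["srcip"]
    mac = mac_for_ip(arp_text, ip)
    return ip, mac, (port_for_mac(mac_text, mac) if mac else None)
```

If the port returned is an uplink or trunk to another switch, the MAC was learned from downstream, so repeat the MAC table lookup on that switch.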
atlas_shuddered, Sr. Network Engineer
CERTIFIED EXPERT

Commented:
Another thing you could do to get the MAC is check your DHCP tables for the IP assignment and look for the MAC that is associated.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Did you try the suggestions above, including the IP Scanner referenced?
William Brannon, Director of Program Technology

Author

Commented:
I think Robert should also get some points for this solution as he originally set the direction for the solution. All of the information was helpful. Thanks for your help.