opq

Locating A Rogue PC


Hi,

Lately on a LAN there's been a machine with a fake IP and MAC address generating traffic and slowing down the LAN. Does anyone have any experience or advice locating culprits like this? It's a 500 PC network so disconnecting individual nodes won't really help.

Thanks.


Well, I've never touched managed switches, but I think they have something that might help you (maybe a laptop with a packet sniffer you could connect to the different switches and have the ports mirrored/replicated over to the one the laptop is on?).

You could disconnect switches at a time ;) to narrow it down.

If you have a database of legitimate users, you can compare what legitimate users you are getting traffic from, to see if it's a corrupted legit user, or something foreign completely.

But that's just me speaking out of my non-networking-admin'ing ass.


Any wireless on the network? That can complicate your life infinitely more to try to find the box as it could even be outside the confines of your office. If it is all hard wired, then using some kind of port monitoring on each switch will help you isolate it. For the future, getting switches that support SNMP is very useful as you'll be able to monitor traffic via a web-based interface with graphs to see what ports are using how much bandwidth and at what intervals with MRTG or similar.


There are about 500 PCs so disconnecting bits probably won't be possible.

Yes we have wireless but I don't think the traffic is coming from the wireless (we've pulled the plug from the wireless APs)

MRTG won't really help because it'll only give me an idea of the throughput in general.

Thanks for the suggestions though.


Having managed switches in the core of your network would simplify matters greatly. Many managed switches allow you to look at their MAC address table, which would tell you which port a MAC address is associated with.

Assuming simple switches, the only way I see to find a rogue machine would be to set up a laptop with a packet sniffer and use a hub to insert it into various sections of your LAN. My understanding is that modern Ethernet switches do not forward all network traffic to each switch port, so you can use this method to isolate which portion of your network the machine is in.

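The two ideas above (compare senders against the inventory of legitimate machines, then look the MAC up in the managed switch's MAC address table) combined into one script. This is an added example, not code from anyone in the thread; the sniffer sample, inventory, and switch table dump are constructed, and the port names are hypothetical.

```python
from collections import Counter

# Constructed sniffer sample (source MAC, source IP, frame length in bytes).
FRAMES = [
    ("00:1a:2b:3c:4d:01", "10.0.0.11", 1514),
    ("00:1a:2b:3c:4d:02", "10.0.0.12", 98),
    ("de:ad:be:ef:00:01", "127.0.0.1", 1514),  # bogus source, like the one in the thread
    ("de:ad:be:ef:00:01", "127.0.0.1", 1514),
    ("de:ad:be:ef:00:01", "127.0.0.1", 1514),
]
# Constructed inventory: MAC -> asset tag of the machine it was issued to.
INVENTORY = {"00:1a:2b:3c:4d:01": "WS-0011", "00:1a:2b:3c:4d:02": "WS-0012"}
# Constructed managed-switch MAC table dump (Cisco-style columns, hypothetical ports).
MAC_TABLE = """\
Vlan    Mac Address         Type        Ports
----    -----------         ----        -----
  10    001a.2b3c.4d01      DYNAMIC     Gi1/0/7
  10    001a.2b3c.4d02      DYNAMIC     Gi1/0/8
  10    dead.beef.0001      DYNAMIC     Gi1/0/23
"""

def normalize_mac(mac):
    """Accept 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff' or 'aa:bb:...'; return 'aa:bb:cc:dd:ee:ff'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(dump):
    """Map MAC -> switch port from a CLI table dump; header and separator lines are skipped."""
    table = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            table[normalize_mac(fields[1])] = fields[3]
    return table

def bytes_by_mac(frames):
    """Total bytes sent per source MAC, heaviest sender first."""
    totals = Counter()
    for mac, _ip, length in frames:
        totals[normalize_mac(mac)] += length
    return totals.most_common()

def locate_rogues(frames, inventory, mac_table):
    """(mac, bytes, port) for every sender not in the inventory, heaviest first.
    A spoofed MAC is still learned on the port it arrives through; port is None
    when this switch has not seen it (then move the tap to the next switch down)."""
    return [(mac, total, mac_table.get(mac))
            for mac, total in bytes_by_mac(frames) if mac not in inventory]
```

If the port reported is an uplink to another switch, repeat the table lookup on that switch until the port is an edge port.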

Although it's not strictly a techie solution, if you have a current and accurate physical inventory of your machines, you could walk the building physically looking for the oddball out. When I worked at a building with about 350 machines, we could pick out the odd machine in about 1/2 hr using 2 people to look. We were never looking for zombie machines, just unauthorized computers on the network (usually brought in by employees who thought they would use the organization as their own personal LAN party or porn repository). It was a small private school and at the time, managed switches, packet sniffers, etc. were too far out of the price range.

Chris


We have a core switch, and even disconnected parts of the network, but apparently the BT traffic is coming from the core switch itself.


What kind of gear do you have, and what is the IP and MAC address that you're seeing?

It's a 3Com 4400 I think. According to logs the source is 127.0.0.1 O.o.


Kick your switch. Kicking always fixes computers :lol: .

If the switch is acting up then disconnect it, pray, burn an effigy of the devil, and power it back up.
