identify a machine
16 years 10 months ago #24374
by venusdoom
identify a machine was created by venusdoom
Hi,
I'm a newbie in networking. I received a case where I need to locate a machine (with a given IP address). This machine performed queries toward our cluster nodes, which affected the nodes' performance. I need to locate the IP before disconnecting the machine from accessing the network. The thing is, when I did a simple ping, it's unreachable/request timed out. I used an IP locator, but it was unable to locate the address.
16 years 10 months ago #24389
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: identify a machine
Sounds like the IP address may be spoofed. I am guessing that the address is coming from a subnet within your network? Where are you noticing the address (i.e. is it on a device on the same subnet)?
If it's on the same subnet, look at the ARP cache on that machine to try and identify the MAC address. It may be that this hasn't been spoofed and can help to identify the host in question using the Data Link Layer address.
If the address is from a routed subnet, you will need to locate your Next Hop Gateway on that subnet where the rogue IP Address is coming from and check the ARP cache on that to try and identify it.
If it isn't showing up, then it may be being spoofed from a host on a completely different subnet. If that's the case you can add access-lists to ensure that spoofed traffic cannot come from other subnets to try and help mitigate (a little) from this.
i.e. if you have a subnet 192.168.0.0/16, on the router attached to this subnet you could have a few access lists to block traffic from anything other than this address range. It may be a little OTT on the internal network, but this practice should be applied on the Ingress/Egress of your Internet-facing firewall/router. It's known as RFC1918 filtering.
16 years 10 months ago #24400
by GTM
Replied by GTM on topic Re: identify a machine
I'm quite new to this myself, so if this is useless info to you, sorry. One thing I would do if I cannot route to a particular host would be to add a static route on the machine I'm pinging from, or RDP onto a box I know can access all areas of our network, say for example a DNS or DHCP server, and try the connection from there.
16 years 10 months ago #24537
by ramasamy
Replied by ramasamy on topic Re: identify a machine
Hi,
If the IP address is in your LAN segment then place the system on the same segment and try to ping the IP address even though you are not getting the reply.
Then execute the command arp -a in the command prompt.
You will get the MAC address of that system.
Log in to your core switch and execute the command
show mac-address-table | include 000e.d861.2b27 (the MAC address which you got)
You can see the entry on the trunk interface. Check which access switch is connected to that port and execute the same command in the access switch.
Now you will get the port to which the system is connected, and now you can shut down the port.
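The procedure in this reply (ping, arp -a, then `show mac-address-table | include <mac>` down to the access port), plus Smurf's point about checking the next-hop gateway's ARP cache when nothing is learned locally, as an added example that is not from the thread: a small Python script that parses `arp -a` and `show mac-address-table` output, converts the MAC into the switch's dotted notation, and reports what to do next. The sample output, addresses and port names are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (not from the thread).
ARP_A_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          00-0e-d8-61-2b-27     dynamic
"""

# Constructed sample of Cisco `show mac-address-table` output (not from the thread).
MAC_TABLE_OUTPUT = """
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi1/0/24
   1    000e.d861.2b27    DYNAMIC     Gi1/0/1
"""

def mac_from_arp(arp_output, ip):
    """MAC learned for `ip` in arp -a output, or None when the host never answered ARP."""
    pat = re.compile(r"^\s*" + re.escape(ip) + r"\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.M | re.I)
    m = pat.search(arp_output)
    return m.group(1).lower() if m else None

def to_cisco_format(mac):
    """00-0e-d8-61-2b-27 or 00:0E:D8:61:2B:27 -> 000e.d861.2b27 (the switch's notation)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def port_for_mac(table_output, cisco_mac):
    """(vlan, port) on which the switch learned cisco_mac, or None if not in the table."""
    pat = re.compile(r"^\s*(\d+)\s+" + re.escape(cisco_mac) + r"\s+\S+\s+(\S+)", re.M | re.I)
    m = pat.search(table_output)
    return (int(m.group(1)), m.group(2)) if m else None

def locate(ip, arp_output, table_output, trunk_ports):
    # Walk the thread's procedure and report the next step for the operator.
    mac = mac_from_arp(arp_output, ip)
    if mac is None:
        return "no ARP entry: host is not on this segment or the address is spoofed"
    cisco_mac = to_cisco_format(mac)
    hit = port_for_mac(table_output, cisco_mac)
    if hit is None:
        return f"{cisco_mac} not in mac-address-table; check the next-hop gateway's ARP cache"
    vlan, port = hit
    if port in trunk_ports:
        return f"{cisco_mac} learned on trunk {port}; repeat the lookup on the downstream switch"
    return f"{cisco_mac} is on access port {port} (VLAN {vlan}); this is the port to shut down"
```

Feed it the real `arp -a` and `show mac-address-table` output and the set of trunk ports from `show interfaces trunk`; a hit on a trunk means one more hop down to the access switch before anything is shut down.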