Security Basics mailing list archives
RE: How to find a changing IP on ethernet network
From: David Brown <davidbrown () coal gov uk>
Date: Thu, 26 Feb 2004 12:00:08 -0000
You can use the port security feature on Cisco switches to do this but from the sounds of your network ( all hubs? ) thats not an option. It's also a pain in the backside to manage if you dont stay on top of it. Probably the best thing for this is to run arpwatch or similar and diff the output to look for changes. If you dont have a 'nix box to run it on then have a look at Cygwin as an alternative to introducing a new OS. Dave. Dave Brown, Network & Security Manager, The Coal Authority, Tel : 01623 638324 -----Original Message----- From: Bhavani Suresh [mailto:bhavani.suresh () adnoc-dist co ae] Sent: Wednesday, February 25, 2004 10:36 AM To: Gideon T. Rasmussen, CISSP, CISM, CFSO, SCSA; security-basics () securityfocus com Subject: RE: How to find a changing IP on ethernet network Following up this..i want to know at the network level any software can bind the MAC Addresses to the ports (and to take current MAC Addresses in the network automatically)so that no new ip address can be allocated without the consent of the network admin. This will also ensure security so that non one just plugs in a pc or laptop.. Any idea.. -----Original Message----- From: Gideon T. Rasmussen, CISSP, CISM, CFSO, SCSA [mailto:lists () infostruct net] Sent: Saturday, February 21, 2004 20:12 To: security-basics () securityfocus com Subject: Re: How to find a changing IP on ethernet network Ivan, This is an interesting situation. Here are a few possible ways to address it: 1. Send an e-mail to the user community explaining the problem and asking them to leave their IP address configurations alone. 2. In case you don't know, as the new system boots it announces its IP address to the network. If another system already has that IP address, it will reply and the new system will shut down the interface running the duplicate IP. a. From the new system, run the arp command (arp -a). C:\> arp -a Interface: 192.168.2.100 --- 0x20002 Internet Address Physical Address Type 192.168.2.1 00-06-25-c0-93-65 dynamic This will list the IP address and associated MAC (hardware) address (e.g. 00-06-25-c0-93-65). b. Now all you need to do is find out which system has that MAC address: C:\> ipconfig /all (output abbreviated) Physical Address. . . . . . . . . : 00-06-25-c0-93-65 3. You could also use tcpdump or windump (http://windump.polito.it) to sniff the network traffic for that specific IP and view the resulting dump file with Ethereal (http://www.ethereal.com). This is a bit advanced for the average user. If you have any additional questions, please do not hesitate to contact me. Kind regards, Gideon Gideon T. Rasmussen CISSP, CISM, CFSO, SCSA Boca Raton, FL gideon () infostruct net National Security Awareness Day - September 10, 2004 - Are you aware? Subject: How to find a changing IP on ethernet network From: Ivan Andres Hernandez Puga <ivan.hernandez () globalsis com ar> Date: Fri, 20 Feb 2004 11:54:29 -0300 To: security-basics () securityfocus com Hello. I have a client with a simple Ethernet network with HUB's connecting and there is one person that is changing it's IP and creating conflicts. What would you do to track down that person? i mean, to find who does that? Thanks! Ivan Hernandez ------------------------------------------------------------------------ --- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_security-basics_040219 ------------------------------------------------------------------------ ---- ************************************************************ Please note that our domain name has been changed to: adnoc-dist.ae; Hence please change the email ID to reflect the new domain name. This communication may contain confidential information. If you are not the intended recipient, then please inform us immediately. Adnoc Distribution-Tel:02-6771300 Fax:02-6722322 Email:webmaster () adnoc-dist ae Website: www.adnoc-dist.ae This message was scanned @ Adnoc distribution ************************************************************ ************************************************************ Please note that our domain name has been changed to: adnoc-dist.ae; Hence please change the email ID to reflect the new domain name. This communication may contain confidential information. If you are not the intended recipient, then please inform us immediately. Adnoc Distribution-Tel:02-6771300 Fax:02-6722322 Email:webmaster () adnoc-dist ae Website: www.adnoc-dist.ae This message was scanned @ Adnoc distribution ************************************************************ --------------------------------------------------------------------------- ---------------------------------------------------------------------------- **************************************************************************** This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s) please note that any distribution, copying or use of this communication or the information in it is strictly prohibited. If you have received this communication in error please notify us by e-mail or telephone ((+44) 01623 427162) and then delete the e-mail and any copies of it. This communication is from The Coal Authority whose principal address is at 200 Lichfield Lane, Berry Hill, Mansfield, Notts, NG18 4RG, England. **************************************************************************** --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: How to find a changing IP on ethernet network, (continued)
- Re: How to find a changing IP on ethernet network Gideon T. Rasmussen, CISSP, CISM, CFSO, SCSA (Feb 25)
- RE: How to find a changing IP on ethernet network Bruyere, Michel (Feb 25)
- RE: How to find a changing IP on ethernet network Bhavani Suresh (Feb 25)
- Re: How to find a changing IP on ethernet network Gideon T. Rasmussen, CISSP, CISM, CFSO, SCSA (Feb 26)
- RE: How to find a changing IP on ethernet network patrick (Feb 26)
- RE: How to find a changing IP on ethernet network David Brown (Feb 25)
- Re: How to find a changing IP on ethernet network hassan hani (Feb 25)
- Re: How to find a changing IP on ethernet network Wim Peeters (Feb 25)
- RE: How to find a changing IP on ethernet network Josh Mills (Feb 25)
- RE: How to find a changing IP on ethernet network Mike (Feb 26)
- RE: How to find a changing IP on ethernet network David Brown (Feb 26)