Educause Security Discussion mailing list archives
Re: IP address conflicts / locating
From: Graham Toal <gtoal () UTPA EDU>
Date: Mon, 19 Dec 2005 09:02:04 -0600
L2-L3 data does not answer the question of where on the network topology those machines were located when they used the IP. At present, NOG staff and Unit Computing Specialists (UCS) can employ a manual, time-consuming process to find the current location of a client machine. The process requires that the staff member have direct access to the switches in the Distribution and Access tiers and also have some knowledge about the topology of the network.
I had a crack at doing something similar over the last couple of years at UTPA. Although I'm no longer with the Infosec department (i.e. no longer maintaining the tools) I may be able to offer some help.

In particular I hacked up a web-based utility which explores all the switches in your network looking for a particular machine. Generally you will find several switches which reference the desired MAC but only one of them will have that MAC and *only* that MAC on a specific port, which usually means that is the desired port rather than an uplink port.

You'll need a list of all the IP addresses of your managed switches, and it helps a *lot* if every time your networking people locate a physical port, they tag the port in the switch with the location, so that the port<->location database is implicit in the switch configuration, rather than being held separately in some external database that rapidly gets out of date.

Here's the source of the web-based tracing utility:

http://infos.panam.edu/src/nettools/ip.c

It needs to run on a unix with snmpwalk available. It's not totally automated yet but you may still find it useful. (I've stripped out UTPA's local knowledge from the source so you'll need to modify it yourselves to add your switch & router addresses etc.)

If your switches don't use community 'public' you'll either have to embed the actual community in the code (not recommended) or add an extra field to the web form to allow the community to be entered (and run it under https).

I have a few other odds and ends and I'll watch this thread to see if any of them are relevant; if they are I'll post them too.

As you point out in your paragraph at the top, tracking the IP to a switch is not the whole story. If you have DHCP, the IP you may be looking at when you search may not have been the same machine when the problem arose. You'll need access to the DHCP log files to know for sure.

Graham
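The port-selection heuristic described in the message above, as an added example that is not part of the original post and is not taken from ip.c. It assumes the forwarding table is read from BRIDGE-MIB `dot1dTpFdbPort` with numeric output (`snmpwalk -On`); the function names, switch addresses and MAC values are constructed for illustration.

```python
import re
from collections import defaultdict

# BRIDGE-MIB dot1dTpFdbPort: the index is the MAC as six decimal octets,
# the value is the bridge port the MAC was learned on.
FDB_LINE = re.compile(
    r"^\.?1\.3\.6\.1\.2\.1\.17\.4\.3\.1\.2\.((?:\d+\.){5}\d+) = INTEGER: (\d+)$")

def parse_fdb(walk_text):
    """Return {bridge_port: set of MACs} from numeric (-On) snmpwalk output."""
    ports = defaultdict(set)
    for line in walk_text.splitlines():
        m = FDB_LINE.match(line.strip())
        if m:
            mac = ":".join(f"{int(o):02x}" for o in m.group(1).split("."))
            ports[int(m.group(2))].add(mac)
    return ports

def locate(mac, walks):
    """walks maps switch IP -> walk text. Returns (sole_mac_ports, shared_ports),
    each a list of (switch, port, number of MACs seen on that port)."""
    mac = mac.lower()
    sole, shared = [], []
    for switch, text in walks.items():
        for port, macs in parse_fdb(text).items():
            if mac in macs:
                (sole if len(macs) == 1 else shared).append((switch, port, len(macs)))
    return sole, shared

# Constructed sample walks (documentation addresses, made-up MACs).
SAMPLE_WALKS = {
    "192.0.2.1": """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.102 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.1 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.2 = INTEGER: 1
""",
    "192.0.2.2": """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.102 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.1 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.2 = INTEGER: 24
""",
}

if __name__ == "__main__":
    sole, shared = locate("00:11:22:33:44:55", SAMPLE_WALKS)
    print("likely access port:", sole)
    print("also seen on (probably uplinks):", shared)
```

The port numbers returned are bridge port numbers; mapping them to interface names or location tags needs a further lookup on the switch.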