Educause Security Discussion mailing list archives

Re: IP address conflicts / locating


From: Graham Toal <gtoal () UTPA EDU>
Date: Mon, 19 Dec 2005 09:02:04 -0600

L2-L3 data does not answer the question of where on the
network topology those machines were located when they used
the IP. At present, NOG staff and Unit Computing Specialists
(UCS) can employ a manual, time-consuming process to find the
current location of a client machine. The process requires
that the staff member have direct access to the switches in
the Distribution and Access tiers and also have some
knowledge about the topology of the network.

I had a crack at doing something similar over the last couple
of years at UTPA.  Although I'm no longer with the Infosec
department (i.e. no longer maintaining the tools) I may be able
to offer some help.  In particular I hacked up a web-based
utility which explores all the switches in your network looking
for a particular machine.  Generally you will find several
switches which reference the desired MAC but only one of them
will have that MAC and *only* that MAC on a specific port, which
usually means that is the desired port rather than an uplink port.

You'll need a list of all the IP addresses of your managed
switches, and it helps a *lot* if every time your networking
people locate a physical port, they tag the port in the switch
with the location, so that the port<->location database is
implicit in the switch configuration, rather than being held
separately in some external database that rapidly gets out
of date.

Here's the source of the web-based tracing utility:

  http://infos.panam.edu/src/nettools/ip.c

It needs to run on a unix with snmpwalk available.  It's
not totally automated yet but you may still find it useful.
(I've stripped out UTPA's local knowledge from the source
so you'll need to modify it yourselves to add your switch &
router addresses etc.)

If your switches don't use community 'public' you'll either
have to embed the actual community in the code (not recommended)
or add an extra field to the web form to allow the community
to be entered (and run it under https).

I have a few other odds and ends and I'll watch this thread to
see if any of them are relevant; if they are I'll post them too.

As you point out in your paragraph at the top, tracking the
IP to a switch is not the whole story.  If you have DHCP, the
IP you may be looking at when you search may not have been the
same machine when the problem arose.  You'll need access to
the DHCP log files to know for sure.


Graham
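The two steps Graham describes above, locating the MAC's edge port from the switches' forwarding tables and mapping a DHCP-assigned IP back to the MAC that held it at the time of the problem, as an added, self-contained example. This is not Graham's ip.c nor UTPA code; it parses the output of snmpwalk against BRIDGE-MIB (dot1dTpFdbPort, dot1dBasePortIfIndex) and IF-MIB::ifAlias, plus ISC dhcpd DHCPACK syslog lines. The switch names, MACs, port aliases and log lines are constructed for the example. Running snmpwalk itself (and supplying the community string) is left to the caller, so no community is embedded in the code.

```python
"""Find the edge port a MAC is learned on, and the MAC behind a DHCP IP at a time."""
import re
from datetime import datetime

# Constructed snmpwalk output (one blob per switch), in the shape of
#   snmpwalk -v2c -c <community> <switch> BRIDGE-MIB::dot1dTpFdbPort
# followed by dot1dBasePortIfIndex and IF-MIB::ifAlias walks.
# "dist1" sees the target MAC only on its uplink (with other MACs);
# "access3" sees it alone on port 3, which is the edge port we want.
SNMP_DUMPS = {
    "dist1": """\
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 24
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.86 = INTEGER: 24
BRIDGE-MIB::dot1dTpFdbPort.0.170.187.204.221.238 = INTEGER: 24
BRIDGE-MIB::dot1dBasePortIfIndex.24 = INTEGER: 10024
IF-MIB::ifAlias.10024 = STRING: uplink to access3
""",
    "access3": """\
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.86 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.170.187.204.221.238 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.1.2.3.4.5 = INTEGER: 25
BRIDGE-MIB::dot1dBasePortIfIndex.3 = INTEGER: 10003
BRIDGE-MIB::dot1dBasePortIfIndex.7 = INTEGER: 10007
BRIDGE-MIB::dot1dBasePortIfIndex.25 = INTEGER: 10025
IF-MIB::ifAlias.10003 = STRING: Bldg A rm 101 jack 7
IF-MIB::ifAlias.10007 = STRING: Bldg A rm 105 hub
IF-MIB::ifAlias.10025 = STRING: uplink to dist1
""",
}

# dot1dTpFdbPort is indexed by the MAC as six decimal octets.
FDB_RE = re.compile(r"dot1dTpFdbPort\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+) = INTEGER: (\d+)")
PORT_IFINDEX_RE = re.compile(r"dot1dBasePortIfIndex\.(\d+) = INTEGER: (\d+)")
IFALIAS_RE = re.compile(r"ifAlias\.(\d+) = STRING: (.*)")


def canon_mac(mac):
    """Normalise 00-11-22-33-44-55 / 00:11:22:33:44:55 (any case) to lowercase colon form."""
    return ":".join(f"{int(x, 16):02x}" for x in mac.replace("-", ":").split(":"))


def parse_switch(dump):
    """Return {bridge_port: {"macs": set_of_macs, "alias": ifAlias}} from one switch's walk."""
    ports, ifindex_of, alias_of = {}, {}, {}
    for line in dump.splitlines():
        if m := FDB_RE.search(line):
            mac = ":".join(f"{int(o):02x}" for o in m.groups()[:6])
            ports.setdefault(int(m.group(7)), set()).add(mac)
        elif m := PORT_IFINDEX_RE.search(line):
            ifindex_of[int(m.group(1))] = int(m.group(2))
        elif m := IFALIAS_RE.search(line):
            alias_of[int(m.group(1))] = m.group(2).strip()
    # Bridge port -> ifIndex -> ifAlias gives the location tag the port was labelled with.
    return {p: {"macs": macs, "alias": alias_of.get(ifindex_of.get(p), "")}
            for p, macs in ports.items()}


def locate_mac(dumps, mac):
    """Every (switch, port, alias, n_macs_on_port) where mac is learned, fewest co-learned MACs first."""
    mac = canon_mac(mac)
    hits = []
    for switch, dump in dumps.items():
        for port, info in parse_switch(dump).items():
            if mac in info["macs"]:
                hits.append((switch, port, info["alias"], len(info["macs"])))
    return sorted(hits, key=lambda h: h[3])


def edge_port(dumps, mac):
    """The one (switch, port, alias) holding only this MAC; None if no such port (uplinks, hubs)."""
    only = [h for h in locate_mac(dumps, mac) if h[3] == 1]
    return only[0][:3] if len(only) == 1 else None


# Constructed ISC dhcpd syslog lines. Syslog omits the year, so the caller supplies it.
DHCP_LOG = """\
Dec 19 07:40:12 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:aa:bb:cc:dd:ee (oldlaptop) via eth0
Dec 19 08:55:01 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (gtoal-pc) via eth0
Dec 19 09:30:44 dhcp1 dhcpd: DHCPACK on 10.1.2.4 to 00:11:22:33:44:56 via eth0
"""
ACK_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)


def mac_for_ip_at(log, ip, when_iso, year):
    """MAC that held `ip` at ISO time `when_iso`: the last DHCPACK for that IP at or before then."""
    when, holder = datetime.fromisoformat(when_iso), None
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m or m.group(2) != ip:
            continue
        if datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") <= when:
            holder = canon_mac(m.group(3))
    return holder


if __name__ == "__main__":
    mac = mac_for_ip_at(DHCP_LOG, "10.1.2.3", "2005-12-19 09:02:00", 2005)
    print("10.1.2.3 at 2005-12-19 09:02 belonged to", mac)
    for hit in locate_mac(SNMP_DUMPS, mac):
        print("seen on", hit)
    print("edge port:", edge_port(SNMP_DUMPS, mac))
```

Note that edge_port() deliberately returns None when no port carries the MAC alone: a port behind an unmanaged hub or a second switch shows several MACs, and the candidate list from locate_mac() (uplink ports last) is what a human then has to read. Asking for the IP at the time the conflict arose, rather than now, is why the DHCP lookup takes a timestamp.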
