Security Basics mailing list archives

Re: Identifying Intrusions?


From: "Lord Bane" <lordl3ane () gmail com>
Date: Tue, 24 Apr 2007 12:59:37 -1000

Donald,

The easiest method to track down a system that is masquerading its
source information (MAC/IP/etc) is to have managed infrastructure.
Peel your infrastructure like an onion, searching for the source port
of the traffic.

On the other hand, if you don't have managed switches, you may be
forced into segregating your network into smaller and smaller
components.  Analyze both segments to determine on which side the traffic
is still visible (using a sniffer), and then separate it again, and so
on, until you find the switch that has the traffic.  Then it's just
finding which host on that switch is the culprit.

Cheers!

Eric
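
Added example, not part of the original message: a sketch of the "peel like an onion" trace on managed switches, following the port on which each switch learned the suspect source MAC until that port no longer leads to another known switch. The switch names, port names, MAC addresses and table layout are constructed for illustration; real tables would be read from each switch's management interface.

```python
# Constructed sample data: MAC tables as read from each managed switch,
# keyed by normalized MAC, plus the ports that link one switch to another.
MAC_TABLES = {
    "core":   {"00:11:22:33:44:55": "Gi0/1", "00:aa:bb:cc:dd:ee": "Gi0/2"},
    "dist-a": {"00:11:22:33:44:55": "Gi0/3", "00:aa:bb:cc:dd:ee": "Gi0/24"},
    "acc-a2": {"00:11:22:33:44:55": "Fa0/7", "00:aa:bb:cc:dd:ee": "Fa0/24"},
    "dist-b": {"00:11:22:33:44:55": "Gi0/24", "00:aa:bb:cc:dd:ee": "Gi0/5"},
}
INTER_SWITCH_LINKS = {
    ("core", "Gi0/1"): "dist-a",
    ("core", "Gi0/2"): "dist-b",
    ("dist-a", "Gi0/3"): "acc-a2",
    ("dist-a", "Gi0/24"): "core",
    ("acc-a2", "Fa0/24"): "dist-a",
    ("dist-b", "Gi0/24"): "core",
}


def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def trace_mac(mac, start, tables, links):
    """Walk from `start` toward the edge; return (path, status)."""
    mac = normalize_mac(mac)
    path, seen, switch = [], set(), start
    while True:
        if switch in seen:
            return path, "loop"          # stale or inconsistent tables
        seen.add(switch)
        port = tables.get(switch, {}).get(mac)
        if port is None:
            return path, "not-learned"   # entry aged out, or no table for this switch
        path.append((switch, port))
        next_switch = links.get((switch, port))
        if next_switch is None:
            # Last managed hop: a host, or an unmanaged switch that still
            # has to be split and sniffed as the message describes.
            return path, "edge-port"
        switch = next_switch


if __name__ == "__main__":
    print(trace_mac("0011.2233.4455", "core", MAC_TABLES, INTER_SWITCH_LINKS))
```

Because the tables record where frames carrying that source address actually arrive, the trace still works when the address itself is forged.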

