Sporadic IP tracing

I have a device that keeps poping up with a static IP address on my network.

It only ever seems to be one for 15 seconds or so at a time and I have no idea where it is (it could be on any one of about 80 switches). It may be comes on once or twice a week.

And by the time i notice it is on its two late and it will have turned of and I miss my chance to trace it.

Any ideas how to track it down to a location? If I caught it when it was on I would trace the MAC back, but so far never been at my desk at the time!!

Aaron

Find more posts tagged with

Comments

gorebrush

Do any of your Cisco switches pick it up?

Perhaps you could syslog it?

chmorin

I'm new to ip sla, but still find new possible uses for it. I think it may be possible to configure one to ping that host if it uses the same IP address each time. Once it gets pinged, it sends you an email. Then you know to grab its mac and hunt it down real fast.

If it changes its IP address each time then IDK, you may just have to wait to get lucky and watch for its MAC.

EDIT:

This may help with IP SLA: http://thwack.com/forums/p/23064/94891.aspx

davidspirovalentine

You could use a tool like Look@LAN and just run it in the background to find the IP that comes up the goes down it will alert you with a HOST UP and HOST DOWN message with an alarm and bells and everything.

Once you find it, grab the MAC and just traceroute to the the MAC address... you are using Cisco switches right?

Regards,
David

DevilWAH

Oh I can get it to alert me ok, it just I can't sit at my desk 24/, and I can't look at my emails all the time.

I was looking if there is a way to do the trace its self, so I don't have to be there.

I am thinking maybe ip sla would be helpful?

Although I think maybe putting a packet trace on the network in the first instance would help, at least that can pull of the MAC address from the frames.

I can't wait till I have 802.1x fully up and running as then finding something liek this will be easy!

Paul Boz

davidspirovalentine wrote: »

You could use a tool like Look@LAN and just run it in the background to find the IP that comes up the goes down it will alert you with a HOST UP and HOST DOWN message with an alarm and bells and everything.

Once you find it, grab the MAC and just traceroute to the the MAC address... you are using Cisco switches right?

Regards,
David

Look@Lan is the bomb. I use that tool for host discovery / enumeration all the time. The only problem which would prevent you from using it in this application is the fact that it crashes constantly and its difficult to monitor a large number of concurrent subnets at one time.

ColbyG

You could check out NetDisco:

n e t d i s c o

Netdisco is an Open Source web-based network management tool first released publically in 2003. The target users are large corporate and university networks administrators. Data is collected into a Postgres database using SNMP and presented with a clean web interface using Mason.

Configuration information and connection data for network devices are retrieved via SNMP. Data is stored using a SQL database for scalability and speed. Layer-2 topology protocols such as CDP and LLDP provide automatic discovery of the network topology. Here are some of the favorite uses for this tool:

* Locate a machine on the network by MAC or IP and show the switch port it lives at.
* Turn Off a switch port while leaving an audit trail. Admins log why a port was shut down.
* Inventory your network hardware by model, vendor, switch-card, firmware and operating system.
* Report on IP address and switch port usage: historical and current.
* Pretty pictures of your network.

Netdisco gets all its data, including topology information, with SNMP polls and DNS queries. It does not use CLI access and has no need for privilege passwords.

It should be able to cache IPs/MACs and what ports they existed on for a decent amount of time. I haven't used it much so I won't make any promises, lol.

EliZ_

This is my take on your problem. I’m sure others have other/better solutions, but this is how I would solve your dilemma.

It is 2 separate problems.

First one:
In a layer2 environment you need to translate that IP to MAC, your problem is that the device can be plugged in when you are not around

If I was to solve this problem, I would set that IP to an unused windows box, and when your “intruder” starts up you’ll get a message in windows sating a duplicate IP found, if you don’t see the conflicting MAC in that message box, you can find a 4199 event log entry stating all the information you need. I also believe the same info will be available to you if you use a Cisco device instead of a Windows box.

Second one:
Find what port and what switch the “intruder” is plugged into.
Use some type of SNMP monitoring software to read the CAM-table from your switches, and report back to you when the MAC is in use.
On my network(Corporate) I’m using a custom built software by my own design, so reporting stuff like that is easy for me to implement, but I’m sure that the same function will be available in prebuilt systems like Netdisco mentioned above.

chmorin

You could have some l33t combonation of SNMP traps running a TCL script that could maybe hunt down the mac address for you. I'm not sure how I would approach that though.

peanutnoggin

Devilwah,

What type of network management system are you running?

-Peanut

DevilWAH

mmm depends

I use kwiw cat tools for config managment.

Observer for monitering traffic flows

and mutiny for over view

+ others

tiersten

How are you noticing that the device has appeared on your network anyway?

EliZ_

How did this turn out, did you find it?

The reason im asking is that im in the process of turning my very customized own tools to something more generic that would be useful for more that myself.

The version that I have now is only SNMPv1, but hopefully I’ll be able to integrate v2C and v3 as well.

At the moment it uses a seed device and "crawls" to neigbouring devices reading CDP information through SNMP.

Here is a screenshot(Don't worry, IP and community is fake)

I was thinking of adding a monitor to solve your type of problem.

Im in the process of adding my visio output code into place, here is a link to how it looks now(Naturally cleaned of all essential info):

Let me know if you need anything like this.