It's very difficult to know where exactly in your LAN a user who is
stealing your IP really is (you can, of course, ping the IP and
unplug network jacks one by one until the ping stops; then you've
found your PC. This method works on hubs as well as switches). You can
easily find his ARP information if you are on the local network by pinging
the "stolen" address from another IP address on the network and waiting
for his MAC address to show up in your ARP table (the "arp" command in
Linux dumps the kernel's ARP table). However, the MAC doesn't really tell
you anything about the computer, except the manufacturer of the NIC.
To better get an idea of who is stealing your IP you can try the
"queso" package available from Freshmeat, which will normally tell you
what operating system the remote host is running. However, in order to
run queso you normally need to have an open port on that machine, so
first employ the friendly "nmap IPADDRESS" command to show you a port you
can check.
If the box is a Windows machine (normally port 139 is available for
scanning w/ queso) you can then use the trusty nmblookup command to check
for the system name of the computer (nmblookup -A IPADDRESS). If you
happen to be on a windows network and know a username/password that can
browse the network, you can always employ the "smbclient" command
(smbclient -L (IPADDRESS|STATION) -U USERNAME) to browse the list of
available shares, which also has the handy feature of telling you what
domain the machine is in as well as the comment associated w/ the
workstation. It's important to note that on my network, Win98 only lists
shares when called via the workstation name (-L gashes -U gashalot) and
NOT the IP. However, Linux boxes running Samba can be accessed via their
IP (-L 192.168.1.1 -U gashalot).
Your other option is to go to your handy network administrator (if you
have one) and ask him to look in the switches for your IP address. This
is the quickest way to track down the user's location (you have to have
switches though, not hubs), since switches keep tables of what MAC address
is on each port, and if everyone is directly connected to the switch you
can pinpoint exactly what workstation is connected to where. (`show cam
dynamic` on Catalyst 5000 series switches does this magic)
-Robert
OUTPUT from above mentioned commands
----- arp -----
gashalot:/home/gashalot# arp
Address                  HWtype  HWaddress           Flags Mask  Iface
home-internal.gashalot.  ether   00:A0:CC:28:9C:7A   C           eth0
family.home.gashalot.co  ether   00:A0:CC:28:8A:1B   C           eth0
---------------
----- queso 192.168.1.1:80 -----
gashalot:/home/gashalot# queso 192.168.1.1:80
192.168.1.1:80 * Linux 2.1.xx (NOTE: This is really 2.2.13)
-------------------------------
----- nmblookup -A 192.168.1.11 (Win9x Reply) ------
gashalot:/home/gashalot# nmblookup -A 192.168.1.11
Looking up status of 192.168.1.11
received 5 names
GASHES - M
GASH - M
GASHES - M
GASHES - M
GASH - M
num_good_sends=0 num_good_receives=0
----------------------------------------------------
----- smbclient -L gashes -U gashalot (Win9x SMB query) -----
gashalot:/home/gashalot# smbclient -L gashes -U gashalot
added interface ip=192.168.1.10 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.11 ( 192.168.1.11 )
Password:
        Sharename      Type      Comment
        ---------      ----      -------
        C              Disk
        D              Disk
        PRINTER$       Disk
        HP_693C        Printer
        IPC$           IPC       Remote Inter Process Communication

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
----------------------------------------------------------
----------- smbclient -L 192.168.1.1 -U gashalot (Samba on Linux) ------
gashalot:/home/gashalot# smbclient -L 192.168.1.1 -U gashalot
added interface ip=192.168.1.10 bcast=192.168.1.255 nmask=255.255.255.0
Password:
Domain=[GASH] OS=[Unix] Server=[Samba 2.0.6]
        Sharename      Type      Comment
        ---------      ----      -------
        hpdj540        Printer   HP Deskjet 540
        public         Disk      Public Files Share
        IPC$           IPC       IPC Service (home server (Samba 2.0.6))
        gashalot       Disk      Home Directories

        Server               Comment
        ---------            -------
        GASHES               GASHES
        SERVER               home server (Samba 2.0.6)

        Workgroup            Master
        ---------            -------
        GASH                 SERVER
--------------------------------------------------------------------
On Tue, 18 Jan 2000, Robert Hoffman wrote:
> God that sounds like a pain. You might be able to get some info on the offending machine by doing some of the following:
>
> It sounds like the easiest way is to shutdown your machine and use another one to find out who is using your ip address. Try the Windows command nbtstat -A . If it's a Windows machine, you will get the netbios name of the computer and the name of whatever user is logged in. If they're registered with DNS, you could try nslookup to get their computername.
>
> You could also try scanning for the mac address in any WINS and DHCP servers you have on your network to get the computername.
>
> You might also run a traceroute to at least narrow down his location. Other than that, I'm out of ideas.
>
> Good luck,
>
> -Robert Hoffman
>
> ---------- Original Message ----------------------------------
> From: "Darius Olteanu" <darius@traderom.ro>
> Date: Mon, 17 Jan 2000 13:09:52 +0200
>
> Hello!
>
> I have an IP address conflict with a computer whose MAC address is 08:00
> etc.... and I don't know how to detect it...
> Can you tell me how I can find a computer in a LAN, knowing its MAC
> address?
>
> Thanks!
>
> --
> To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
>
--
.----------------- PGP Key: `finger gashalot@gashalot.com` -----------------.
| Robert Gash                      | Work - gashalot@fasturl.net            |
| Senior Systems Administrator     | Personal - gashalot@gashalot.com       |
| VenerNet Inc -- www.fasturl.net  | http://www.gashalot.com                |
`---- PGP Key Fprint: E6F3 CACA 9245 786B 7734 2853 D2C7 31D7 80FE 3B51 ----'
--
To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
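An added example, not part of the original thread and not Samba's or anyone's posted code, that strings together the first steps Robert describes: ping the contested address so the kernel learns the neighbour, pull its MAC out of the ARP table, then ask the host for its NetBIOS names. It assumes a Linux box with ping, either net-tools `arp` or iproute2 `ip`, and Samba's nmblookup on PATH. The two parsers read stdin so they can be run on the constructed sample output embedded at the bottom (made up for this example; the nmblookup sample follows current Samba output, which prints the `<xx>` suffix and `<GROUP>` flag that the 2000-era output above does not show). Name portions are hypothetical: `mac_for_ip`, `netbios_identity` and `locate_ip` are this example's own functions.

```shell
#!/bin/sh
# Added example (not from the original post). Locate the host that answers
# for a "stolen" IP: learn its MAC from the ARP table, then query NetBIOS.
# Assumes Linux with ping, `arp` or `ip`, and Samba's nmblookup on PATH.

# mac_for_ip IP: print the lower-cased MAC for IP from `arp -n` or
# `ip neigh` output on stdin; print nothing if there is no complete entry.
#   arp -n:   192.168.1.11   ether   00:A0:CC:28:8A:1B   C   eth0
#   ip neigh: 192.168.1.11 dev eth0 lladdr 00:a0:cc:28:8a:1b REACHABLE
mac_for_ip() {
    awk -v ip="$1" '
        $1 != ip { next }                        # header line or another host
        $2 == "(incomplete)" { exit }            # ARP request never answered
        $2 == "dev" {                            # iproute2 layout
            for (i = 3; i < NF; i++)
                if ($i == "lladdr") { print tolower($(i + 1)); exit }
            exit
        }
        $3 ~ /^[0-9A-Fa-f:]+$/ { print tolower($3) }   # net-tools layout
        { exit }                                 # anything else: no entry
    '
}

# netbios_identity: from `nmblookup -A` output on stdin print
# "<computer name> <workgroup>". The unique <00> entry is the machine
# name; the <00> entry flagged <GROUP> is its workgroup/domain.
netbios_identity() {
    awk '
        $2 == "<00>" && $0 ~ /<GROUP>/ { group = $1; next }
        $2 == "<00>" && name == ""     { name = $1 }
        END { print name, group }
    '
}

# locate_ip IP: live use against the contested address.
locate_ip() {
    target="$1"
    ping -c 2 -W 1 "$target" >/dev/null 2>&1    # populate the neighbour cache
    if command -v ip >/dev/null 2>&1; then
        mac=$(ip neigh show "$target" | mac_for_ip "$target")
    else
        mac=$(arp -n "$target" | mac_for_ip "$target")
    fi
    if [ -z "$mac" ]; then
        echo "no ARP entry for $target: not on this segment, or down" >&2
        return 1
    fi
    echo "$target is at $mac (ask the switch admin which port holds it)"
    # Only Windows/Samba hosts answer; the awk prints an empty line otherwise.
    nmblookup -A "$target" | netbios_identity
}

# Constructed sample output (made up for this example) for offline testing.
ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask  Iface
192.168.1.1              ether   00:A0:CC:28:9C:7A   C           eth0
192.168.1.11             ether   00:A0:CC:28:8A:1B   C           eth0'
NEIGH_SAMPLE='192.168.1.11 dev eth0 lladdr 00:a0:cc:28:8a:1b REACHABLE'
NMB_SAMPLE='Looking up status of 192.168.1.11
        GASHES          <00> -         M <ACTIVE>
        GASH            <00> - <GROUP> M <ACTIVE>
        GASHES          <03> -         M <ACTIVE>
        GASHES          <20> -         M <ACTIVE>
        GASH            <1e> - <GROUP> M <ACTIVE>

        MAC Address = 00-A0-CC-28-8A-1B'

if [ $# -gt 0 ]; then
    locate_ip "$1"            # e.g. ./locate.sh 192.168.1.11
else
    printf '%s\n' "$ARP_SAMPLE" | mac_for_ip 192.168.1.11    # 00:a0:cc:28:8a:1b
    printf '%s\n' "$NMB_SAMPLE" | netbios_identity           # GASHES GASH
fi
```

Run with no arguments it parses the embedded samples; with an IP it does the live ping, ARP lookup and nmblookup. The MAC it prints is what you hand to whoever can read the switch's CAM table; a host that never gets an ARP entry is either off this broadcast segment (so ARP cannot see it) or not answering, and the script says so rather than guessing.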