08-04-2003 05:21 PM - edited 03-02-2019 09:21 AM
Can anyone please help with how to detect an IP conflict in a Local Area Network (LAN)?
Are there any tools or utilities that can detect who the joker is out there using a predefined exclusion range of IP addresses that are actually meant for local servers?
Normally, existing PCs which are using static IP addresses will only display the message "IP conflict" whenever there is another joker trying to use the "occupied" IP addresses...
Please help out...
TQ.
08-04-2003 05:49 PM
You may have to disable the server that is properly using the stolen IP address to do this, but that server is probably not much use until the joker is caught anyway. Follow these steps:
1. Remove the "good" server from the network.
2. Clear the ARP table of your router with the "clear arp" command.
3. Ping the stolen address.
4. Find the MAC address of the "joker" by entering the "show ip arp (stolen IP address)" command in the router.
5. On your switched network, begin with the switch that is directly connected to your router and enter the command "show cam (MAC address found in step 4)". The output will indicate the port that the MAC address was found on. If this port is connected to another switch, repeat this step in that switch until you come to the port that is directly connected to the joker.
6. Follow the cable connected to that port to the guilty party.
7. Whack the joker on behalf of everyone on this board, in addition to your own punishment for him.
8. Re-connect the server that is the proper holder of the stolen IP address.
Happy hunting.
Mark
08-04-2003 08:27 PM
What Mark said is what you want to do. There are only two things I would add:
5.1 If your Cisco switch uses Cisco IOS (3500 XL series, 2950 or 3550 series), then enter "show mac-address-table address (MAC address found in step 4)".
5.2 If your Cisco switch connects to other Cisco switches and you need to track the MAC address to them, then running "show cdp neighbors" can give you the name of the next switch. "Show cdp neighbors detail" can give you the IP address of the next switch, so you can telnet to it and continue the search.
Good luck.
08-04-2003 10:38 PM
It is also possible to use the Arpwatch utility instead of steps 1-4 (http://www.zone-h.org/download/file=3219/). Other advantages are an automatic email to the administrator in the case of an IP address conflict and a database of IP-MAC address history in your network.
Another tip for suspicious MAC address tracking: L2trace command on CatOS switches.
Regards,
Milan
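
Added example (not part of any post in this thread, and not Arpwatch's code): a Python sketch of the IP-to-MAC history idea described above, run over constructed `show ip arp` captures taken at two different times. The reserved range 192.168.1.0/28 and every address in the samples are assumptions made up for illustration.

```python
import ipaddress
import re

# Assumption: the server exclusion range; replace with your own.
RESERVED = ipaddress.ip_network("192.168.1.0/28")

# Matches data rows of Cisco IOS "show ip arp" output (header and
# "Incomplete" entries do not match and are skipped).
ARP_ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s",
    re.IGNORECASE | re.MULTILINE,
)

def parse_arp(text):
    """Return {ip: mac} from one 'show ip arp' capture."""
    return {ip: mac.lower() for ip, mac in ARP_ROW.findall(text)}

def find_conflicts(snapshots, reserved=RESERVED):
    """Walk captures in order, keep an IP->MAC history, and return the
    reserved addresses that were seen with more than one MAC."""
    history = {}  # ip -> MACs in the order they were first seen
    for text in snapshots:
        for ip, mac in parse_arp(text).items():
            macs = history.setdefault(ip, [])
            if mac not in macs:
                macs.append(mac)
    return {
        ip: macs for ip, macs in history.items()
        if len(macs) > 1 and ipaddress.ip_address(ip) in reserved
    }

# Constructed sample captures (not real devices).
SNAP_1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.5             12  0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.50             3  00aa.bbcc.ddee  ARPA   Vlan1
"""
SNAP_2 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.5              0  0060.9711.2f3c  ARPA   Vlan1
Internet  192.168.1.50             1  00aa.bbcc.ddef  ARPA   Vlan1
"""

if __name__ == "__main__":
    for ip, macs in find_conflicts([SNAP_1, SNAP_2]).items():
        print(f"{ip}: first seen as {macs[0]}, later as {', '.join(macs[1:])}")
```

The MAC reported as "later" is the one to look up on the switches with the `show cam` or `show mac-address-table address` commands from the earlier replies.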
08-05-2003 05:25 AM
In addition to "show ip arp" and "show cam MAC-address", you could also identify the machine by using another process.
If you have a Windows NT based network including WINS, you can use nbtstat from your machine. Go to your command line and enter "nbtstat -a ip-address".
"Nbtstat ?" (question mark) will give you other switch parameter options. If the machine using the unwanted IP address is online, it should have registered its NetBIOS name in WINS; in this case load WINS admin and search for the NetBIOS name, which will contain the NT login user name.
08-05-2003 06:46 AM
It is also very possible that you are having a software issue that is causing your DHCP server to assign the same IP address to two different clients. I use a Windows 2000 server for DHCP, and it occasionally will assign the same address to two clients, regardless of the fact that I have it set up to ping addresses twice. It may also have something to do with the LAN, since it seems to happen only to clients that connect through a 4006 switch. I haven't been able to resolve the issue, so I used the steps above to isolate the computers, and then assigned them static IP addresses via a reservation in DHCP.