Showing results for 
Search instead for 
Did you mean: 

locate a host sending excess traffic - possible virus

I need to find a host that is sending excess traffic, but I don't know what switch or switchport it is attached to and little documentation is available to me. All I know is the IP address of the workstation.

What would be the quickest and easiest way to determine what switch and what port the offending machine is attached to?

Thank you for any advice.

Mark Turpin

If you have a flat network, look in your arp table (show arp) and find the MAC address of the device. Then go to your switch and use the 'show mac' and specify the MAC address you just found to see which port it is on, or learned from. Then, keep tracing it back switch by switch.

If you have a segmented network with different IP blocks spread throughout the office, then localize the IP address to whatever device it is assigned to, and use the above method to trace it back.

-- -Mark Turpin
Georg Pauwen
VIP Master

Hello Charles,

if you have a (Fast)Ethernet, serial, or other Layer 3 interface over which the traffic is being sent, you can use IP Accounting (turned on with the interface command ´ip accounting´), and then check the IP accounting database with the exec command ´show ip accounting´, the output will show you the IP source and destination address pairs and the packets sent.

Certain Cisco IOS switches have a command called ´show top´, which does exactly that, it shows you the top users on the switch, you might want to try and see if that command is available on your switch(es)...




Ping the machine and then do show arp. once you have the mac address look up the first 3 octets here:

That will gave you the manaufacturer of the NIC. If you are lucky this might be all you need to find the machine (If the NIC is made by Compaq and you only have 1 Compaq machine then you have your answer!). Otherwise you will need to do something like show mac-address-table on a switch to find out which port it is on, if that port goes to another switch, go there and repeat.

Another option is just put up an ACL denying the Ip and see if anyone complains - keep in mind the use may just change IPs (or release-renew), so t his may not work....