02-11-2011 01:36 AM - edited 03-06-2019 03:29 PM
Hi,
I have a complaint that one PC, 10.20.2.154, is generating more virus storms and doing broadcasts. So I need to find out where that PC is in the network to do further checks.
Can someone help me with this?
Jopeti.
02-11-2011 01:58 AM
On your main router, at the CLI, input "show arp | inc 10.20.2.154"; this will return the MAC address. Then go around and log into your switches and do
"show mac-address | inc xxxx.xxxx.xxxx"
This will identify the actual port. Then close it and go visit the user.
HTH
02-11-2011 02:02 AM
Hi Jopeti,
You can easily identify exactly where the PC is connected with the help of the IP address; luckily you have that.
Please log into your core switch or any edge router which is managed by you...
Give the below command in exec mode.
#sh ip arp 10.20.2.154
That will give you the MAC address information, say bbbb.bbbb.bbbb
Copy that MAC address and give a command like the one below
#sh mac-a address bbbb.bbbb.bbbb
That will provide you the learning port information, say Gi4/35
Now you have to trace what is connected to that port
If some L2 switch is connected, just assume...
Here you need to log in to that L2 switch and give the below command
#sh mac-a address bbbb.bbbb.bbbb
That will give you the port number where the end user PC (10.20.2.154) is connected, so that you can trace the port and get to know which PC is connected.
Once you identify the PC, please check...
What applications he has.
What type of activity he is doing over the internet.
Which application is trying to do broadcast.
And run a complete virus scan in order to cure the entire PC.
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
02-11-2011 02:04 AM
Hi Gurus,
Thanks for your responses and step-by-step explanations.
Unfortunately I have HP switches, which I don't even know how to manage.
Do you have any suggestions? It would be a great help to me.
Jopeti.
02-11-2011 02:08 AM
Hi Jopeti,
No problem, please log in to that switch. I think for your HP switch you need to connect through "telnet".
If you are using PuTTY, please give that IP in the host name field and select "Telnet" instead of the default SSH.
Once you are logged in, it will give you menu options; select the "Command Line (CLI)" option.
Now you get exec mode; give the below command
#sh mac-address 00110a-fc9a9b
you will get the details like below...
# sh mac-address 00110a-fc9a9b
Status and Counters - Address Table - 00110a-fc9a9b
MAC Address : 00110a-fc9a9b
Located on Port : 25
See that "Located on Port : 25", so your bad PC is physically connected to that port... Go ahead and remove that PC from the network and do all the checks provided in my previous post.
Please rate all the helpful posts.
Regards,
Naidu.
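The lookup chain from the two replies above (IP to MAC with `sh ip arp`, then MAC to port on the Cisco and HP switches), as an added Python example that is not part of the original thread. The command outputs are constructed samples; the pairing of 00110a-fc9a9b with 10.20.2.154, the Vlan20 value and all function names are assumptions made for illustration.

```python
import re

# Constructed sample outputs; MAC-to-IP pairing and Vlan20 are assumptions.
CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.2.154             3   0011.0afc.9a9b  ARPA   Vlan20
Internet  10.20.2.200             0   Incomplete      ARPA
"""
CISCO_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  20    0011.0afc.9a9b    DYNAMIC     Gi4/35
"""
HP_MAC_TABLE = """\
Status and Counters - Address Table - 00110a-fc9a9b
MAC Address : 00110a-fc9a9b
Located on Port : 25
"""

def normalize_mac(text):  # 12 lowercase hex digits for any notation, else None
    digits = re.sub(r"[.:-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_from_arp(output, ip):  # None if the IP is absent or unresolved
    for fields in map(str.split, output.splitlines()):
        if len(fields) >= 4 and fields[0] == "Internet" and fields[1] == ip:
            return normalize_mac(fields[3])  # "Incomplete" becomes None
    return None

def port_from_cisco(output, mac):  # last column of the matching table row
    for fields in map(str.split, output.splitlines()):
        if len(fields) >= 4 and normalize_mac(fields[1]) == mac:
            return fields[-1]
    return None

def port_from_hp(output, mac):  # trust the port only if the MAC line matches
    kv = {k.strip().lower(): v.strip() for k, _, v in
          (line.partition(":") for line in output.splitlines())}
    if normalize_mac(kv.get("mac address", "")) == mac:
        return kv.get("located on port")
    return None

def trace(ip):  # returns the per-vendor query strings and the ports found
    mac = mac_from_arp(CISCO_ARP, ip)
    if mac is None:
        return None
    return {"cisco_query": f"{mac[:4]}.{mac[4:8]}.{mac[8:]}",
            "hp_query": f"{mac[:6]}-{mac[6:]}",
            "core_port": port_from_cisco(CISCO_MAC_TABLE, mac),
            "edge_port": port_from_hp(HP_MAC_TABLE, mac)}
```

Normalizing the MAC before comparing is what lets the same address be matched across the Cisco dotted notation and the HP dashed notation.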
02-11-2011 02:19 AM
Hi,
That worked, I got the PC disconnected from the network.
And thanks Naidu for your clear explanations and examples, working perfectly.
Jopeti.
02-11-2011 02:19 AM
Try this on the PC's gateway:
sh arp
This will list the ARP table and the interface which the PC is patched into.