Determine Source IP Address on Ports

[itisme]

I have (5) Superstack 3 (4400 SE) switches. I would like to look at all of the ports and determine what IP addresses are assigned to the devices connected to all of my ports.

Our IPS reports are showing that there is some device on our network with an IP address 169.254.246.264(source) attempting to send packets to an outside IP address 239.255.255.250. We have no 169.X.X.X network.

The concern is that maybe these are malformed packets.

Is the 3Com switch capable of reporting ip addresses in the port traffic?

 

[TimRegester]

That PC will Probably be running Windows XP. The 169.254 address is that given by windows xp when either no static IP has been given to the pc or no address has been obtained via dhcp but where there is an ethernet link for the PC.

This PC should be fairly obvious, it probably cannot see any PCs is not in AD is not participating in WINS cannot print to network printers and cannot connect to the internet.

There is no malformed address and the switch will not care that the ip address of the PC is wrong so you will see no errored packets.

My suggestion is from a pc or even better a unix or Linux server, ping the errant address and do an arp -a immediately if it responds. This will give the mac address of the pc, by looking on the switch or in network supervisor you should be able to find which port it is hanging off. Failing that it is a manual process to find it, but should only take a few seconds on each pc by checking if a pc can see a server or the internet, the errant pc will not have a route to the server or internet.

 

[itisme]

Thank you TimReg_

The device has been found! Of all things it was new Oki Color printer with an ethernet print server that has not been configured yet. After disconnecting it from the switch, the IPS stopped reporting it.

 

[TimRegester]

Cheers I just learnt something, OKI are just as mad as Microsoft, I have never seen the logic of allocating a random IP address. If none is configured or obtained via dhcp I cannot think of any logical reason to do it, it cannot connect to anything so what is the point surely a better solution would be to send a message saying "IP service started but no ip address set, is this right?"

 

[eaglefan2000]

A good reason to recieve a dhcp lease for a new printer is to be able to print out a config from the printer then browse the printer's ip address using IE to make changes to the config. This is fast and easy.

Joseph Kunder
Technical Systems Specialist

 

[TimRegester]

dhcp leases I can understand, but allocating an IP address for an IP subnet not actually in use anywhere on your network is just plain annoying.

I found out why it is done. It is part of the plug and play networking concept from murkysoft. If you cannot be asked or do not understand IP addressing it is a way of connecting a number of XP PCs together following the networking wizard, unless you determine the ip subnet range it will use the 169.354.x.x/24 subnet and allocate each PC an address from that subnet, I would guess OKI are having a love affair with Microsoft and joined in this plug and pray ideal. It is still a dogs dinner after all how many people would have two or more PCs in a network with no internet connection (unless you uilise internet connection sharing which is quite frankly awful, can you imagine the hideous mess that this could cause, an xp PC acting as both router, firewall, dhcp server and being used as a PC.

Fine if you are a home user, but in business I would rather see the PC not have an IP address than given some daft useless one by the OS, I have seen this happen on corporate networks and cause less experienced IT guys masses of confusion. It should be turned off unless you have gone through the networking wizard.

Rant over.