
Finding computer by MAC address

Status
Not open for further replies.

egolds

MIS
Aug 29, 2001
US
One of the computers on my network must be having an issue connecting to the DHCP server because I am getting an IP spoof message from my firewall giving an IP address of 269.154.79.203 coming from the LAN.

This cannot be one of the users' computers because no one has indicated an issue connecting to network resources.

Since this computer is obviously not registering with DHCP, I cannot use DHCP to look up the MAC address. What other methods are available to find which computer has this MAC address? Especially given that it is not on our 192.168.X.X network.

Thanks in advance.
 
Unfortunately, almost all the cards we use are Cisco cards, so knowing the vendor doesn't help much. Any way to identify the host name with a MAC address?
 
If you have access to the switch (assuming you have one), you can run a "show port | include <mac>" (or something like that, I forget the command right now) and filter on the MAC address. This way, you can get which port the bad IP came in on. From there, if you have documentation showing what ports are wired to what receptacles, you can track down the culprit.
 
In my environment I use nbtstat -a [netbios hostname]
Otherwise, add some lines in the login scripts to dump the ipconfig of the client in a central location.



 
If you sniff for a DHCP DISCOVER packet (with ethereal for example) you should find the hostname if the client is advertising it. It's listed as OPTION 12 under the bootstrap protocol. Your mystery machine may also provide option 60 which is the vendor class identifier for the OS.
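
The fields named in the reply above (option 12 host name, option 60 vendor class identifier) can be read from a captured DHCP DISCOVER payload as in this added example, which is not part of the original thread. The sample packet, MAC address, host name and vendor class string are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 8: "INFORM"}  # option 53 values sent by clients

def parse_dhcp(payload: bytes) -> dict:
    """Pull identifying fields out of the UDP payload of a client DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    if op != 1 or hlen > 16:
        raise ValueError("not a client (BOOTREQUEST) message")
    info = {"mac": payload[28:28 + hlen].hex(":"), "type": None,
            "hostname": None, "vendor_class": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 12:         # host name, client-supplied and unauthenticated
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 60:         # vendor class identifier
            info["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def build_sample_discover() -> bytes:
    """Constructed DISCOVER; MAC, host name and vendor class are made-up sample values."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678, 0,
                         0x8000, bytes(4), bytes(4), bytes(4), bytes(4),
                         bytes.fromhex("00aabbccddee"), b"", b"")
    host, vendor = b"LAB-PC-07", b"MSFT 5.0"
    options = (bytes([53, 1, 1]) + bytes([12, len(host)]) + host +
               bytes([60, len(vendor)]) + vendor + b"\xff")
    return header + MAGIC + options

if __name__ == "__main__":
    print(parse_dhcp(build_sample_discover()))
```

The host name and vendor class are whatever the client chooses to send, so treat them as hints and confirm the MAC address against the switch's address table.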
 
We do have switches. Which brings me to two questions:
1) Where would I place the sniffer? If I put it on a workstation attached to the switch it will only pick up the communications between the workstation and the switch, since a switch does not broadcast to all ports on the switch (correct?).

2) How would I accomplish brontosauras's task of running a "show port | include <mac>"?

Thanks again
 
You should still see the DHCP packets because they are broadcast. More than likely you'll see them unless you've got a router in there somewhere or ACLs in switches, etc.
 
2.) How would I accomplish brontosauras's task of running a "show port | include <mac>"?

This would depend on the particular brand, model, and firmware of the switch. But most managed switches have this "feature", so assuming you can access the control port of the switch by way of telnet, http, serial cable, or whatever, then you should be able to fumble your way through the command line interface or menu system of the switch and find how to display the MAC addresses.
 
I have seen those sort of messages coming from my firewall and although the IP address is spoofed the MAC address is usually on the LAN.

I am not sure if you are running into the same situation or not, but I have been able to successfully get the MAC address in the DHCP table.


 
Follow btnet's follow-up advice on my post; you should be able to find your way around.
I do have one point to ask/make. Are you sure that IP the firewall is spitting at you is 269.154.x.x and NOT 169.254.x.x ? Because, if it's the latter, then that's an MS APIPA address, automatically assigned to clients that are unable to find a DHCP server, and would most likely be originating from your LAN.
 
Can't believe everyone missed this one:
at a command prompt, type ipconfig /all

You will get your MAC address.

Double check that address again. I bet it's 169.254.x.x and not the 269.154.79.203 you mentioned. If I'm right, then you are definitely not getting a dynamic address from DHCP on the client. The 169.254.x.x address is auto assigned by the client. There are several things that can cause this. I would try the following:

Assign a fixed address to the client for your subnet. If you're going through a router to get to the server, you'll need to put that in as the gateway. Can you ping the server or any other computer by their IP address? Yes will validate the network connection.
If you can't ping, then you may have a bad cable, bad NIC, bad port on the hub... lots of possibilities there, but I would suspect hardware. Can you ping 127.0.0.1? That's the loopback on the NIC itself. Get this resolved first.

If you're going through a router, is your router set to forward bootp packets or do you have a DHCP proxy on the subnet with the client? If other clients on that subnet are getting dynamic addresses, that will verify functionality. Make sure you can ping the DHCP server (or DHCP proxy) from the client and that your DHCP will be forwarded through routers if going through them.

You best be able to get an address now. If not, the only thing I've seen stop it is a firewall or IPSec policy requiring encrypted connections. Add ip 0.0.0.0 subnet 255.255.255.255 to your trusted zone, this is the broadcast address. I even added the loopback 127.0.0.1 and for grins 255.255.255.255.

If you're still having problems, install the network monitor driver on the server and the client and use the network monitor program on the server to capture packets (will capture packets from the client with the driver on it).
 
Yes... it was 169.254.x.x (a little dyslexia on my part), but that is how I knew it is coming from a client unable to reach the DHCP server.

The odd part about it is it has to be coming from one of the workstations, because all of the servers and printers have static IP addresses. Yet no one has complained about not being able to access network resources.
 
Seaspray0: I like your thoughts on the transposed 169.254.

However: egolds is trying to FIND the computer. S/He is not able to be at the computer to issue ipconfig.
 
So I don't have to look it up (and if anyone knows off hand)...how frequently will a computer that auto assigns itself an IP address search for a DHCP server?
 
I believe it's every 5 minutes on the DHCP search, and yes, it's 67 for the server, 68 for the client. Is it possible that one of your machines has a second NIC installed?
 
not one that would use dynamic addressing or one that is connected to the network.

I guess what is bugging me the most is that there is a computer that is attached to the network that is set up for DHCP but cannot reach the DHCP server.

I've been sniffing for any communication from 169.264.79.203 for about 10 minutes now and have not seen anything yet. I'll let it keep running. ARGGGGGGGGGGGG!!!
 