
Resolving IP Address through Mac Address

Status
Not open for further replies.

cixelsydmai

Technical User
Dec 11, 2002
33
US
Hi everyone,

Our network recently got infected by the Nachi worm, and in an effort to eradicate the worm and all the excess traffic caused by it, we put in an ACL that black-holes all ICMP traffic.
We are also running a Syslog server that keeps track of the IP address and the MAC address of the machines that generate ICMP traffic that then gets black-holed. However, due to the DHCP lease expiration time on our network, we have been unable to track the IP addresses of some of the computers that are generating the traffic, because by the time we look at the syslogs, the suspected infected machines no longer have those IP addresses. (nbtstat -A against those IP addresses reveals they are now a different machine.)
Is there a way to find out the IP address based on the MAC addresses that are recorded in the syslog?

I am using Windows XP Professional and I tried using `arp -s [ip address] [mac address]`, but I must be using it wrong, as I am unable to ping the IP address that I associate with the MAC address in the arp -s command.

Any help is greatly appreciated,

Sven
 
Sven, you sort of contradicted yourself there, at least the way I read it -- you've blocked ICMP (ping) traffic with an ACL, but then you can't ping the IP address for the MAC in question.

How long are these DHCP leases, anyhow????
 
In response to your question jpm121, you can still ping in the same subnets, or if you ping across subnets, you will get an initial reply from the host you are pinging; however, you will not get actual ping times. I believe our DHCP leases were 24 hours; however, some suspected infected machines do not have the same IP address the day we go over the syslog.
Now we are stuck trying to track down computers whose IP addresses are no longer the same ones as the syslog shows, and I figured if you could somehow get the IP address of a machine through the recorded MAC address from the syslog, we can most likely figure out where the machines are, due to the naming convention we use (machines are named by department name and serial number, and then an 'nbtstat -A' would reveal the name of the computer, if it was up and running of course).

Sorry if I didn't explain it very well. Thanks again in advance,

Sven
 
I think implicit in jpm121's advice was to extend the default DHCP lease time, at least temporarily, so that you can find the guilty parties while they still resolve to real machines.

 
Or you can check the syslogs during the day, maybe 1st thing, lunch and just before you leave? That would certainly be in your lease time frame.

But can't you just turn on logging for DHCP leases? At least temporarily. Then you could just look it up later, at your convenience.


pansophic
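The DHCP lease logging pansophic suggests (and the lease-time point raised above) is what turns a MAC from the syslog back into an address and host name, so here is a worked example of the correlation. This is added example code, not anything posted in this thread; the DHCP lines are constructed and modelled on the CSV layout of the Windows DHCP server audit log, and the syslog line format and the year are assumptions, so adjust the parsers to your own logs.

```python
import csv
import io
import re
from datetime import datetime

# Constructed DHCP audit-log lines, modelled on the Windows DHCP server audit log
# CSV layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address).
# The layout is an assumption; check it against your own server's log.
DHCP_LOG = """\
10,09/03/03,08:15:22,Assign,10.1.2.50,ACCT-00123.corp.local,000C29AABBCC
10,09/03/03,08:20:05,Assign,10.1.2.51,ENG-00777.corp.local,00D0B7112233
12,09/03/03,17:40:10,Release,10.1.2.50,ACCT-00123.corp.local,000C29AABBCC
10,09/04/03,07:58:31,Assign,10.1.2.50,ENG-00777.corp.local,00D0B7112233
10,09/04/03,08:03:12,Assign,10.1.2.77,ACCT-00123.corp.local,000C29AABBCC
"""

# Constructed syslog lines from the ICMP black-hole ACL (format is an assumption).
SYSLOG = """\
Sep  3 10:12:44 core-rtr ICMP drop src=10.1.2.50 mac=00:0c:29:aa:bb:cc
Sep  4 09:30:01 core-rtr ICMP drop src=10.1.2.50 mac=00:d0:b7:11:22:33
"""
SYSLOG_YEAR = 2003  # classic syslog timestamps carry no year (assumed)
SYSLOG_RE = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ ICMP drop src=(\S+) mac=(\S+)$")


def norm_mac(mac):
    """Canonical MAC: 12 lowercase hex digits, separators stripped."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def to_dt(when):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(when, datetime):
        return when
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S")


def parse_dhcp_log(text):
    """Return lease events (Assign/Renew/Release) sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue
        _id, date, time_, desc, ip, host, mac = row
        when = datetime.strptime(f"{date} {time_}", "%m/%d/%y %H:%M:%S")
        events.append({"when": when, "kind": desc, "ip": ip,
                       "host": host, "mac": norm_mac(mac)})
    events.sort(key=lambda e: e["when"])
    return events


def lease_at(events, mac, when):
    """(ip, host) that `mac` held at `when`, or None if it had no lease then."""
    mac, when = norm_mac(mac), to_dt(when)
    active = None
    for e in events:  # time-ordered, so the last matching event wins
        if e["mac"] != mac or e["when"] > when:
            continue
        if e["kind"] in ("Assign", "Renew"):
            active = (e["ip"], e["host"])
        elif e["kind"] == "Release":
            active = None
    return active


def current_lease(events, mac):
    """The lease the MAC holds now, i.e. the address you can reach it on today."""
    return lease_at(events, mac, datetime.max)


def resolve_syslog(syslog_text, events, year=SYSLOG_YEAR):
    """For each drop line: who the MAC was then, where it is now, and whether the
    logged IP agrees with DHCP (a mismatch points at a static or spoofed address)."""
    out = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(" ".join(line.split()))
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src_ip, mac = m.group(2), norm_mac(m.group(3))
        then = lease_at(events, mac, when)
        out.append({"when": when, "mac": mac, "logged_ip": src_ip,
                    "then": then, "now": current_lease(events, mac),
                    "consistent": then is not None and then[0] == src_ip})
    return out


if __name__ == "__main__":
    ev = parse_dhcp_log(DHCP_LOG)
    for r in resolve_syslog(SYSLOG, ev):
        print(r["when"], r["mac"], "was", r["then"], "now", r["now"],
              "ok" if r["consistent"] else "MISMATCH")
```

The point of keeping the full event history rather than just the latest lease is the case in the thread: the MAC seen on 3 Sep at 10.1.2.50 is a different machine from the one holding 10.1.2.50 on 4 Sep, and only the time-indexed lookup gets that right.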
 
What kind of network equipment do you have? We have Cisco switches and routers. In our core router we issue a show arp which will list IP and HW addresses. Then bounce the HW addresses off the MAC tables (show mac) in the switches. Chase the wire of that port and there you are.
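A worked version of the show arp / show mac chase described in the post above, as added example code that is not from this thread or any vendor tool. The command outputs are constructed samples in the style of Cisco IOS `show arp` and `show mac-address-table`, and the inter-switch link map is an assumption about the topology (in practice you take it from your documentation or CDP neighbours). The part worth having in code is the walk from switch to switch: a MAC learned on an uplink port only tells you which switch to look at next, and the hunt ends at the first edge port.

```python
import re

# Constructed `show arp` output from the core router (sample data, not a real device).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.2.50              12   000c.29aa.bbcc  ARPA   Vlan20
Internet  10.1.2.51               3   00d0.b711.2233  ARPA   Vlan20
Internet  10.1.2.1                -   0005.5e12.3456  ARPA   Vlan20
"""

# Constructed `show mac-address-table` output from two switches (sample data).
MAC_TABLES = {
    "dist-1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    000c.29aa.bbcc    DYNAMIC     Gi0/1
  20    00d0.b711.2233    DYNAMIC     Fa0/7
""",
    "access-3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    000c.29aa.bbcc    DYNAMIC     Fa0/12
  20    00d0.b711.2233    DYNAMIC     Gi0/24
""",
}

# Assumed inter-switch links: (switch, port) -> the switch on the other end.
UPLINKS = {("dist-1", "Gi0/1"): "access-3", ("access-3", "Gi0/24"): "dist-1"}


def norm_mac(mac):
    """Canonical MAC: 12 lowercase hex digits, works for aa:bb, aabb.ccdd and AABB."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_show_arp(text):
    """MAC -> (ip, router interface) from `show arp`."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "Internet":
            _, ip, _age, hw, _type, iface = parts
            table[norm_mac(hw)] = (ip, iface)
    return table


def parse_mac_table(text):
    """MAC -> port from `show mac-address-table`."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            _vlan, hw, _type, port = parts
            table[norm_mac(hw)] = port
    return table


def locate_mac(mac, start_switch, mac_tables, uplinks, max_hops=10):
    """Follow a MAC across switches until it is learned on a non-uplink (edge) port.
    Returns ((switch, port), path) or (None, path) if it aged out or the walk loops."""
    mac, switch, path = norm_mac(mac), start_switch, []
    for _ in range(max_hops):
        port = mac_tables[switch].get(mac)
        if port is None:
            return None, path  # not learned here: aged out, or host is down
        path.append((switch, port))
        nxt = uplinks.get((switch, port))
        if nxt is None:
            return (switch, port), path  # edge port: the cable to chase
        switch = nxt
    return None, path  # exceeded max_hops: uplink map is probably wrong


def resolve(mac, start_switch="dist-1"):
    """One-shot lookup: current IP from the router ARP cache plus the edge port."""
    tables = {name: parse_mac_table(t) for name, t in MAC_TABLES.items()}
    location, path = locate_mac(mac, start_switch, tables, UPLINKS)
    return {"mac": norm_mac(mac), "arp": parse_show_arp(SHOW_ARP).get(norm_mac(mac)),
            "location": location, "path": path}


if __name__ == "__main__":
    for m in ("00:0c:29:aa:bb:cc", "00d0.b711.2233", "0005.5e12.3456"):
        print(resolve(m))
```

Two caveats a practitioner will hit: the ARP cache and the MAC tables both age out, so a quiet or powered-off host simply is not there, and a MAC learned on a trunk with many other MACs behind it is an uplink even if your link map does not say so, so check the port's neighbour before pulling a cable.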
 
Ok, check this thread950-668539 and insert it into your scheduler for whatever time you are going to need the result of nbtstat -a.
 