What is the easist way to physically find a PC on your network. 1

[ilMac]

I found a PC that is scanning my IP addresses from within the network. I suspect a trojan of some sort. How do I find where that PC is on the network?

 

[rn4it]

If you're on an MS network, then go to the command prompt an use 'nbtstat -a <ip address> this will give you the name of the PC/Server. If the device is not MS or has been locked down this cmd may not work.
or
If you have and have access to switches/routers on your network there should be a command that will look at the arp tables of the device. You find out the MAC address of the IP, and hop from switch/router to switch/router until you come to the port it's originating from. From that port you trace out the cabling.

good luck

 

[chiph]

Physically, as in the real world?

You need to take rn4it's second suggestion and locate the port on the hub/switch they're cabled to, and trace the wire back.

Chip H.


____________________________________________________________________
Donate to Katrina relief:

http://s1.amazon.com/paypage/PELYGQVJ8Q7IB/103-6821258-5919825

If you want to get the best response to a question, please read FAQ222-2244 first

 

[Spirit]

Go to a PC that is being scanned turn on netmon and wait until you're scanned and you'll see the IP address that the scan came from.

Find out which PC has the lease for that address then bad a bing you're done.

Iain

 

[ilMac]

What if i cant find it on any of the switches that are managable? Is there a way to tracert it? I have the MAC address.

 

[PalmTest]

Hi Imac,

What kind of switches do you use?

Most switches have a console port so you can connect to it using the serial port of your Laptop.
Then you can issue the MAC address lookup command on that switch, find out the port it is attached to and trace the wire back.

Log in to your Router and search the ARP table to find the MAC address and find the corresponding IP address it is currently using.

 

[m4ilm4n]

If it's a Cisco, the command should be show ip arp, but it's been my experience that a switch with a VLAN configuration will only show the VLAN that a MAC address is in - it won't show the physical port it's connected to - unless anyone knows something different, in which case please fill me in!

 

[PalmTest]

When searching in the core switch (6500 with CatOS) I use the command:
Show cam 00-00-12-34-56-78
Then I check which Distribution switch it goes to.
Show cdp neighbors

When searching in my Distribution and/or Access switches I use the command:
show mac-addresses-table | include 5678
When a port is returned I check if it is an up or downlink with the command:
show cdp neighbors
I then check the status with the command:
show interface status

 

[ilMac]

I do know what the MAC address is, but unfortunatly I am not finding it on any of my Cisco switches so I think it is connected to my 3Com switches some of which do not have a console port so are unmanagable.

 

[PalmTest]

The 3Com have no console port? Not even a DB9 serial connector?

If you are lucky the 3Com switches are SNMP managable.
If so I suggest you use Cammer, which is a Perl script from our friend Tobias Oetiker (MRTG).

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub/contrib/

You can schedule the script to run as often as you seem fit.
When the MAC address becomes active again, you can catch it with cammer.
Read the cammer.readme.txt, and good luck.