1

OK, this is a stupid question, I know, but bear with me.

I started a new job and the networking is terrible; there are a bunch of dumb switches on top of dumb switches.

We are running a 10. network, but there is something on my network that has a 192 network that keeps sending out a lot of who-has ARP requests as well as other IGMP packets. Wireshark gives me the MAC address, but that's it. Is there a way I can fake an answer to the who-has request so that I can try to find this machine?

chicks
    You can at least get the equipment vendor from the MAC address: https://macvendors.com/ which may help narrow it down. – Mark Wagner Jun 06 '17 at 20:47

3 Answers

3

You can configure a single machine with a static IP address matching the ARP request and a proper netmask. The netmask has to be short enough to cover both the requested IP and the IP of the machine sending the requests. Most likely a netmask of 255.255.255.0 or 255.255.0.0 will work.

Once you have configured that static IP address on a machine it will start responding to the ARP requests. That should make the rate of the ARP requests drop. This machine will now be able to exchange IP packets with the rogue machine, and you can use other tools like for example nmap to identify what it may be running.

kasperd
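An added example, not part of kasperd's answer: it parses a captured ARP who-has frame and works out the static address and the longest netmask that still covers both the requested IP and the sender, skipping ARP probes that carry no sender IP. The frame bytes and the function names are constructed for illustration; a shorter mask such as 255.255.255.0 or 255.255.0.0 also works whenever it covers both addresses.

```python
import ipaddress
import struct

# Constructed sample: a 42-byte Ethernet frame carrying an ARP who-has.
# Sender 02:00:00:00:00:01 / 192.168.1.50 asks for 192.168.1.1.
SAMPLE = bytes.fromhex(
    "ffffffffffff" "020000000001" "0806"      # dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0001"            # Ethernet, IPv4, lengths, request
    "020000000001" "c0a80132"                 # sender MAC, sender IP
    "000000000000" "c0a80101"                 # target MAC (unset), target IP
)

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # too short or not ARP (802.1Q-tagged frames are not handled)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return sha.hex(":"), ipaddress.IPv4Address(spa), ipaddress.IPv4Address(tpa)

def covering_interface(sender_ip, target_ip):
    """Requested IP plus the longest prefix in which the sender is also a usable host."""
    sender, target = ipaddress.IPv4Address(sender_ip), ipaddress.IPv4Address(target_ip)
    if sender == target or int(sender) == 0:
        return None  # gratuitous ARP or address probe: no distinct sender IP to reach
    prefix = 32 - (int(sender) ^ int(target)).bit_length()
    while prefix > 0:
        net = ipaddress.ip_network(f"{target}/{prefix}", strict=False)
        if not {sender, target} & {net.network_address, net.broadcast_address}:
            return ipaddress.ip_interface(f"{target}/{prefix}")
        prefix -= 1  # an address fell on the network/broadcast address; widen
    return None

if __name__ == "__main__":
    mac, sender, target = parse_arp_request(SAMPLE)
    iface = covering_interface(sender, target)
    print(f"{mac} ({sender}) asks for {target}: configure {iface.ip} netmask {iface.netmask}")
```
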
0

You can use `arping -A` to send ARP REPLY packets.

AlexD
0

Now when you say "dumb switches", are we talking home-quality equipment that you can't manage at all? If they have any remote management at all they will usually tell you what port they see a given MAC address on.

Failing that, go and buy an old Cisco 2950/3550 switch for less than $100 and run all of your dumb switches off of that, which will allow you to find the misbehaving device pretty quickly.

Somewhat dangerous but workable: download a packet generator from https://wiki.wireshark.org/Tools#Traffic_generators and hammer the MAC address. The switch handling the MAC should light up its port like a spotlight. All of the switch interconnect ports will light up as well, so identify those before you decide where the device is plugged in.

Last-ditch method: plug your Wireshark into one of the switches. Turn other switches off until you no longer see the MAC. When you think you know what switch the device is in, plug your Wireshark into that switch and start disconnecting patch cables until you've eliminated the other MACs.

nutcase