I recently had a case where an end user thought it would be a good idea to connect their home router into the network to overcome “a lack of ports in their office”. Needless to say this caused havoc for the other users on that site, as the router started issuing DHCP addresses on another subnet!
I had to quickly track down where this device was on the network using a combination of a freeware tool called ‘Rogue DHCP Server Detection’ and LLDP commands on HP ProCurve switches. Note that the Rogue DHCP Server Detection tool is subnet based, so make sure you run it from a host on the same subnet as the rogue device.
If you already know its MAC address then feel free to skip ahead, but as I didn’t and only knew its IP, I had to get its MAC address first.
I knew there was a Debian Linux box at the site, so I SSH’ed onto that, added another IP to the interface to bring it onto the same subnet as the rogue device, then tried to ping the device, which luckily responded! Then a hunt in the ARP table for its MAC address and BINGO, I had it. The commands I used are below.
1. Add a temporary address on the rogue device’s subnet (pick a free address on that subnet, not the rogue device’s own):
   root@WiFiSquid:~# ip addr add dev eth0 <free-address-on-rogue-subnet>/24
2. Ping the rogue device out of that interface (note the capital -I for the interface; lowercase -i is the ping interval):
   root@WiFiSquid:~# ping -I eth0 192.168.1.254
3. Look the device up in the ARP table:
   root@WiFiSquid:~# arp -a | grep 192.168.1.254
   ? (192.168.1.254) at a4:b1:e9:38:a7:4e [ether] on eth0
4. Remember to remove the temporary IP before disconnecting!!
   root@WiFiSquid:~# ip addr del dev eth0 <free-address-on-rogue-subnet>/24
Now these steps will vary depending on your environment, but I had roughly 12 switches to hunt through to track it down, so I have condensed it for this article.
Connect to the first switch you wish to victimise and look the MAC address up in its address table (note the ProCurve format: a4b1e9-38a74e rather than a4:b1:e9:38:a7:4e):
HP-Switch-1# show mac-address a4b1e9-38a74e

 Status and Counters - Address Table - a4b1e9-38a74e

  Port
  -------
  50
Port 50 is an uplink port, so the device is hanging off another switch somewhere else on the network.
What is on port 50?
HP-Switch-1# show lldp info remote-device

 LLDP Remote Devices Information

  LocalPort | ChassisId                 PortId PortDescr SysName
  --------- + ------------------------- ------ --------- ----------------------
  50        | 58 20 b1 c2 2b 80         6      6         HP-Switch-2
Hop onto the switch named in ‘SysName’. Its IP address can be found by running show lldp info remote all (this command doesn’t show up on tab completion!). Just rinse and repeat what we did above until you find it.
HP-Switch-1# show lldp info remote all

 LLDP Remote Device Information Detail

  Local Port   : 50
  ChassisType  : mac-address
  ChassisId    : 58 20 b1 c2 2b 80
  PortType     : local
  PortId       : 6
  SysName      : HP-Switch-2
  System Descr : HP J9584A 3800-24SFP-2SFP+ Switch, revision KA.15.15.0012...
  PortDescr    : 6
  Pvid         : 1

  System Capabilities Supported : bridge, router
  System Capabilities Enabled   : bridge

  Remote Management Address
     Type    : ipv4
     Address : 192.168.9.10

  Poe Plus Information Detail
     Poe Device Type       : Type2 PSE
     Power Source          : Unknown
     Power Priority        : Unknown
     Requested Power Value : 0 Watts
     Actual Power Value    : 0 Watts
HP-Switch-2# show mac-address a4b1e9-38a74e

 Status and Counters - Address Table - a4b1e9-38a74e

  Port
  -------
  18
From the above we can see our device is on port 18 of switch 2 (a port with no LLDP neighbour, so an edge port rather than another uplink). I then shut the port down to stop it from issuing any more IPs.
HP-Switch-2# conf t
HP-Switch-2(config)# interface 18
HP-Switch-2(eth-18)# disable
Of course this will differ but the principle will be the same.
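The whole hunt above (convert the MAC from the Linux ARP format to the ProCurve format, look it up in a switch’s address table, check whether that port has an LLDP neighbour, and hop to that neighbour until the MAC lands on a port with no switch behind it) is mechanical enough to script. The following is an added example, not code from the article; it works offline on constructed CLI output modelled on the article’s show mac-address and show lldp info remote-device listings (the MAC, port numbers and switch names are the article’s; the second switch’s LLDP table, the chassis ID 58 20 b1 c2 2b 70 and the exact column spacing are assumed). In a live environment the two dictionaries would be replaced by a function that runs the two commands on each switch and returns the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output of "show mac-address a4b1e9-38a74e" on each switch.
MAC_TABLE_OUTPUT: Dict[str, str] = {
    "HP-Switch-1": (
        " Status and Counters - Address Table - a4b1e9-38a74e\n"
        "\n"
        "  Port\n"
        "  -------\n"
        "  50\n"
    ),
    "HP-Switch-2": (
        " Status and Counters - Address Table - a4b1e9-38a74e\n"
        "\n"
        "  Port\n"
        "  -------\n"
        "  18\n"
    ),
}

# Constructed sample output of "show lldp info remote-device" on each switch.
# Switch 2's row (port 6 facing port 50 on switch 1) is assumed for the example.
LLDP_OUTPUT: Dict[str, str] = {
    "HP-Switch-1": (
        " LLDP Remote Devices Information\n"
        "\n"
        "  LocalPort | ChassisId                 PortId PortDescr SysName\n"
        "  --------- + ------------------------- ------ --------- -----------\n"
        "  50        | 58 20 b1 c2 2b 80         6      6         HP-Switch-2\n"
    ),
    "HP-Switch-2": (
        " LLDP Remote Devices Information\n"
        "\n"
        "  LocalPort | ChassisId                 PortId PortDescr SysName\n"
        "  --------- + ------------------------- ------ --------- -----------\n"
        "  6         | 58 20 b1 c2 2b 70         50     50        HP-Switch-1\n"
    ),
}


def to_procurve_mac(mac: str) -> str:
    """Convert a MAC in any common notation (a4:b1:e9:38:a7:4e, a4-b1-...,
    a4b1.e938.a74e) to the ProCurve aaaaaa-bbbbbb form used by show mac-address."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{hexdigits[:6]}-{hexdigits[6:]}"


def parse_mac_table_port(output: str) -> Optional[str]:
    """Return the port under the 'Port' column of show mac-address output, or None."""
    lines = [line.strip() for line in output.splitlines()]
    for i, line in enumerate(lines):
        if line == "Port":
            # the column header is followed by a dashed separator, then the port
            for candidate in lines[i + 1:]:
                if candidate and not candidate.startswith("-"):
                    return candidate
    return None


def parse_lldp_neighbours(output: str) -> Dict[str, str]:
    """Map local port -> remote SysName from show lldp info remote-device output.
    Assumes the SysName is the last whitespace-separated token on each row."""
    neighbours: Dict[str, str] = {}
    for line in output.splitlines():
        if "|" not in line:
            continue  # title, blank line or the "--- + ---" separator
        local, _, rest = line.partition("|")
        local = local.strip()
        tokens = rest.split()
        if local == "LocalPort" or len(tokens) < 4:
            continue  # column header row or a row too short to hold a SysName
        neighbours[local] = tokens[-1]
    return neighbours


def trace_mac(mac: str, start_switch: str, mac_tables: Dict[str, str],
              lldp_tables: Dict[str, str], max_hops: int = 16) -> Tuple[str, str, List[str]]:
    """Follow a MAC from switch to switch over LLDP-discovered uplinks.
    Returns (switch, port, path) for the edge port the MAC was learned on."""
    target = to_procurve_mac(mac)
    switch, path = start_switch, []
    for _ in range(max_hops):
        path.append(switch)
        table = mac_tables[switch]
        port = parse_mac_table_port(table) if target in table else None
        if port is None:
            raise LookupError(f"{target} is not in the address table of {switch}")
        neighbour = parse_lldp_neighbours(lldp_tables[switch]).get(port)
        # No LLDP neighbour, or one we cannot query (a phone, the rogue router
        # itself if it speaks LLDP): this is the edge port, stop here.
        if neighbour is None or neighbour not in mac_tables:
            return switch, port, path
        if neighbour in path:
            raise RuntimeError(f"{target} on {switch} port {port} points back to "
                               f"{neighbour}: MAC is flapping or LLDP data is stale")
        switch = neighbour
    raise RuntimeError(f"gave up after {max_hops} hops")


if __name__ == "__main__":
    sw, port, path = trace_mac("a4:b1:e9:38:a7:4e", "HP-Switch-1",
                               MAC_TABLE_OUTPUT, LLDP_OUTPUT)
    print(f"{' -> '.join(path)}: device is on {sw} port {port}")
```

The loop and hop-limit checks matter in practice: a MAC that is being learned on two uplinks at once (a loop, or the rogue router bridging two ports) shows up as the trace pointing back at a switch already visited, which is worth knowing before you start disabling ports.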