SUMMARY: conflicting IP and ARP

From: Sugan Moodley (suganm@is.co.za)
Date: Wed Jul 19 2000 - 09:12:41 CDT


Thank you to the following helpful and knowledge people:

Palmieri, Matt
Mike Salehi
Arthur Darren Dunham
James Ford
Jim.R.Jones
"Hummers, Rick (Frederick)"
Lusty Wench <lusty@lusty.org>
Harvey Wamboldt
Richard Bond
"Martin Carpenter"
Carlo Musante
"Biondi, Michael"
Paul Beltrani
Michael Sullivan
Brett Anthony Holman
Tim Pointing <
Safuan Mamat
Greg Mushen
Darryl C Price
Geoffrey Press
Hendrik Visage
Moti Levy
"Jason K. Schechner"

Basically most the replies suggested I use ARPWATCH (urls below)
You can also pick up the arp cache of that local router/switch as well.
Included below in this email are shell scripts as well to ping and update the
server's arp cache.

 
My original question was:

On our lan we have a malicious user using an IP address at random just to
conflict another server/workstation. What program can I use to figure out their IP address
(when they revert to their correct one) if I have the MAC address of
the offending card.

From: "Palmieri, Matt" <Matt.Palmieri@cmsis.com>
check out arpwatch.

From: Mike Salehi

try arp -a and grep for the MAC. Routers put their own MAC so it has to be
on the same LAN.

Mike

From: Arthur Darren Dunham <add@netcom.com>
 
Assuming you're not in a switched environment, you can do...
snoop <MACADDRESS>

That will record all packets sent to or from that mac address, including
the IP in use at that time.

If you're in a switched environment, that may not work well, because you
may not see all the traffic.

It would work if you could somehow ping all the machines.

Good Luck!

From: James Ford <jford@tusc.net>

Telnet into the router that subnet is on. If it's a cisco router you
should be able to issue a "show arp" and see all assigned IP addresses and
MAC addresses.

Put a read-only community variable on your router, use "snmpdump" with the
correct variable string to dump the arp table and record as necessary.

-- James

From: Jim.R.Jones@Cummins.com

Sugan,

This is not going to be to much help but I figure I will tell you my
experience.

What I had to do for PCs or NT workstations is to go around and look at
each mac address until I discovered the offending person and then I
explained to him and his manager the facts of life. But if it is a unix
box you can telnet to it and discover things fast and then talk to the
offending person and manager. But you have to telnet to the box when
he/she is using the dup ip address. If you come up with a better solution
please let me know I would like to have a better solution for this problem
myself.

jim jones

From: "Hummers, Rick (Frederick)" <hummers@enterasys.com>

A simple script to ping each node in turn then grep for the offending MAC in
your arp cache would work. Warning, it takes a long time to time out on
unused addresses, so don't put in any more numbers in the 'for' statement
than necessary. Also, once the node with the offending MAC gets in your
arp cache that each loop of the 'for' will display the same information.

something like (untested script follows):

#!/bin/sh
BADGUY=08:00:20:AA:BB:CC
ASPACE=<first three octets of your address space without trailing dot>

for X in 3 4 5 ...254
do
    /usr/sbin/ping $ASPACE.$X 2 > /dev/null
    if /usr/sbin/arp -a | grep $BADGUY > /dev/null
        then
        echo offending address is $ASPACE.$X
        /usr/sbin/arp -a | grep $BADGUY
        else
        echo not found
    fi
done

\s\Rick

From: Lusty Wench <lusty@lusty.org>

If everyone is plugging into a switch, you may be able to find out from
the switch which port the mac address in question is on.

Lusty

From: Harvey Wamboldt <harvey@iotek.ns.ca>
Are you pinging the broadcast address? If the "offender" is online,
and hasn't disabled ICMP ECHO then that should catch the offender.
Then run "snoop icmp" (as root in another xterm) to catch his reply
and "snoop -v icmp" to get his MAC address.

Rgds,

-H-

From: Richard Bond <rbond@mbt.washington.edu>

use nmap to map the entire network several times-

One when no one is complaining -

use diff to see the changes

From: "Martin Carpenter" <martincarpenter@hotmail.com>

I'm told that there are routers that'll statically bind IPs to MAC addresses
and bounce non-matching packets. Doesn't solve your immediate problem, will
require some serious configuration with >200 machines, will presumably
struggle with DHCP, but might be worth looking at for future use. Sorry I
don't have any vendors URLs, but could potentially make some polite
enquiries of one of my customers if you're interested.

Your dirty hack is the only other way that I know of. Good luck.

Martin.

From: Carlo Musante <carlo@ucomm.wayne.edu>

Sugan,

Here is a script I which uses the hosts file as a source for IP's.

Run from a c-shell (/bin/csh)

dor% touch x.o

dor% foreach i ( ` awk '{print $1}' /etc/hosts ` )
?
? ping $i >> x.o
? arp $i >> x.o
? end
dor%

Cat x.o and you will have a list IP's and Mac addresses. The ping updates
the arp cache. Redirecting the ping output to x.o is optional.

Carlo

From: "Biondi, Michael" <mbiondi@dlj.com>

You should have a full list of mac addresses -> ip addresses in your
router's arp cache. Have you tried looking here?

I'm not sure how this helps you though - even if you know that offender's
mac address, how are you going to figure out who's is using that machine?
If they do revert to another address that's one thing, but they are probably
just dropping off the net (when the ip they pick doesn't work) and trying
another one. Either way, the router is your best source.

The best (though not necessarily the easiest) way to fix this is to lock
down who has access to adding machines on your internal lan.

In any case,

Good luck,

Michael Biondi.

From: Paul Beltrani <pbeltrani@ll.mit.edu>

1) Solaris ships with "snoop". You can tell it to look for traffic from
the problem MAC address

2) tcpdump is similar to snoop. It's available from:
http://www.sunfreeware.com

3) RedHat Linux ships with a utility called Arpwatch that may be useful

>From the RedHat docs: "Arpwatch and arpsnmp are both network monitoring
tools. Both utilities monitor Ethernet or FDDI network traffic and build
databases of Ethernet/IP address pairs, and can report certain changes
via email."

Source code is available.

4) Charles Spurgeon's Ethernet Web Site has all sorts of handy links
including pointers to the OUI list. Using this list may lead you to the
manufacturer of the offending ethernet card. This can sometimes help you
narrow down your search. The site is at
http://www.ots.utexas.edu/ethernet

  - Paul Beltrani

From: Michael Sullivan <mike@trdlnk.com>

As a variation on your ping approach, note that you can ping the
broadcast address, which effectively pings everyone on your subnet at
once.

A cleaner approach might be to run snoop with a filter expression of
the rogue MAC address. However, you might not see any traffic from the
culprit if you are on a switched network.

You may be able to narrow down the list of suspects by identifying
the hardware vendor that assigned the MAC address; these web sites
can look up it for you:

http://standards.ieee.org/regauth/oui/index.shtml
http://coffer.com/mac_find/

From: Brett Anthony Holman <bholman@earthsci.unimelb.edu.au>

I think the program you are looking for is arpwatch (which you can
get from <http://www-nrg.ee.lbl.gov/>. This listens on the lan for
MACs and IPs, adds any it finds to its database, then monitors for
any changes. I use it quite a bit to find the MACs of conflicting
IP numbers (ie what you want to do) - if a MAC changes IP (or vice
versa), it will tell you that. The only caveat is, I've never tried
it on Solaris, only Redhat Linux. You also need the bpf and libpcap
packages.

Hope this helps,

From: Tim Pointing <tim@dciem.dnd.ca>

You can passively monitor the network, using snoop, watching for traffic
from the problem MAC address. Or maybe just watch the ARP traffic
for that MAC address.

From: Safuan Mamat <safuan@nc.com.my>
why don't u use arpwatch; at ftp://ftp.ee.lbl.gov/arpwatch.tar.Z

From: Greg Mushen <greg.mushen@gettyimages.com>

If you want to find the malicious user, you're eventually going to have to
associate the port of the switch or hub they are plugged into with the IP
address.

Check the arp cache of the switches (hopefully switches) your users are
plugged into. Hopefully you'll be able to trace this back to their jack.

Next, you might want to add a static arp entry in one of your switches to
prevent this from happening again. It creates a bit of maintenance
overhead--especially if the person who adds the entry leaves the company.
I'd do this only if it were absolutely necessary.

-Greg

From: Darryl C Price <Price.203@osu.edu>

Run snoop with the verbose switch. The MAC address is in the ethernet header source address,
the IP address is in the IP header. I'd start with the destination address and check for
logins on the distination box from this source address. If you're lucky this will yield a
username.

snoop -v

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 5 arrived at 20:41:56.66
ETHER: Packet size = 1496 bytes
ETHER: Destination = 0:a0:c9:ed:80:60,
ETHER: Source = 8:0:20:1f:91:f5, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 1482 bytes
IP: Identification = 12016
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = c579
IP: Source address = 10.0.0.1, snoopy
IP: Destination address = 10.0.0.2, linus
IP: No options

--Darryl

From: Geoffrey Press <GeoffreyP@Tforce.com.au>

Sugan,
You may wish to use some sort of network sniffer. these work on a lower
lavel of the network enabling you to capture the actual MAC and IP
Addresses.
Alternatively, you could just shoot the user. (No I dont really mean that,
just sometimes I wish it would happen :-)

GP

From: Hendrik Visage <hvisage@is.co.za>

In Mandrake, I've noticed a utility call arpwatch....

Go figure ;^)

From: Moti Levy <mlevy@lannet.com>

Try installing a program called arpwatch .
this will monitor any new ip/mac on your network and create a file .
also it can email you all it sees .
here's an output for a mac address that had an ip change .
          hostname: <unknown>
          ip address: 10.10.10.10
    ethernet address: 0:40:d:94:49:0
     ethernet vendor: LANNET Data Communications
old ethernet address: 0:40:d:8c:4b:0
 old ethernet vendor: LANNET Data Communications
           timestamp: Wednesday, June 14, 2000 18:51:07 +0300
  previous timestamp: Wednesday, June 14, 2000 18:51:07 +0300
               delta: 0 seconds
this comes as a package in linuxes but i know you can compile it on solaris
as well .
also which network hardware are you using.
you can try and trace it's mac address by port and disable it .
then when he/she complains about no link you can kick his/her butt !!!
Moti

From: "Jason K. Schechner" <jas@cais.com>

I know it's not the answer you want, but broadcast ping/arp is probably
the simplest way to do it, once the user reverts to his own IP address.
Once that's done you might want to look into doing something about his
abuse through your switch. When the bozo pulls his IP-switching stunt
just shut off his switch port. You could even automate this with expect
or something like it.

Hope this helps.

--------AND one more from James Ford:

From: James Ford <jford@tusc.net>

>/ Put a read-only community variable on your router, use "snmpdump" with the
>/ correct variable string to dump the arp table and record as necessary.

For the cisco:

config t
snmp-server community goaway RO
end
wri m

"goaway" is the password for your RO community variable. Grab the
ucd-snmp programs from your favorite FTP site, compile/install, and then:

snmpwalk ip_address_here goaway | tee -ia filename.out

The first part dumps the snmp variables to screen. "tee" will also write
out the screen to "filename.out".

You will have to muck with it some to make it happy. You could
compile/install PHP on your webserver (I assume apache) and create a page
such that when the problem appears, you can go to the webpage and
immediately see who's got what IP address and MAC address.

Don't forget to summarize to the list.

-- James

S
U BEFORE POSTING please READ the FAQ located at
N ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
. and the list POLICY statement located at
M ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
A To submit questions/summaries to this list send your email message to:
N sun-managers@ececs.uc.edu
A To unsubscribe from this list please send an email message to:
G majordomo@sunmanagers.ececs.uc.edu
E and in the BODY type:
R unsubscribe sun-managers
S Or
. unsubscribe sun-managers original@subscription.address
L To view an archive of this list please visit:
I http://www.latech.edu/sunman.html
S
T



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:12 CDT