IP address conflicts

russell russm-freebsd-questions at slofith.org
Mon Sep 27 21:51:53 PDT 2004


On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:

>> or use a tool like arpwatch that is specifically designed to let you
>> know when MAC/IP relationships change on your network.
>
> You don't even need to do that - any router on the network is going to 
> log
> the MAC address because they will see the arp change, as will the other
> servers.

yeah, of course they'll see the change. but what will they do about it? 
update their internal ARP table and that's about it, unless they're 
smart enough (and correctly configured) to do more. arpwatch is simple 
to install and will notify you straight away when things happen that 
might need your attention.

>> you log the MAC addresses of all the fixed workstations in the school,
>> then when one of them starts doing the wrong thing you know *exactly*
>> where to go to nab the culprit.
>
> How, exactly?  Do you think that he has a list of all MAC addresses on 
> the
> network and who is using them?

the educational institutions I've worked in tend to be pretty anal 
about having a database of what computers they own and where they're 
located - something to do with stopping people from walking off with 
their assets. if your vendor is good they'll provide the machine MAC 
address along with the serial number and amount of installed RAM. if 
not then there's some walking to do. spend half a day and document the 
fixed machines on the network.

> Getting the MAC address is not the problem.  Finding it on what is
> essentially
> a completely flat network is.  You need managed switches for this so 
> you can
> see what port the offending MAC address is on.

now you're assuming that there's documentation as to what ports come 
out at what wall points, and that there's not still a lab full of 
dead-ass old machines sitting on 10Base2.

>> If it's not one of the fixed
>> workstations then you've got a bit more work to find the kiddie, but
>> it's nothing insurmountable.
>
> Unless of course the kiddies are using made up MAC addresses like
> BADBEEF, DEADBEEF, CO1DCOED, and such.

I'm assuming here, having worked in uni computer labs and seen this 
sort of crud being done, that what's happening is someone is changing 
the network settings on a PC... I don't recall seeing a text field next 
to the "enter your IP address" box that says "enter your MAC 
address"...



More information about the freebsd-questions mailing list