IP address conflicts
russell
russm-freebsd-questions at slofith.org
Mon Sep 27 21:51:53 PDT 2004
On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:
>> or use a tool like arpwatch that is specifically designed to let you
>> know when MAC/IP relationships change on your network.
>
> You don't even need to do that - any router on the network is going to log
> the MAC address because they will see the arp change, as will the other
> servers.

yeah, of course they'll see the change. but what will they do about it?
update their internal ARP table and that's about it, unless they're
smart enough (and correctly configured) to do more. arpwatch is simple
to install and will notify you straight away when things happen that
might need your attention.
>> you log the MAC addresses of all the fixed workstations in the school,
>> then when one of them starts doing the wrong thing you know *exactly*
>> where to go to nab the culprit.
>
> How, exactly? Do you think that he has a list of all MAC addresses on the
> network and who is using them?

the educational institutions I've worked in tend to be pretty anal
about having a database of what computers they own and where they're
located - something to do with stopping people from walking off with
their assets. if your vendor is good they'll provide the machine MAC
address along with the serial number and amount of installed RAM. if
not then there's some walking to do. spend half a day and document the
fixed machines on the network.

> Getting the MAC address is not the problem. Finding it on what is essentially
> a completely flat network is. You need managed switches for this so you can
> see what port the offending MAC address is on.

now you're assuming that there's documentation as to what ports come
out at what wall points, and that there's not still a lab full of
dead-ass old machines sitting on 10Base2.
>> If it's not one of the fixed
>> workstations then you've got a bit more work to find the kiddie, but
>> it's nothing insurmountable.
>
> Unless of course the kiddies are using made up MAC addresses like
> BADBEEF, DEADBEEF, CO1DCOED, and such.
I'm assuming here, having worked in uni computer labs and seen this
sort of crud being done, that what's happening is someone is changing
the network settings on a PC... I don't recall seeing a text field next
to the "enter your IP address" box that says "enter your MAC
address"...
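
The workflow discussed in this message (watch for an IP whose MAC changes, then look the new MAC up in the asset database), as an added example that is not part of the original post and is not arpwatch's own code. The `arp -an` snapshots, addresses and inventory entries are constructed, and the function names are hypothetical.

```python
import re

# Matches `arp -an` lines such as:
#   ? (10.0.0.5) at 00:0d:60:aa:bb:01 on fxp0 [ethernet]
# Entries shown as "(incomplete)" carry no MAC and do not match.
ARP_LINE = re.compile(
    r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}) ", re.I)

def normalize(mac):
    """Zero-pad and lower-case each octet; some arp tools print 0:d:60:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = normalize(m.group(2))
    return table

def changes(before, after, inventory):
    """List (ip, old_mac, new_mac, location) for each IP whose MAC changed."""
    report = []
    for ip, new_mac in sorted(after.items()):
        old_mac = before.get(ip)
        if old_mac is not None and old_mac != new_mac:
            where = inventory.get(new_mac, "not in inventory")
            report.append((ip, old_mac, new_mac, where))
    return report

# Constructed asset database: MAC -> documented location of a fixed machine.
INVENTORY = {"00:0d:60:aa:bb:01": "Lab 2, desk 14",
             "00:0d:60:aa:bb:02": "Lab 2, desk 15"}

# Constructed snapshots taken before and after the conflict appears.
BEFORE = """? (10.0.0.1) at 00:02:b3:10:20:30 on fxp0 [ethernet]
? (10.0.0.14) at 00:0d:60:aa:bb:01 on fxp0 [ethernet]
? (10.0.0.20) at 00:0d:60:aa:bb:02 on fxp0 [ethernet]"""
AFTER = """? (10.0.0.1) at 0:d:60:aa:bb:1 on fxp0 [ethernet]
? (10.0.0.14) at 00:0d:60:aa:bb:01 on fxp0 [ethernet]
? (10.0.0.20) at de:ad:be:ef:00:01 on fxp0 [ethernet]
? (10.0.0.30) at (incomplete) on fxp0 [ethernet]"""

if __name__ == "__main__":
    for ip, old, new, where in changes(parse_arp(BEFORE), parse_arp(AFTER), INVENTORY):
        print(f"{ip}: {old} -> {new} ({where})")
```

A changed MAC that is missing from the inventory, as with the second constructed entry, is the case where the lookup alone does not locate the machine.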