Finding the host which is sending traffic on a particular port?

Unanswered Question
Jan 16th, 2008
User Badges:

An internal user on my network has a virus and is sending data on a particular port. What's the best way to figure out which user it is? I can connect to a switch that I know the data is going through, and I know the port number.


Is syslog capable of this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Collin Clark Wed, 01/16/2008 - 09:54
User Badges:
  • Purple, 4500 points or more

If you know the switch and port number then you have a couple of options. You can put a packet analyzer on the switch, SPAN the port and look at the packets. It will show the source IP (which will be the PC's IP). If you want to stay Cisco, find the MAC address learned on the port.


SW06#sh mac-address-table interface fastEthernet 0/1

Mac Address Table

-------------------------------------------


Vlan Mac Address Type Ports

---- ----------- -------- -----

6 0019.bb4a.21b5 DYNAMIC Fa0/1


Now that we have the MAC address, go to the device that provides the gateway for that VLAN. Type show arp | include [MAC Address from above]. It will show the IP address. That IP address is of the PC.


HTH and please rate.

Actions

This Discussion