Tracking down an unknown IP

oneirishpollack
Level 1

Can someone help me figure out how to track down this rogue device on the network? I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time
NSE: Loaded 117 scripts for scanning.
Initiating Ping Scan at 09:02
Scanning 10.0.0.7 [7 ports]
Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed
Initiating SYN Stealth Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)
Initiating UDP Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Discovered open port 123/udp on 10.0.0.7
Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)
Initiating Service scan at 09:02
Scanning 1000 services on 10.0.0.7
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.0.0.7
Discovered open|filtered port 161/udp on 10.0.0.7 is actually open
Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)
Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)
Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)
Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)
Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.7
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed
NSE: Script scanning 10.0.0.7.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:46
NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)
NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)
NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)
Completed NSE at 10:21, 2078.55s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 5.02s elapsed
NSE: Script Scanning completed.
Nmap scan report for 10.0.0.7
Host is up (0.00s latency).
Not shown: 1000 closed ports, 998 open|filtered ports
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info: 
|   receive time stamp: 07/15/10 09:46:36
|   system: cisco
|   leap: 0
|   stratum: 2
|   rootdelay: 25.53
|   rootdispersion: 6.96
|   peer: 511
|   refid: 156.34.21.3
|   reftime: 0xCFE98F9B.EF8BC22B
|   poll: 6
|   clock: 0xCFE98FB1.E0211428
|   phase: -0.462
|   freq: -176.82
|_  error: 0.75
161/udp open  snmp    Cisco SNMP service
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
Network Distance: 2 hops
Host script results:
|_ipidseq: Randomized
| qscan: 
| PORT   FAMILY  MEAN (ms)  STDDEV  LOSS (%) 
| 1      0       62.50      0.53    0.0%     
| 3      0       62.80      0.42    0.0%     
|_65389  0       62.30      0.48    0.0%     
TRACEROUTE (using port 113/tcp)
HOP RTT     ADDRESS
1   0.00 ms 192.168.2.3
2   0.00 ms 10.0.0.7
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds
           Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)

It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?

9 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

You can do it in two steps:

Step 1: As long as it is in the same IP subnet, ping the IP address. Then check the ARP cache.

Step 2: Now on the switch, issue "show mac address-table | include "

That will give you the exact port the IP is connected to.

Hope this helps.

Regards,

NT

Ganesh Hariharan
VIP Alumni

Hi,

As suggested by NT, first ping from the local switch and then issue the command show mac-address to find the IP address associated with the MAC and the port the MAC was learned from.

Hope to Help !!

Ganesh.H

Help me out with this.

192.168.2.3 is my internal router. When I ping two devices, 10.4.4.30 and the unknown device 10.0.0.7, I get replies. When I do a 'show arp', I fail to get a MAC for the 10.0.0.7 address, though I do get one for the 10.4.4.30 address.


L1-router2# sh arp | include 10.4.4.30
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
L1-router2# sh arp | include 10.0.0.7
L1-router2#

MAC address of "0019.b973.b5c9" is a Dell client.

Try pinging from the switch where you think it is connected and then try show arp or show mac-address.

Hope to Help !!

Ganesh.H

I relocated this to the correct response.

In addition, the 10.4.4.30 address was just to verify that ARP was working on the switch. The 10.0.0.7 address is the IP I am trying to discover.

The output from NMAP indicates that the device is 2 hops away. In this case there would not be an ARP entry in the local router (since ARP is for locally connected devices). I would suggest doing a traceroute to the 10.0.0.7 address. Go to the last device that responded, and do the show arp on that device.

HTH

Rick
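Added here as an example, not code from the thread or from Cisco: a small Python helper that applies NT's two-step lookup (IP to MAC via the ARP cache, MAC to port via the MAC address table) to saved CLI output, and reports Rick's caveat when the IP has no ARP entry because it is not on a directly connected subnet. The ARP and MAC-table text is constructed sample output in IOS format; only the 10.4.4.30 ARP line mirrors the poster's result.

```python
import re

# Constructed sample CLI output in Cisco IOS format (not from the thread, except the
# 10.4.4.30 ARP line, which mirrors the poster's "sh arp" result).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
Internet  10.4.4.1                -   0011.2233.4455  ARPA   Vlan4
"""
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    0019.b973.b5c9    DYNAMIC     Gi1/0/12
   4    0011.2233.4455    STATIC      CPU
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# 'show arp' row: Internet <ip> <age or -> <mac> ARPA <interface>
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+(\S+)", re.M)
# 'show mac address-table' row: <vlan> <mac> <type> <port>; rows listing several
# ports (multicast entries) are skipped because they never identify one edge port.
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)\s*$", re.M)

def parse_arp(text):
    """IP -> (MAC, SVI/interface) from 'show arp' output."""
    return {ip: (mac, iface) for ip, mac, iface in ARP_RE.findall(text)}

def parse_mac_table(text):
    """MAC -> (VLAN, port) from 'show mac address-table' output."""
    return {mac: (int(vlan), port) for vlan, mac, port in MAC_RE.findall(text)}

def locate(ip, arp_text, mac_text):
    """Resolve an IP to a switch port, or explain why this device cannot do it."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        # Rick's point: ARP only covers directly connected subnets. Traceroute to
        # the host and repeat this lookup on the last hop that answered.
        return {"ip": ip, "status": "no-arp-entry",
                "hint": "not a directly connected subnet here; traceroute, then "
                        "run show arp / show mac address-table on the last hop"}
    mac, iface = arp[ip]
    entry = parse_mac_table(mac_text).get(mac)
    if entry is None:
        return {"ip": ip, "mac": mac, "interface": iface, "status": "mac-not-learned"}
    vlan, port = entry
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "status": "located"}

if __name__ == "__main__":
    for target in ("10.4.4.30", "10.0.0.7"):
        print(locate(target, SHOW_ARP, SHOW_MAC))
```

Paste the real "show arp" and "show mac address-table" output of the last responding hop into SHOW_ARP and SHOW_MAC to apply it to the 10.0.0.7 case.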

Re: Tracking down an unknown IP

Thanks for all the help thus far. Here is the situation...

The trace route (tracert) from my workstation (10.9.9.50/24) to 10.0.0.7 shows this...

"Tracing route to 10.0.0.7 over a  maximum of 30 hops

  1     3 ms     4 ms     4 ms  192.168.2.3
  2     1  ms    <1 ms    <1 ms  10.0.0.7

Trace complete."

Trace ip 10.0.0.7 from my internal router (192.168.2.3) maxes out:

"L1-router2#trace  ip 10.0.0.7

Type  escape sequence to abort.
Tracing the route to 10.0.0.7

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *

29  *  *  *
30  *  *  *"

So 10.0.0.7, the "rogue" device I am trying to locate, appears to be connected to 192.168.2.3 (VLANs used) based on the results of my trace route. Why doesn't the MAC show up in the mac-address table of 192.168.2.3, or the IP/MAC in the ARP table?

So I verified the tracert:

Tracing route to 10.0.0.7 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.3
  2     1 ms    <1 ms    <1 ms  10.0.0.7

Trace complete.

10.0.0.7 is the device in question, but its IP is not in the ARP table of the router.


L1-router2#sh arp | include 10.0.0.7
L1-router2#

Any reasons why this might be?
