07-16-2010 10:09 AM - edited 03-06-2019 12:03 PM
Can someone help me figure out how to track down this rogue device on the
network. I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time
NSE: Loaded 117 scripts for scanning.
Initiating Ping Scan at 09:02
Scanning 10.0.0.7 [7 ports]
Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed
Initiating SYN Stealth Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)
Initiating UDP Scan at 09:02
Scanning 10.0.0.7 [1000 ports]
Discovered open port 123/udp on 10.0.0.7
Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)
Initiating Service scan at 09:02
Scanning 1000 services on 10.0.0.7
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.0.0.7
Discovered open|filtered port 161/udp on 10.0.0.7 is actually open
Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)
Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)
Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)
Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)
Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.7
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed
NSE: Script scanning 10.0.0.7.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:46
NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)
NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)
NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)
Completed NSE at 10:21, 2078.55s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 5.02s elapsed
NSE: Script Scanning completed.
Nmap scan report for 10.0.0.7
Host is up (0.00s latency).
Not shown: 1000 closed ports, 998 open|filtered ports
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4
| ntp-info:
| receive time stamp: 07/15/10 09:46:36
| system: cisco
| leap: 0
| stratum: 2
| rootdelay: 25.53
| rootdispersion: 6.96
| peer: 511
| refid: 156.34.21.3
| reftime: 0xCFE98F9B.EF8BC22B
| poll: 6
| clock: 0xCFE98FB1.E0211428
| phase: -0.462
| freq: -176.82
|_ error: 0.75
161/udp open snmp Cisco SNMP service
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
Network Distance: 2 hops
Host script results:
|_ipidseq: Randomized
| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 1 0 62.50 0.53 0.0%
| 3 0 62.80 0.42 0.0%
|_65389 0 62.30 0.48 0.0%
TRACEROUTE (using port 113/tcp)
HOP RTT ADDRESS
1 0.00 ms 192.168.2.3
2 0.00 ms 10.0.0.7
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds
Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)
It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?
07-16-2010 11:18 AM
Hello,
You can do it in two steps:
Step 1: As long as it is in the same IP subnet, ping the IP address. Then,
check the ARP cache
Step 2: Now on the switch, issue "show mac address-table | include "
That will give you the exact port where the IP is connected to.
Hope this helps.
Regards,
NT
07-16-2010 11:40 AM
Hi,
As suggested by NT, first ping from the local switch and then issue the command show mac-address to find the IP address associated with the MAC and the port the MAC was learned on.
Hope to Help !!
Ganesh.H
07-16-2010 09:55 PM
Help me out with this.
192.168.2.3 is my internal router. When I ping two devices: 10.4.4.30 and the unknown device 10.0.0.7 I get replies. When I do a 'show arp', I fail to get a MAC for the 10.0.0.7 address, though I do get one for the 10.4.4.30 address.
L1-router2# sh arp | include 10.4.4.30
Internet 10.4.4.30 1 0019.b973.b5c9 ARPA Vlan4
L1-router2# sh arp | include 10.0.0.7
L1-router2#
07-16-2010 11:49 PM
MAC address of "0019.b973.b5c9" is a Dell client.
07-17-2010 01:45 AM
Try pinging from the switch where you think it is connected and then try show arp or show mac-address.
Hope to Help !!
Ganesh.H
07-17-2010 06:10 PM
I relocated this to the correct response.
In addition, the 10.4.4.30 address was just to verify that ARP was working on the switch. The 10.0.0.7 address is the IP I am trying to discover.
07-17-2010 05:29 AM
The output from NMAP indicates that the device is 2 hops away. In this case there would not be an ARP entry in the local router (since ARP is for locally connected devices). I would suggest doing a traceroute to the 10.0.0.7 address. Go to the last device that responded, and do the show arp on that device.
HTH
Rick
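The IP-to-MAC-to-port correlation NT describes (ping, check the ARP cache, then look the MAC up in the MAC address table) and Rick's point that ARP only holds directly connected hosts can be scripted once you have captured the two IOS command outputs. The following is an added example written for this thread, not code from any of the posters; the "show arp" and "show mac address-table" text is constructed to resemble IOS formatting and does not come from the poster's network, and the function names and the uplink-port convention are my own assumptions. It also handles the failure modes the thread runs into: no ARP entry at all (device is not on a subnet local to this device, so move to the last hop that answered the traceroute), an ARP entry whose MAC has aged out of the MAC table (ping again and re-check), and a MAC learned on a port-channel or uplink (the device sits behind another switch).

```python
"""Correlate an IP to a switch port from Cisco IOS "show arp" and
"show mac address-table" output: IP -> MAC -> (VLAN, port).

Added example for this thread, not code from the original posts. The
sample outputs below are constructed and not from the poster's network.
"""
import re

# Constructed sample: "show arp" on an L3 switch with SVIs Vlan2 and Vlan4.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.4.4.1                -   0019.2f11.aa01  ARPA   Vlan4
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
Internet  10.4.4.31             210   0019.b973.b5ca  ARPA   Vlan4
Internet  192.168.2.3             -   0019.2f11.aa02  ARPA   Vlan2
Internet  192.168.2.9             0   0011.2233.4455  ARPA   Vlan2
"""

# Constructed sample: "show mac address-table" on the same switch.
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    0019.b973.b5c9    DYNAMIC     Gi1/0/12
   2    0011.2233.4455    DYNAMIC     Po1
   2    0019.2f11.aa02    STATIC      CPU
Total Mac Addresses for this criterion: 3
"""

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC_RE + r"\s+ARPA\s+(\S+)", re.I)
MAC_LINE = re.compile(r"^\s*(\d+)\s+" + MAC_RE + r"\s+(\S+)\s+(\S+)", re.I)


def parse_arp(text):
    """Map IP -> (mac, age, interface). An age of '-' is the switch's own address."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            table[ip] = (mac.lower(), age, iface)
    return table


def parse_mac_table(text):
    """Map (vlan, mac) -> port from the MAC address table."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[(vlan, mac.lower())] = port
    return table


def locate(ip, arp_text, mac_text, uplinks=()):
    """Return a dict describing where `ip` sits relative to this switch.

    `uplinks` is an assumed, operator-supplied set of ports that lead to
    other switches; port-channels (Po*) are always treated as uplinks.
    """
    arp = parse_arp(arp_text)
    macs = parse_mac_table(mac_text)
    entry = arp.get(ip)
    if entry is None:
        # ARP covers directly connected subnets only (Rick's point): move to
        # the last hop that answered a traceroute and repeat there.
        return {"ip": ip, "status": "no_arp_entry",
                "next_step": "traceroute; run show arp on the last responding hop"}
    mac, age, iface = entry
    if age == "-":
        return {"ip": ip, "mac": mac, "status": "local_address", "interface": iface}
    vlan = iface[len("Vlan"):] if iface.lower().startswith("vlan") else None
    port = macs.get((vlan, mac)) if vlan else None
    if port is None:
        # MAC aging (default 300 s) is shorter than ARP aging, so the ARP
        # entry can outlive the MAC entry: ping to refresh and re-check.
        return {"ip": ip, "mac": mac, "vlan": vlan, "status": "no_mac_entry",
                "next_step": "ping the host, then re-run show mac address-table"}
    result = {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "status": "located"}
    if port.startswith("Po") or port in uplinks:
        result["status"] = "behind_uplink"
        result["next_step"] = "repeat on the neighbour switch reached via " + port
    return result


if __name__ == "__main__":
    for ip in ("10.4.4.30", "10.4.4.31", "192.168.2.9", "10.0.0.7"):
        print(locate(ip, SHOW_ARP, SHOW_MAC))
```

In practice you would paste the live output of both commands from the switch in place of the constructed samples; on a Cisco IOS L3 switch the ARP interface column gives the SVI (Vlan4), and the VLAN number is the key you need alongside the MAC in the MAC address table.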
07-17-2010 07:27 PM
Re: Tracking down an unknown IP
Thanks for all the help thus far. Here is the situation....
The trace route (tracert) from my workstation (10.9.9.50/24) to 10.0.0.7 shows this...
"Tracing route to 10.0.0.7 over a maximum of 30 hops
1 3 ms 4 ms 4 ms 192.168.2.3
2 1 ms <1 ms <1 ms 10.0.0.7
Trace complete."
Trace ip 10.0.0.7 from my internal router (192.168.2.3) maxes out:
"L1-router2#trace ip 10.0.0.7
Type escape sequence to abort.
Tracing the route to 10.0.0.7
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
29 * * *
30 * * *"
So 10.0.0.7, the "rogue" device I am trying to locate appears to be connected to 192.168.2.3 (VLANs used) based on the results of my trace route. Why doesn't the MAC show up in the mac-address table of 192.168.2.3 or the IP/MAC in the ARP table?
07-20-2010 08:33 AM
So I verified that the tracert:
Tracing route to 10.0.0.7 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.3
2 1 ms <1 ms <1 ms 10.0.0.7
Trace complete.
10.0.0.7 is the device in question, but its IP is not in the ARP table of the router.
L1-router2#sh arp | include 10.0.0.7
L1-router2#
Any reasons why this might be?