Cisco Support Community
New Member

Tracking down an unknown IP

Can someone help me figure out how to track down this rogue device on the network? I noticed it in my Kiwi Syslog server. It shows a hostname of 10.0.0.7. I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-07-15 09:02 Eastern Daylight Time

NSE: Loaded 117 scripts for scanning.

Initiating Ping Scan at 09:02

Scanning 10.0.0.7 [7 ports]

Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:02

Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed

Initiating SYN Stealth Scan at 09:02

Scanning 10.0.0.7 [1000 ports]

Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)

Initiating UDP Scan at 09:02

Scanning 10.0.0.7 [1000 ports]

Discovered open port 123/udp on 10.0.0.7

Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)

Initiating Service scan at 09:02

Scanning 1000 services on 10.0.0.7

Service scan Timing: About 0.40% done

Discovered open port 161/udp on 10.0.0.7

Discovered open|filtered port 161/udp on 10.0.0.7 is actually open

Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)

Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)

Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)

Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)

Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)

Initiating OS detection (try #1) against 10.0.0.7

Initiating Traceroute at 09:46

Completed Traceroute at 09:46, 0.03s elapsed

Initiating Parallel DNS resolution of 2 hosts. at 09:46

Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed

NSE: Script scanning 10.0.0.7.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 09:46

NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)

NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)

NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)

Completed NSE at 10:21, 2078.55s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 10:21

Completed NSE at 10:21, 5.02s elapsed

NSE: Script Scanning completed.

Nmap scan report for 10.0.0.7

Host is up (0.00s latency).

Not shown: 1000 closed ports, 998 open|filtered ports

PORT    STATE SERVICE VERSION

123/udp open  ntp     NTP v4

| ntp-info: 

|   receive time stamp: 07/15/10 09:46:36

|   system: cisco

|  leap: 0

|   stratum: 2

|   rootdelay: 25.53

|   rootdispersion: 6.96

|   peer: 511

|   refid: 156.34.21.3

|   reftime: 0xCFE98F9B.EF8BC22B

|   poll: 6

|   clock: 0xCFE98FB1.E0211428

|   phase: -0.462

|   freq: -176.82

|_  error: 0.75

161/udp open  snmp    Cisco SNMP service

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: switch|WAP

Running: Cisco IOS 12.X

OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)

Network Distance: 2 hops

Host script results:

|_ipidseq: Randomized

| qscan: 

| PORT   FAMILY  MEAN (ms)  STDDEV  LOSS (%) 

| 1      0       62.50      0.53    0.0%     

| 3      0       62.80      0.42    0.0%     

|_65389  0       62.30      0.48    0.0%     

TRACEROUTE (using port 113/tcp)

HOP RTT     ADDRESS

1   0.00 ms 192.168.2.3

2   0.00 ms 10.0.0.7

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds

           Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)

It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include 10.0.0.7", I don't get anything. How can I track this down to a port?

9 REPLIES
Cisco Employee

Re: Tracking down an unknown IP

Hello,

You can do it in two steps:

Step 1: As long as it is in the same IP subnet, ping the IP address. Then, check the ARP cache.

Step 2: Now on the switch, issue "show mac address-table | include "

That will give you the exact port where the IP is connected to.

Hope this helps.

Regards,

NT
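A small helper, added here as an example and not code from the thread, that applies NT's two steps (ARP gives the MAC, the MAC table gives the port) to saved CLI output and reports the case where the IP has no ARP entry on that device, which Rick explains further down as the host not being on a directly connected subnet. The sample `show arp` and `show mac address-table` text is constructed in the IOS format, apart from the 10.4.4.30 line taken from the thread.

```python
import re

# Constructed "show arp" output; the 10.4.4.30 line is the one from the thread
# and 10.0.0.7 is deliberately absent, as in the original poster's router.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
Internet  10.4.4.1                -   0011.2233.4455  ARPA   Vlan4
"""

# Constructed "show mac address-table" output (IOS layout, sample values).
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    0019.b973.b5c9    DYNAMIC     Fa0/12
   4    0011.2233.4455    STATIC      CPU
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(" + MAC + r")\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+(\w+)\s+(\S+)", re.M)

def parse_arp(text):
    """Map IP -> (MAC, interface) from 'show arp' output."""
    return {ip: (mac, iface) for ip, mac, iface in ARP_RE.findall(text)}

def parse_mac_table(text):
    """Map MAC -> (VLAN, port) from 'show mac address-table' output."""
    return {mac: (int(vlan), port) for vlan, mac, _type, port in MAC_RE.findall(text)}

def locate(ip, arp_text, mac_text):
    """Step 1: ARP gives the MAC; step 2: the MAC table gives the port.
    Returns (status, detail) so the caller can tell 'found' from 'not local'."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        # No ARP entry means this device does not see the host on a connected
        # subnet: traceroute and repeat on the last hop that responds.
        return ("not-local", f"no ARP entry for {ip} on this device")
    mac, iface = arp[ip]
    entry = parse_mac_table(mac_text).get(mac)
    if entry is None:
        return ("mac-unknown", f"{mac} is in ARP via {iface} but not in the MAC table")
    vlan, port = entry
    return ("found", f"{ip} is {mac} on VLAN {vlan}, port {port}")
```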

Re: Tracking down an unknown IP


Hi,

As suggested by NT, first ping from the local switch and then issue the command show mac-address to find the IP address associated with the MAC and the port the MAC was learned from.

Hope to Help !!

Ganesh.H

New Member

Re: Tracking down an unknown IP

Help me out with this.

192.168.2.3 is my internal router. When I ping two devices, 10.4.4.30 and the unknown device 10.0.0.7, I get replies. When I do a 'show arp', I fail to get a MAC for the 10.0.0.7 address, though I do get one for the 10.4.4.30 address.


L1-router2# sh arp | include 10.4.4.30
Internet  10.4.4.30               1   0019.b973.b5c9  ARPA   Vlan4
L1-router2# sh arp | include 10.0.0.7
L1-router2#

Hall of Fame Super Gold

Re: Tracking down an unknown IP

MAC address of "0019.b973.b5c9" is a Dell client.

Re: Tracking down an unknown IP


Try pinging from the switch where you think it is connected and then try show arp or show mac-address.

Hope to Help !!

Ganesh.H

New Member

Re: Tracking down an unknown IP

I relocated this to the correct response.

In addition, the 10.4.4.30 address was just to verify that ARP was working on the switch. The 10.0.0.7 address is the IP I am trying to discover.

Hall of Fame Super Silver

Re: Tracking down an unknown IP

The output from NMAP indicates that the device is 2 hops away. In this case there would not be an ARP entry in the local router (since ARP is for locally connected devices). I would suggest doing a traceroute to the 10.0.0.7 address. Go to the last device that responded, and do the show arp on that device.

HTH

Rick

New Member

Re: Tracking down an unknown IP

Thanks for all the help thus far. Here is the situation....

The trace route (tracert) from my workstation (10.9.9.50/24) to 10.0.0.7 shows this...

"Tracing route to 10.0.0.7 over a maximum of 30 hops

  1     3 ms     4 ms     4 ms  192.168.2.3
  2     1 ms    <1 ms    <1 ms  10.0.0.7

Trace complete."

Trace ip 10.0.0.7 from my internal router (192.168.2.3) maxes out:

"L1-router2#trace ip 10.0.0.7

Type escape sequence to abort.
Tracing the route to 10.0.0.7

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *

 29  *  *  *
 30  *  *  *"

So 10.0.0.7, the "rogue" device I am trying to locate, appears to be connected to 192.168.2.3 (VLANs used) based on the results of my trace route. Why doesn't the MAC show up in the mac-address table of 192.168.2.3, or the IP/MAC in the ARP table?

New Member

Re: Tracking down an unknown IP

So I verified that the tracert:

Tracing route to 10.0.0.7 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.3
  2     1 ms    <1 ms    <1 ms  10.0.0.7

Trace complete.

10.0.0.7 is the device in question, but its IP is not in the ARP table of the router.


L1-router2#sh arp | include 10.0.0.7
L1-router2#

Any reasons why this might be?
