Rogue device on work network



jwil1
25-03-2010, 08:53 PM
Hi guys

I rebooted a server today, and when it came up I got an 'IP Address duplicate' error on it and it wouldn't connect to the network (had IP X.X.X.70). I changed the IP to .71 to enable network access to/from it. The IP .70 is outside the DHCP scope.

I can ping .70, but can't telnet, ssh, or anything else to it, including through Windows' file sharing (\\hostname). I have its IP (obviously) and MAC address, from my ARP cache. That's all unfortunately :(

It's not in DHCP, which leads me to think someone deliberately set this IP, and it's not in DNS either.

Three things:
- How can I find out more info about it?
- Can I find out what kind of device it is, and thus access it?
- Is there a way to find its hostname (if it's a Windows PC - so I can see if it's a legit device)?

Help? :)

Jen
25-03-2010, 09:09 PM
You could block the MAC address and then see who complains.

wainuitech
25-03-2010, 09:30 PM
Re the last point: you can try IPScanner (http://www.eusing.com/ipscan/free_ip_scanner.htm). You set it to the IP range you are using, and it should give you the IP address / host name / MAC address. Example: part of my LAN (http://www.imagef1.net.nz/files/IPScanner1269505906.jpg)

somebody
25-03-2010, 09:37 PM
What sort of switch do you have? I think some of the fancier ones will tell you which physical port has which IP address and/or MAC address active on it.

johnd
25-03-2010, 09:52 PM
Or try using Wireshark (http://www.wireshark.org/) to try and see what this IP number is doing on the LAN.

CYaBro
25-03-2010, 10:07 PM
Have you tried putting the IP into a browser and seeing if it has a web config or similar?
Perhaps someone has connected a wireless access point or printer?
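
An added example, not part of the thread: the original post has only an IP and a MAC address from the ARP cache, so this Python sketch parses Windows `arp -a` output, pulls out the OUI (the first three octets, which can be looked up in the IEEE registry to get the NIC vendor), checks whether the MAC is locally administered, and lists any MAC that also answers for another IP. The sample output, the 192.0.2.x addresses, the MAC values and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output; every address and MAC is made up
# (192.0.2.0/24 is a documentation range).
SAMPLE_ARP = """\
Interface: 192.0.2.71 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-55     dynamic
  192.0.2.70            02-aa-bb-cc-dd-ee     dynamic
  192.0.2.80            00-11-22-33-44-66     dynamic
  192.0.2.81            00-11-22-33-44-66     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
                 re.I | re.M)

def parse_arp(text):
    """Return [(ip, mac, type)] with MACs normalised to lower-case colon form."""
    return [(ip, mac.lower().replace("-", ":"), kind.lower())
            for ip, mac, kind in ROW.findall(text)]

def describe_mac(mac):
    """Split a MAC into its OUI and the two flag bits of the first octet."""
    first = int(mac[:2], 16)
    return {
        "oui": mac[:8],                              # vendor prefix for a registry lookup
        "locally_administered": bool(first & 0x02),  # set by software, not burned in by a vendor
        "multicast": bool(first & 0x01),             # never valid as a host's own address
    }

def macs_with_multiple_ips(entries):
    """MACs seen against more than one IP; a known IP on the same MAC names the host."""
    seen = defaultdict(set)
    for ip, mac, kind in entries:
        if kind == "dynamic":
            seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

def report(text, target_ip):
    """Describe the ARP entry for target_ip, or None if it is not in the cache."""
    hit = next((e for e in parse_arp(text) if e[0] == target_ip), None)
    return None if hit is None else {"ip": hit[0], "mac": hit[1], **describe_mac(hit[1])}

if __name__ == "__main__":
    print(report(SAMPLE_ARP, "192.0.2.70"))
    print(macs_with_multiple_ips(parse_arp(SAMPLE_ARP)))
```

A locally administered MAC means the OUI will not resolve to a vendor, which is typical of virtual machines and of addresses set by hand.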