3

In our office we have many PCs; all of them have static IP addresses.
We had a problem with one server with IP 192.168.1.10 dropping off the network occasionally. I unplugged the network cable from the server and pinged 192.168.1.10 from another host, and there was a response.

I searched all PCs to see if any had that IP, but I didn't find one. I changed the server IP to fix the problem, but I still find this rogue device using 192.168.1.10 on the network -- how can I figure out what it is?
Could it be the IP of a virtual machine on someone's PC?

voretaq7
ahmedsafan86

4 Answers

4

A virtual machine's IP would be a possibility.

If you try to find this device, you could start by determining its MAC address (on Linux by running 'arp' and looking for the bad IP).

Next, if you have managed (layer 2) switches in your network you can ask them to tell you which port has this MAC address associated. Then you can either walk to the port and follow the cable or disable the port and wait until someone angry walks up to you. ;)

Theuni
  • Thanks for your reply. The main switch is a Cisco switch; I'll try your solution and report back with the result. – ahmedsafan86 Dec 09 '12 at 00:08
  • To add to that, once you've found the MAC address you can run it through [MAC_Find](http://www.coffer.com/mac_find/) to find the vendor that it belongs to. It may give you an idea of what and where to look. e.g. if it returns Apple, it could be a Macbook. – Hengjie Dec 09 '12 at 02:43
  • Or just find any other IP addresses with the same MAC address or trace the wire from the port that MAC address is mapped to. – David Schwartz Dec 09 '12 at 06:42
  • I used Wireshark; the MAC address is 64:68:0c:99:51:f4. The problem is that I disabled the network interface on this network, 192.168.1.0; the working interface is on another network, 192.168.2.0. I ping 192.168.1.10 and it replies!! I used Angry IP Scanner to see what ports are open on that IP range [1-70000]; the result is one open port, 1723. – ahmedsafan86 Dec 09 '12 at 12:35
  • Sorry, it's really hard to follow what you're talking about when you sprinkle IP addresses in the middle of your sentence. I don't understand you. :( – Theuni Dec 09 '12 at 13:01
  • Our server is on network 192.168.1.0/24; it's not supposed to be connected to the internet, only to the internal work network. The internet network is 192.168.2.0/24. When you are connected to either of these networks you can ping 192.168.1.10. This is really hard to understand. The manufacturer of its MAC address is the same as the manufacturer of the internet router. I think that one of our IT employees is accessing our cameras remotely. – ahmedsafan86 Dec 09 '12 at 20:48
  • Yes, it's from the router; however, the router IP is 192.168.2.1 but the unknown device IP is 192.1.10. And when I turned the router off, it stopped responding to ping. I think it is related to VPN, as it has port 1723 open, and that was mentioned in this article: http://kb.netgear.com/app/answers/detail/a_id/966/~/troubleshooting-vpn-passthrough-for-home-routers – ahmedsafan86 Dec 09 '12 at 21:08
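
The steps from the answer and comments above (IP to MAC, MAC to switch port, other IPs sharing the MAC or its vendor prefix), as an added example that is not part of the original answers. The `ip neigh` and Cisco MAC-table text is constructed sample data; only the MAC for 192.168.1.10 comes from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample data; only the MAC for 192.168.1.10 comes from the thread.
ARP_TEXT = """\
192.168.1.10 dev eth0 lladdr 64:68:0c:99:51:f4 REACHABLE
192.168.2.1 dev eth1 lladdr 64:68:0c:99:51:f5 STALE
192.168.1.25 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.30 dev eth0  FAILED
"""
SWITCH_TEXT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    6468.0c99.51f4    DYNAMIC     Gi0/12
   1    0011.2233.4455    DYNAMIC     Gi0/3
"""

def norm_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_neigh(text):
    """Map IP -> normalized MAC from `ip neigh` lines; unresolved entries are skipped."""
    found = re.findall(r"^(\S+) .*\blladdr (\S+)", text, re.M)
    return {ip: norm_mac(mac) for ip, mac in found}

def parse_switch(text):
    """Map normalized MAC -> port from `show mac address-table` style rows."""
    row = r"^[ \t]*\d+[ \t]+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})[ \t]+\S+[ \t]+(\S+)"
    return {norm_mac(mac): port for mac, port in re.findall(row, text, re.M | re.I)}

def trace(ip, arp_text=ARP_TEXT, switch_text=SWITCH_TEXT):
    """Return the MAC, vendor prefix (OUI), switch port and related IPs for one address."""
    neigh = parse_neigh(arp_text)
    mac = neigh[ip]  # KeyError means the host has no resolved ARP entry for this IP
    return {
        "mac": mac,
        "oui": mac[:6],
        "port": parse_switch(switch_text).get(mac),  # None if the switch has not learned it
        "same_mac": sorted(o for o, m in neigh.items() if o != ip and m == mac),
        "same_oui": sorted(o for o, m in neigh.items() if o != ip and m[:6] == mac[:6]),
    }

if __name__ == "__main__":
    print(trace("192.168.1.10"))
```

Normalizing the MAC first matters because the host shows it colon-separated while the switch prints it in dotted groups of four, so a plain text search for one form never matches the other.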
4

Install NMap (Linux or Windows) and run:

nmap -vv -O 192.168.0.10

(-vv = Very Verbose, -O = Detect Operating System)

This should give you a good idea of what kind of device it is, its MAC address, open ports, etc.

Mark Unwin
0

Your problem was an IP conflict between the server and the other machine. To identify the PC that has the IP, open a command prompt and type nbtstat -A. This will provide you with the NetBIOS name of this machine.

BluesRhythm
  • You're assuming that this is a pure Windows Netbios-based network? – Theuni Dec 08 '12 at 23:59
  • All devices have a hostname, but this IP returns nothing. I used this command previously, from http://serverfault.com/questions/88064/how-to-determine-the-hostname-from-an-ip-address-in-a-windows-network – ahmedsafan86 Dec 09 '12 at 00:06
  • On a Cisco switch, try typing show mac-address-table; it can also be sh mac address-table. Better is to type sh mac? ... and go from there. – BluesRhythm Dec 09 '12 at 00:17
0

If you look in the event log on the server, you should see a logged event for the IP conflict. That log entry will tell you the MAC of the offending device.

Once you have the MAC, you can either apply MAC filtering to knock it off your network or use DHCP reservations to give it some IP other than the one your server uses. Not sure if you were wanting to return the .10 IP to your server or if you don't care that you had to change it.

user72593