Date: Tue, 28 Sep 2004 14:51:49 +1000
From: russell <russm-freebsd-questions@slofith.org>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@freebsd.org>
Subject: Re: IP address conflicts
Message-ID: <1B8BF170-110A-11D9-B224-000A95DA456C@slofith.org>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNGEGCEPAA.tedm@toybox.placo.com>
References: <LOBBIFDAGNMAMLGJJCKNGEGCEPAA.tedm@toybox.placo.com>
On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:

>> or use a tool like arpwatch that is specifically designed to let you
>> know when MAC/IP relationships change on your network.
>
> You don't even need to do that - any router on the network is going to
> log the MAC address because they will see the arp change, as will the
> other servers.

yeah, of course they'll see the change. but what will they do about it?
update their internal ARP table and that's about it, unless they're
smart enough (and correctly configured) to do more. arpwatch is simple
to install and will notify you straight away when things happen that
might need your attention.

>> you log the MAC addresses of all the fixed workstations in the school,
>> then when one of them starts doing the wrong thing you know *exactly*
>> where to go to nab the culprit.
>
> How, exactly? Do you think that he has a list of all MAC addresses on
> the network and who is using them?

the educational institutions I've worked in tend to be pretty anal about
having a database of what computers they own and where they're located -
something to do with stopping people from walking off with their assets.
if your vendor is good they'll provide the machine MAC address along
with the serial number and amount of installed RAM. if not then there's
some walking to do. spend half a day and document the fixed machines on
the network.

> Getting the MAC address is not the problem. Finding it on what is
> essentially a completely flat network is. You need managed switches
> for this so you can see what port the offending MAC address is on.

now you're assuming that there's documentation as to what ports come out
at what wall points, and that there's not still a lab full of dead-ass
old machines sitting on 10Base2.

>> If it's not one of the fixed
>> workstations then you've got a bit more work to find the kiddie, but
>> it's nothing insurmountable.
>
> Unless of course the kiddies are using made up MAC addresses like
> BADBEEF, DEADBEEF, CO1DCOED, and such.

I'm assuming here, having worked in uni computer labs and seen this sort
of crud being done, that what's happening is someone is changing the
network settings on a PC... I don't recall seeing a text field next to
the "enter your IP address" box that says "enter your MAC address"...
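
Added example, not part of the original message and not arpwatch's own code: a small Python sketch of the workflow the message describes, tracking IP-to-MAC bindings, reporting when one changes or flips back, and looking the new MAC up in an inventory of fixed workstations. The inventory, the sightings, all addresses and the function names are constructed for illustration.

```python
# Constructed inventory of fixed workstations: MAC -> location (hypothetical).
INVENTORY = {
    "00:0a:95:11:22:33": "Lab A, seat 4",
    "00:0a:95:44:55:66": "Library, desk 2",
}

# Constructed ARP sightings (unix time, IP, MAC), e.g. from polling `arp -an`.
SIGHTINGS = [
    (1000, "10.0.0.1", "00:0a:95:aa:bb:cc"),   # the router
    (1010, "10.0.0.20", "00:0a:95:11:22:33"),
    (1020, "10.0.0.1", "00:0a:95:44:55:66"),   # library PC takes the router's IP
    (1030, "10.0.0.1", "00:0a:95:aa:bb:cc"),   # router answers again
    (1040, "10.0.0.20", "DE:AD:BE:EF:00:01"),  # made-up address
]


def locally_administered(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def locate(mac):
    if mac in INVENTORY:
        return INVENTORY[mac]
    # Unknown MAC: note when it cannot be a vendor-assigned address.
    return "not in inventory" + (", locally administered" if locally_administered(mac) else "")


def watch(sightings):
    """Return (time, kind, ip, old_mac, new_mac, location) per binding change."""
    current, previous, events = {}, {}, []
    for when, ip, mac in sightings:
        mac = mac.lower()
        old = current.get(ip)
        if old == mac:
            continue                      # binding unchanged, nothing to report
        if old is None:
            kind = "new"
        elif previous.get(ip) == mac:
            kind = "flip-flop"            # IP went back to the MAC it had before
        else:
            kind = "changed"
        events.append((when, kind, ip, old, mac, locate(mac)))
        previous[ip], current[ip] = old, mac
    return events


if __name__ == "__main__":
    for event in watch(SIGHTINGS):
        print(event)
```

A conflict with a live host shows up as a "changed" event followed by a "flip-flop" on the same IP, and the location column is only as good as the inventory behind it.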