From: russell
Date: Tue, 28 Sep 2004 14:51:49 +1000
To: "Ted Mittelstaedt"
cc: bsdfsse
cc: "freebsd-questions@FreeBSD.ORG"
Subject: Re: IP address conflicts
Message-Id: <1B8BF170-110A-11D9-B224-000A95DA456C@slofith.org>

On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:

>> or use a tool like arpwatch that is specifically designed to let you
>> know when MAC/IP relationships change on your network.
>
> You don't even need to do that - any router on the network is going to
> log the MAC address because they will see the arp change, as will the
> other servers.

yeah, of course they'll see the change. but what will they do about it?
update their internal ARP table and that's about it, unless they're
smart enough (and correctly configured) to do more. arpwatch is simple
to install and will notify you straight away when things happen that
might need your attention.

>> you log the MAC addresses of all the fixed workstations in the school,
>> then when one of them starts doing the wrong thing you know *exactly*
>> where to go to nab the culprit.
>
> How, exactly? Do you think that he has a list of all MAC addresses on
> the network and who is using them?

the educational institutions I've worked in tend to be pretty anal about
having a database of what computers they own and where they're located -
something to do with stopping people from walking off with their assets.
if your vendor is good they'll provide the machine MAC address along
with the serial number and amount of installed RAM. if not then there's
some walking to do. spend half a day and document the fixed machines on
the network.

> Getting the MAC address is not the problem. Finding it on what is
> essentially a completely flat network is. You need managed switches for
> this so you can see what port the offending MAC address is on.

now you're assuming that there's documentation as to what ports come out
at what wall points, and that there's not still a lab full of dead-ass
old machines sitting on 10Base2.

>> If it's not one of the fixed
>> workstations then you've got a bit more work to find the kiddie, but
>> it's nothing insurmountable.
>
> Unless of course the kiddies are using made up MAC addresses like
> BADBEEF, DEADBEEF, CO1DCOED, and such.

I'm assuming here, having worked in uni computer labs and seen this sort
of crud being done, that what's happening is someone is changing the
network settings on a PC... I don't recall seeing a text field next to
the "enter your IP address" box that says "enter your MAC address"...
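
The MAC inventory approach discussed in this message, as an added example that is not part of the original e-mail and is not arpwatch's code: it compares two `arp -an` style snapshots and looks up the old and new MAC of any changed IP in a workstation inventory. The addresses (documentation ranges), the interface name `fxp0` and the locations are constructed.

```python
import re

# Constructed inventory (MAC -> location) of fixed machines; values are made up.
INVENTORY = {
    "00:00:5e:00:53:01": "gateway, comms room",
    "00:00:5e:00:53:11": "Lab A, desk 1",
    "00:00:5e:00:53:12": "Lab A, desk 2",
}

# Matches lines such as: ? (192.0.2.1) at 0:0:5e:0:53:1 on fxp0 [ethernet]
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\b")

def normalise(mac):
    """Zero-pad each octet and lowercase, so 0:0:5E:0:53:1 == 00:00:5e:00:53:01."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """Return {ip: mac} from `arp -an` style text; '(incomplete)' entries are skipped."""
    return {m.group(1): normalise(m.group(2)) for m in ARP_LINE.finditer(text)}

def changed_bindings(before, after, inventory):
    """List IPs whose MAC differs between two snapshots, with inventory locations."""
    events = []
    for ip, mac in sorted(after.items()):
        old = before.get(ip)
        if old is not None and old != mac:
            events.append({"ip": ip, "old_mac": old, "new_mac": mac,
                           "was": inventory.get(old, "not in inventory"),
                           "now": inventory.get(mac, "not in inventory")})
    return events

# Constructed snapshots: the gateway's IP moves to the MAC of the desk 2 machine.
BEFORE = """\
? (192.0.2.1) at 00:00:5e:00:53:01 on fxp0 [ethernet]
? (192.0.2.21) at 00:00:5e:00:53:11 on fxp0 [ethernet]
? (192.0.2.22) at 00:00:5e:00:53:12 on fxp0 [ethernet]
"""
AFTER = """\
? (192.0.2.1) at 0:0:5e:0:53:12 on fxp0 [ethernet]
? (192.0.2.21) at 00:00:5e:00:53:11 on fxp0 [ethernet]
? (192.0.2.22) at (incomplete) on fxp0 [ethernet]
"""

if __name__ == "__main__":
    for e in changed_bindings(parse_arp(BEFORE), parse_arp(AFTER), INVENTORY):
        print(f"{e['ip']}: {e['old_mac']} ({e['was']}) -> {e['new_mac']} ({e['now']})")
```

A MAC that is not in the inventory is reported as "not in inventory", which is the case the thread notes needs more legwork or managed switches to locate.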