mikeyd101 - not done this before, any chance of some brief step-by-step instructions on how you would do this on or in Wireshark?
It's been a while since I've done any packet filtering stuff. Get Wireshark installed and running; I think it's a fairly self-explanatory installer. Start it up and hit capture and go (I think this will capture everything, and it's a good test to make sure you're actually capturing something). Then there is a filter box which I believe you can use with an option like:
to filter only traffic in/out bound to that address. Again, it's worth checking this first using a known IP that you can generate traffic on (i.e. your own laptop, and web browse to somewhere). I'm not sure how IP broadcast / listening works over routers, so you might have to do some more digging. I'll try and find a Wireshark quickstart.
shows basics of using Wireshark.
Also, some network cards work better than others with Wireshark; I think it's to do with if they can work in promiscuous mode.
Good luck, hope you find the device.
Last edited by mikeyd101; 18th June 2013 at 06:34 PM.
mac_shinobi (18th June 2013)
You will want to set up port mirroring on the port you want to monitor. Switches only send traffic to the port it is destined for, unless it is a broadcast. Port mirroring will send a copy of the traffic to the port you specify. This will allow Wireshark to capture it.
After using the switch port mapper that I mentioned above, I have found the device. It's one of our servers; however, that's only half of it. Although it has its own IP and MAC address, it seems to have a phantom IP and MAC address. Has anyone had an issue like this before? I have proved it by doing a ping -t to the IP address and removing the network cable, but the adapter definitely has its proper IP and MAC and a phantom set?
On another note, I have found a graphing tool to go with Wireshark that is being talked about, WildPackets Network Forensics Utility "Compass". It can be downloaded here: Compass Free - CNET Download.com
Last edited by edie209; 19th June 2013 at 02:11 PM.
Is there a VM running on the machine that could have its own IP and MAC?
Is it not iLO?
I know some of our IBMs have "phantom IPs"; this is for connecting to them remotely via console, it's so you can interact with the BIOS and see it reboot etc.
It's not the connection to a UPS, is it?