+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 16
Wireless Networks Thread, Outside computer on our network in Technical; In our DHCP I am repeatedly seeing an unknown computer picking up an ip address from the dhcp. I think ...
  1. #1

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,952
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448

    Outside computer on our network

    In our DHCP I am repeatedly seeing an unknown computer picking up an ip address from the dhcp. I think either one of the staff or students are plugging into an ethernet point. How can track this machine down please?

    We have 3com superstack switches, Windows Server 2003 R2 DHCP server.

    Thanks

  2. #2
    Diello's Avatar
    Join Date
    Jun 2005
    Location
    Kent, England
    Posts
    1,064
    Thank Post
    112
    Thanked 228 Times in 128 Posts
    Rep Power
    74
    See if you can block MAC addresses on your switches - always upsets them

  3. Thanks to Diello from:

    FN-GM (15th February 2008)

  4. #3

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,952
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448
    How would I go about it? Ii am not sure what switch they are using.

  5. #4
    Diello's Avatar
    Join Date
    Jun 2005
    Location
    Kent, England
    Posts
    1,064
    Thank Post
    112
    Thanked 228 Times in 128 Posts
    Rep Power
    74
    Block it on your backbone switches - stops them getting an IP address, DNS, Internet...

  6. #5

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,684
    Thank Post
    516
    Thanked 2,453 Times in 1,899 Posts
    Blog Entries
    24
    Rep Power
    833
    Quote Originally Posted by FN-Greatermanchester View Post
    How would I go about it? Ii am not sure what switch they are using.
    What I'd do is set a reservation for their mac address which provides an unusable IP address.

  7. Thanks to localzuk from:

    FN-GM (15th February 2008)

  8. #6

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,952
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448
    good thinking

  9. #7
    sahmeepee's Avatar
    Join Date
    Oct 2005
    Location
    Greater Manchester
    Posts
    795
    Thank Post
    20
    Thanked 70 Times in 42 Posts
    Rep Power
    34
    If you have 3com network supervisor installed and you can run a scan while the machine is connected, you will be able to see which switch it's connected to and walk over to them. Also, you can take the MAC address from the DHCP list and pop it into this:

    http://coffer.com/mac_find/

    to give you a clue about the manufacturer of the laptop (although sometimes it will be the NIC manufacturer). I have a script which emails me when new DHCP leases are granted, so on the rare occasions when this has happened I've had a fighting chance of catching the perp.

  10. #8

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,952
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448
    Can you send the script please? If you dont mind of course.

    Also is that software free?

    Thanks alot

  11. #9
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,488
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Here's an idea:
    Unplug all your spare Ethernet points from the switches, so the only live ports already have PCs/printers on them. That will force the culprit to have to unplug something in order to get a working connection - that may act as sufficient deterrent in itself, but if it doesn't, just start pinging all your PCs when next you see the rogue one on the network (with a batch script of course!); whichever one doesn't respond is the one which has been unplugged, so go to that room and find out who has plugged their own laptop in (then batter them with the laptop until they agree to stop doing it!).

  12. #10

    Join Date
    Feb 2008
    Location
    Wiltshire
    Posts
    883
    Thank Post
    277
    Thanked 139 Times in 112 Posts
    Blog Entries
    27
    Rep Power
    42
    Quote Originally Posted by NickJones View Post
    Here's an idea:
    Unplug all your spare Ethernet points from the switches, so the only live ports already have PCs/printers on them. That will force the culprit to have to unplug something in order to get a working connection - that may act as sufficient deterrent in itself, but if it doesn't, just start pinging all your PCs when next you see the rogue one on the network (with a batch script of course!); whichever one doesn't respond is the one which has been unplugged, so go to that room and find out who has plugged their own laptop in (then batter them with the laptop until they agree to stop doing it!).
    Do your managed switches support Port Locking & Device Security? Essentially you put each port on the switch in 'Learn' mode which when a device connects locks that particular MAC address to that port and then disable (or at least physically disconnect/unpatch) any un-used ports. Any device then that tries to associate with the switch will disable that particular port. You should be able to monitor which ports are disabled so you can see where these 'security breaches' are coming from.

    HTH

    Pete

  13. #11
    sahmeepee's Avatar
    Join Date
    Oct 2005
    Location
    Greater Manchester
    Posts
    795
    Thank Post
    20
    Thanked 70 Times in 42 Posts
    Rep Power
    34
    Quote Originally Posted by FN-Greatermanchester View Post
    Can you send the script please? If you dont mind of course.

    Also is that software free?

    Thanks alot
    The 3Com Network Supervisor is free, although they do have a pay-for version (never seen that running). The web page for it implies it's not free, but I think you can have it free with any qualifying switch. Linky: 3NS

    The DHCP script is based on one by Chris Pratt, from here:

    http://www.petri.co.il/forums/showthread.php?t=4850

    (mine was the version 2.0 script) It said not to edit it, but I did a fair bit (erk, sorry) so I'm not sure about redistributing it! I used blat.exe to make it send emails. This is the batch file (dhcpcheck.bat) that runs every 10 mins on one of the DHCP servers:

    Code:
    cd /d c:\scripts
    cscript //nologo dhcpchecker-DC1.vbs > %1
    cscript //nologo dhcpchecker-DC2.vbs >> %1
    
    REM This checks if DHCPCheckOutput.txt has anything in it to send:  
    if %~z1 GTR 0 blat %1 -to alertrecipient@yourschool.com -subject "DHCP Alert (New Lease)" -server yoursmtpserver -f alertsender@yourschool.com
    It's run with the command:

    C:\Scripts\dhcpcheck.bat DHCPCheckOutput.txt


    For simplicity at the time I just made two vbs files, dhcpchecker-DC1.vbs and dhcpchecker-DC2.vbs, which poll the logs on different DHCP servers. You will probably want to change all the bits in blue.

    Hope some of that makes sense!

  14. #12

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224
    If you want to go any futher than detection, you need to look at using an NAC solution. I'm using PacketFence for this purpose.

    http://www.packetfence.org/

    If you search the forums there are a fair few threads on it.

  15. #13

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,952
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448
    Thanks for the comments guys!

    So does PacketFence only allowed re-approved devices on a network?

    Thanks

  16. #14

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224
    If you want it to. It's very flexible depending on what you want to achieve.

  17. #15

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,952
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448
    I can find a page that lists the features on the product.

    Is it a DHCP Server? Will it allow traffic from other domains on the network? How does it decide what is good and bad traffic?

    Thanks
    Last edited by FN-GM; 19th February 2008 at 09:07 PM.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 13
    Last Post: 30th June 2009, 04:23 PM
  2. Replies: 2
    Last Post: 15th February 2008, 04:22 PM
  3. terminating CAT5E network cables in network cabinets
    By broc in forum Network and Classroom Management
    Replies: 7
    Last Post: 10th July 2007, 11:54 AM
  4. Copy 2 files to every computer on the network
    By dezt in forum How do you do....it?
    Replies: 7
    Last Post: 5th July 2006, 11:43 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •