ARP Question

Printable View

14th February 2011, 04:25 PM
basicchannel

ARP Question

Hi All,
This may be a completely stupid question, or it should perhaps go under 'Learning Network Manager' (i'll be happy to accept either or both).
We have a rogue IP address on the network and i've been using the ARP command on our gateway server to try and find the perpetrator. The problem is this person hasn't been online all day it seems, and I just have to make educated guesses at the best time to do a search (break times etc). Is there any way you can loop ARP requests so I can just leave it running all day and take action when it finds it?

Thanks for any suggestions
14th February 2011, 05:05 PM
mac_shinobi

What are you trying to achieve from doing this exactly ?

ie

1. You want to see when said user is connected so you can have some proof that they are using the school network when they are not allowed

2. You are trying to stop them from doing this ie using either or both the dns / dhcp console to establish that they are using the network as they have been assigned a dhcp address ( possibly using the dhcp reservation section to ensure that said persons network cards are getting assigned bogus ip address info ie wrong gateway ip addresses or other wrong ip address info ) so that when they try and connect using a web browser it just gives them an error page

3. If you wanted to continue using the ARP command you could possibly make a batch script ( or script of some description ) that runs on the said server using the scheduler to run said script every so many seconds ie every 10 seconds or so and only to prompt you when it is succesfull along with any info you wanted ??
14th February 2011, 09:04 PM
m25man

What gateway router are you using?
I have seen persistent IP address issues arise when a NAT capable router is used in a No NAT config.
The routers unused internal ip tables can get learnt by the LAN Devices.
This is a limitation of some ISP routers.

Failing that, if the bogus client is appearing in your dhcp table use a reservation to dead end the device by setting the gateway and dns back to itself This normally does the trick.

^^ As Mac said....
15th February 2011, 08:27 AM
powdarrmonkey

Or tcpdump, the hardcore packet sniffer.