----- Original Message -----
Sent: Thursday, July 24, 2003 8:33 PM
Subject: Re: [smartBridges] OFF TOPIC: Spoofed IP??

What we do is put a hub in between the AP and the router/switch.
Then plug a network line into the hub to one of our computers and open the
sniffer. We use the Colasoft sniffer and it works great. It will
sort by IP address and it is laid out really nice. Just wait for that
IP to send some info that will identify them and there you go.
--
Jeff
> One thing you could do if you provide email, is to check the IP addy
> against email addresses in your logs of your mail server.
> George
> ----- Original Message -----
> From: "The Wirefree Network" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 24, 2003 12:29 PM
> Subject: [smartBridges] OFF TOPIC: Spoofed IP??
>
>
>> Here's a weird one.
>>
>> Using smartbridges equipment, is there any way I can find out which one
>> of my users changed their IP address??
>>
>> When I do an arp listing in my router, I noticed that the IP/MAC pairing
>> was incorrect. So...I called up the client who should have that IP and
>> their computer was off. When they turned it on and went to IE, my
>> router prompted me with "IP address 172.16.x.x changed MAC addresses".
>> And then the arp listing showed the correct MAC for that IP.
>>
>> He then turned off his computer and a little while later...I was again
>> prompted with the "IP address 172.16.x.x changed MAC addresses". I
>> wrote down the MAC address, but that really does me no good.
>>
>> I was hoping that a traceroute would show me which wireless devices he
>> was hopping out of...but no dice.
>>
>> I looked in the associated client listing in the aPPo, but it does not
>> show that IP whenever I am looking.
>>
>> I tried using sniffer software...but I can't pick up any traffic on the
>> LAN side of my router, being that it is also a switch. I need to find a
>> way to make my port (promiscuous) or act like a hub...so I can sniff
>> traffic on the whole network.
>>
>> I also thought about having the valid client use a different IP for
>> now...and then block that IP at the LAN interface. Then...just sit back
>> and wait for that client to call me (with an outage).
>>
>> Anyway...my question is....how can I find out who is using this IP??
>>
>> Sully
>>
>> The PART-15.ORG smartBridges Discussion List
>> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges)
>> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
>> Archives: http://archives.part-15.org
>>
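
Added example, not part of the original thread: once ARP frames are visible at a hub or similar tap as described above, a short Python script can rebuild the IP-to-MAC history that the router's "changed MAC addresses" prompt only hints at, with the time of each flip. The function names, MAC/IP addresses and timestamps are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (sender_mac, sender_ip) from a raw Ethernet II ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    return frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_conflicts(frames):
    """frames: iterable of (timestamp, raw_frame).
    Returns {ip: [(timestamp, old_mac, new_mac), ...]} for every binding change."""
    current, changes = {}, defaultdict(list)
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if ip == "0.0.0.0":          # ARP probe: sender has no address yet
            continue
        old = current.get(ip)
        if old is not None and old != mac:
            changes[ip].append((ts, old, mac))
        current[ip] = mac
    return dict(changes)

def make_arp(src_mac, src_ip, dst_ip, oper=1):
    """Build a broadcast ARP frame (helper for the constructed sample only)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac
    arp += bytes(map(int, src_ip.split("."))) + b"\x00" * 6
    return eth + arp + bytes(map(int, dst_ip.split(".")))

# Constructed sample capture: (seconds since start, frame). Not real traffic.
SAMPLE = [
    (100,  make_arp("02:00:00:00:00:0a", "172.16.0.50", "172.16.0.1")),  # valid client
    (160,  make_arp("02:00:00:00:00:0b", "172.16.0.51", "172.16.0.1")),  # unrelated host
    (900,  make_arp("02:00:00:00:00:0c", "172.16.0.50", "172.16.0.1")),  # second MAC claims IP
    (1500, make_arp("02:00:00:00:00:0a", "172.16.0.50", "172.16.0.1")),  # valid client returns
]

if __name__ == "__main__":
    for ip, events in find_conflicts(SAMPLE).items():
        for ts, old, new in events:
            print(f"t={ts}s  {ip} moved from {old} to {new}")
```

The MAC that takes over the address while the valid client is switched off is the one to look up in the access point's associated-client list.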