This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Topology map, GUI or otherwise


I have a rogue computer on our network somewhere that is attempting to send out spoofed packets using an IP that is not even part of our domain. I see it trying to get out at the firewall because the packets are being rejected. We use a 10 network and the packets are from a 192 IP. I'm looking for a way that Wireshark might be able to help me identify which switch the computer doing these dastardly deeds might be located on, so I can narrow down where to look. Does anyone have any suggestions? Thanks!

asked 21 Sep '10, 10:56

kbirecki


One Answer:


That totally depends on the network infrastructure. If it's a pure switched network with no routers (other than the firewall), you can use Wireshark to capture the packets just before the firewall. Look at the source MAC address of the packets and use the MAC address forwarding tables of your switches to work out on which port this system is attached.

When other routers are involved, the steps are basically the same, but you will have to work through the steps for each routing hop (as the MAC address that you see on the firewall is the MAC address of the first router on the way to the rogue system).

answered 21 Sep '10, 11:16

SYN-bit ♦♦

Thanks for the suggestions. I'm pretty confident it is in one particular office because I only see the denied traffic on one firewall, so I'll see if I can find the MAC address from the firewall or a capture from wireshark. This was very helpful, and a quick response! Thanks!

(21 Sep '10, 11:21) kbirecki

I agree with SYN-bit and would add that a lot of firewalls today allow you to do captures directly on them. You might try that first as it will be less disruptive to production traffic.

(06 Oct '10, 06:47) blacknight
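As an added illustration of the method in the answer above (example code written for this page, not from the thread or the Wireshark project): read captured Ethernet frames, tally the source MAC of every IPv4 packet whose source address lies outside 10.0.0.0/8, then look those MACs up in a switch forwarding table to get the port. The frames, the table listing (modelled on a typical `show mac address-table` layout) and the 10/8 range are constructed assumptions; a MAC missing from the table is reported as `None`, which on a routed path is what you see when the MAC belongs to the next-hop router rather than the rogue host.

```python
import struct
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")  # the site's own address space, per the question

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ethertype=b"\x08\x00"):
    """Constructed test data: bare Ethernet II + IPv4 header, no payload, zero checksum."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + ethertype + ip4

def spoofed_sources(frames):
    """Map source MAC -> set of source IPs, for IPv4 frames whose source IP is outside INTERNAL."""
    seen = {}
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue  # not plain IPv4 (ARP, VLAN-tagged, truncated): ignore
        src_mac = ":".join(f"{b:02x}" for b in f[6:12])
        src_ip = ip_address(f[26:30])  # 14-byte Ethernet header + offset 12 of the IPv4 header
        if src_ip not in INTERNAL:
            seen.setdefault(src_mac, set()).add(str(src_ip))
    return seen

def normalize_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco-style aabb.ccdd.eeff; return colon form."""
    h = text.lower().replace(":", "").replace("-", "").replace(".", "")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(listing):
    """Parse 'VLAN MAC TYPE PORT' rows (assumed switch CLI layout) into {mac: port}; skips headers."""
    table = {}
    for parts in (line.split() for line in listing.splitlines()):
        if len(parts) >= 4 and parts[0].isdigit():
            table[normalize_mac(parts[1])] = parts[3]
    return table

def locate_rogue(frames, listing):
    """Rogue MAC -> (switch port, or None if absent from this table, sorted source IPs)."""
    table = parse_mac_table(listing)
    return {m: (table.get(m), sorted(ips)) for m, ips in spoofed_sources(frames).items()}
# Constructed sample: two hosts on 10/8; the first also sends with a 192.168 source address.
FRAMES = [
    build_frame("00:11:22:33:44:55", "00:de:ad:be:ef:01", "10.1.2.3", "8.8.8.8"),
    build_frame("00:11:22:33:44:55", "00:de:ad:be:ef:01", "192.168.1.50", "8.8.8.8"),
    build_frame("aa:bb:cc:00:00:01", "00:de:ad:be:ef:01", "10.1.2.9", "10.1.2.1"),
    build_frame("aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", "10.1.2.9", "10.1.2.1", b"\x08\x06"),
]
MAC_TABLE = """Vlan    Mac Address       Type        Ports
10      0011.2233.4455    DYNAMIC     Gi1/0/7
10      aabb.cc00.0001    DYNAMIC     Gi1/0/12"""
```

On a real capture the same MAC/IP tally can be produced with `tshark -r capture.pcap -Y "!(ip.src == 10.0.0.0/8)" -T fields -e eth.src -e ip.src`, then fed to the table lookup.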