Network Stranger: Who is this IP!?

I run a small Novell/MS network here at work and ran into a small problem. There is one IP address out there that I simply can’t identify who it belongs to. I run LanGuard to get network info via SNMP, all it tells me is that he is on the same network, no other info comes back. My question is: how can I identify this machine? I know it must be a PC or MAC as I see internet requests on my firewall report from that address. I tried setting up another machine with the same address in the hopes that I would get a call for support, no luck. I’m sure there is an easier way to approach this, can anyone point me in the right direction? Many thanks in advance!

Do you have someone at work who brings their laptop from home and connects to your network? If the laptop has a fixed IP address instead of using DHCP this may be what you’re seeing.

We use static addresses at work, and no, it's not a mobile user. In fact the firewall says this person has been logged into an AOL page of some kind for the last 48 hours at least; it has served up about 40MB of just advertisements in that period. We're switching to DHCP (thank God) by the end of December once the rest of the network has been upgraded.

Since you’ve already got the firewall in place, just block traffic to/from that IP and see who complains. If you want to be a little more sophisticated, redirect every HTTP request from that IP to a local server page that says “come see Bongmaster to get your IP enabled”.

Depending on the user, you might get complaints about shutting them down, but you can use this to your credit by pointing out that you are being proactive in ensuring the network's security and authorized use.

Good idea micco, I had considered that already. Problem is I am not too experienced with the particular firewall we run (Cisco IOS access list firewall) so I’m not 100% sure how to do it. I had hoped to find a utility I can download (like a port scanner but more) that would help me identify the computer by name, location, or some other detail.

-nmap would tell you what OS it is… (it's a good port scanner). I don't see why it has to be Mac or PC just 'cause it sends http requests. Depending on how much credit you give your users, it could be a router or something. (Though I, too, rule out a Linux machine due to AOL usage ;))
-nessus might be able to tell you a bit about what services it’s running.
-arp could of course get you their MAC.

They’re *nix utilities BTW ('cept arp - 'doze has arp) - I don’t know what you’re running there, but they’d probably run on Cygwin. If I were you I’d start yanking cables at lunchtime and narrow down to at least the router they’re using. You could also ping flood them and follow the blinking lights.

If you’re running a Cisco box, the command “show ip arp X.X.X.X” should give you a listing with, among other useful stuff, the MAC-address of the workstation with IP addy X.X.X.X - 12 hex digits in the form “0008.c786.18f8”.

Armed with this useful info, logon to the LAN switch and look at the forwarding table - a Cisco Catalyst switch with CatOS would take the command “show cam dynamic” to show that information, but there are lots of different switches out there.

The forwarding table lists MAC addresses and physical ports. Now you know the port - get thee to the cabling cabinet and trace the cable to the offending station. Then get creative…
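The IP → MAC → switch-port chase described in the last few posts can be automated once you have the two command outputs in hand. The script below is an added example and not something any poster in this thread supplied: it parses constructed (not captured) sample output of IOS `show ip arp` and CatOS `show cam dynamic`, normalises the two different MAC notations the two platforms use (IOS prints `0008.c786.18f8`, CatOS prints `00-08-c7-86-18-f8`), and reports the port the station was learned on. It also flags the case a practitioner hits most often: the MAC sits on a port that has learned several other MACs, which usually means that port is an uplink to another switch or a hub, so the station is behind it rather than plugged straight into it. The IP addresses, MACs and port numbers in the samples are made up.

```python
import re
from typing import Optional

# Constructed sample output of the IOS command "show ip arp" (not from a real device).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0008.c786.0001  ARPA   Vlan1
Internet  192.168.1.23           12   0008.c786.18f8  ARPA   Vlan1
Internet  192.168.1.40            3   0050.5600.aa11  ARPA   Vlan1
Internet  192.168.1.99            0   Incomplete      ARPA
"""

# Constructed sample output of the CatOS command "show cam dynamic" (not from a real switch).
SHOW_CAM_DYNAMIC = """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
1     00-08-c7-86-18-f8             3/12 [ALL]
1     00-50-56-00-aa-11             3/1  [ALL]
1     00-08-c7-86-00-01             3/1  [ALL]
1     00-0c-29-12-34-56             3/1  [ALL]
Total Matching CAM Entries Displayed  = 4
"""

# Accepts Cisco dotted (xxxx.xxxx.xxxx), dashed (xx-xx-...) and colon (xx:xx:...) MAC forms.
MAC_RE = re.compile(
    r"(?i)^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})$"
)


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits so IOS and CatOS entries can be compared."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"unrecognised MAC format: {mac!r}")
    return re.sub(r"[.:-]", "", mac).lower()


def parse_ip_arp(text: str) -> dict:
    """Map IP -> normalised MAC from 'show ip arp' output; Incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "Internet":
            ip, hw = parts[1], parts[3]
            if hw.lower() == "incomplete":
                continue  # router sent an ARP request and never got a reply
            table[ip] = normalize_mac(hw)
    return table


def parse_cam(text: str) -> dict:
    """Map normalised MAC -> switch port from 'show cam dynamic' output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like: VLAN  MAC  port  [protocol]; header/legend rows have no MAC in column 2.
        if len(parts) >= 3 and MAC_RE.match(parts[1]):
            table[normalize_mac(parts[1])] = parts[2]
    return table


def locate(ip: str, arp_text: str, cam_text: str) -> Optional[dict]:
    """Resolve an IP to {mac, port, shared}; None if the router has no ARP entry for it."""
    arp = parse_ip_arp(arp_text)
    cam = parse_cam(cam_text)
    mac = arp.get(ip)
    if mac is None:
        return None
    port = cam.get(mac)
    if port is None:
        # ARP knows the MAC but this switch never learned it: check another switch or a trunk.
        return {"mac": mac, "port": None, "shared": False}
    # Several MACs on one port almost always means an uplink or hub, not the end station.
    others = sum(1 for m, p in cam.items() if p == port and m != mac)
    return {"mac": mac, "port": port, "shared": others > 0}


if __name__ == "__main__":
    for ip in ("192.168.1.23", "192.168.1.40", "192.168.1.99"):
        print(ip, locate(ip, SHOW_IP_ARP, SHOW_CAM_DYNAMIC))
```

With the constructed samples, 192.168.1.23 resolves to port 3/12 on its own, while 192.168.1.40 lands on 3/1 together with two other MACs and is flagged as shared, which is the cue to follow that cable to the next switch and repeat the `show cam` step there.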

Excellent ideas guys, I’ll check this all out this afternoon. Thanks!