I have a rogue computer on our network somewhere that is attempting to send out spoofed packets using an IP that is not even part of our domain. I see it trying to get out at the firewall because the packets are being rejected. We use a 10 network and the packets are from a 192 IP. I'm looking for a way that Wireshark might be able to help me identify which switch the computer doing these dastardly deeds might be located on, so I can narrow down where to look. Does anyone have any suggestions? Thanks!
asked 21 Sep '10, 10:56
That totally depends on the network infrastructure. If it's a pure switched network with no routers (other than the firewall), you can use Wireshark to capture the packets just before the firewall. Look at the source MAC address of the packets and use the MAC address forwarding tables of your switches to work out on which port this system is attached.
When other routers are involved, the steps are basically the same, but you will have to work through the steps for each routing hop (as the MAC address that you see on the firewall is the MAC address of the first router on the way to the rogue system).
answered 21 Sep '10, 11:16
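The two steps in the answer above (pick out frames whose IPv4 source is outside the 10/8 network, then map each offending source MAC to a switch port via the forwarding tables) as an added, self-contained example; this is not code from the original thread. The frames, MAC addresses, switch names and ports are all constructed for the demo.

```python
import ipaddress
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II + IPv4 header (no payload); constructed sample data only."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

FIREWALL_MAC = "00:00:5e:00:53:ff"  # constructed (documentation MAC range)
FRAMES = [  # what a capture on the segment just before the firewall might contain (constructed)
    build_frame("00:00:5e:00:53:10", FIREWALL_MAC, "10.1.2.3", "203.0.113.5"),      # legitimate host
    build_frame("00:00:5e:00:53:aa", FIREWALL_MAC, "192.168.77.9", "203.0.113.5"),  # spoofed source
    build_frame("00:00:5e:00:53:aa", FIREWALL_MAC, "192.168.77.10", "203.0.113.5"), # same sender, new IP
]

# Constructed stand-in for the switches' MAC forwarding tables: MAC -> (switch, port).
# If a MAC resolves to a router interface rather than a host, repeat the capture on
# that router's inside segment, as the answer notes for routed networks.
MAC_TABLE = {
    "00:00:5e:00:53:10": ("sw-core-1", "Gi1/0/4"),
    "00:00:5e:00:53:aa": ("sw-floor-2", "Gi1/0/17"),
}

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")

def spoofed_source_macs(frames, local_net=LOCAL_NET):
    """Return {src_mac: {src_ips}} for IPv4 frames whose source IP lies outside local_net."""
    hits = {}
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue  # not an IPv4 frame (or truncated)
        src_mac = ":".join(f"{b:02x}" for b in f[6:12])
        src_ip = ipaddress.IPv4Address(f[26:30])  # IPv4 source field sits at Ethernet(14) + 12
        if src_ip not in local_net:
            hits.setdefault(src_mac, set()).add(str(src_ip))
    return hits

def locate(frames, mac_table=MAC_TABLE):
    """Map each offending source MAC to (switch, port); None when the MAC is not in any table."""
    return {mac: mac_table.get(mac) for mac in spoofed_source_macs(frames)}

if __name__ == "__main__":
    for mac, where in locate(FRAMES).items():
        print(mac, "->", where)
```

In Wireshark itself the first step is the display filter `!(ip.src == 10.0.0.0/8)` with the Ethernet source column visible; the second step is still a lookup in the switches' own forwarding tables.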