This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Rogue PC on the Network

0

Can WireShark help me locate a rogue system, down to the physical location/port?

asked 13 May '11, 17:06

HFlores's gravatar image

HFlores
1111
accept rate: 0%

edited 29 Feb '12, 19:29

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

3 Answers:

1

Wireshark can help you detect traffic from Rogue PC's, but it can't tell you which port the PC is connected too. You need to use the ARP tables on your routers and the Forwarding Databases on your switches to track down the port. The steps you need to take are:

  1. Detect traffic from the Rogue PC with Wireshark. This is the most difficult step, as it might nog be very visible. Once you have the IP address of the Rogue PC, you can continue

  2. Log in to the router that is connected to the subnet of which the found IP is part of. Get the ARP entry for that IP and copy the MAC address

  3. From the router downwards log into the switches and lookup the MAC address in the forwarding database.

  4. If the MAC is found on a switchlink, follow the link to the next switch until you find the access-port on which the MAC is listed. That's where you will find your ROgue PC

Good luck!

answered 14 May '11, 15:09

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Very nice and THANK you I'll try this out. Herbert

(17 May '11, 16:46) HFlores

0

If your computer is connected to a Cisco switch which is running CDP, (Cisco Discovery Protocol), then the switch and port number you are connected to is identified in your capture file. You can use the Display Filter, CDP, to narrow down your results and see only that traffic, and you will see "Device ID: SwitchName Port ID: PortID under the Info section of the captured packet. Also, you can use wiresharkportable and tshark to identify ports on other computers in your network by installing wiresharkportable on a jumpdrive, then on the remote computer, runn winpcap installer, and then the following command:

@echo off 
winpcap_4_1_2.exe
tshark -i interface# -R cdp       [where interface# is the number of the interface your are capturing]

save the above from notepad as a .cmd file, like "whoami.cmd". Then run the command from the users computer. There may be a delay while you wait for CDP to broadcast, you can speed this up by opening up the browser and surfing around a little in the background.

There may be a discovery protocol available for nortel switches or others, but I haven't researched those.

Hope this helps, John

answered 19 May '11, 05:49

John_Modlin's gravatar image

John_Modlin
1205
accept rate: 0%

edited 19 May '11, 06:01

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

This is useful indeed when you want to know on which switchport a "known" system is connected, but I believe the OP was trying to locate an unknown system on his/her network.

(BTW I edited your answer and deleted the second one that was only a correction to the answer, you can always edit your answers after posting them)

(19 May '11, 06:04) SYN-bit ♦♦

Thank you. Also, I thought your solution was effective.

John

(19 May '11, 08:28) John_Modlin

Thank you John, I do appreciate the info. We do have CISCO switches and I know the IP address from DHCP and the listed NetBIOS name. I'll have to see if CDP is loaded/activated. thanks again, herbert

(19 May '11, 08:56) HFlores

0

Also, while not wireshark, netscantools pro has a feature known has 'switch port mapper'. It will collect all the arp info from your switches and combining that with a ping sweep will show you all the devices connected to your switches including mac and ip and the associated port number.
Very cool :)

John

answered 05 Jun '11, 12:38

John_Modlin's gravatar image

John_Modlin
1205
accept rate: 0%