This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can WireShark help me locate a rogue system, down to the physical location/port?

asked 13 May '11, 17:06


HFlores

edited 29 Feb '12, 19:29


cmaynard ♦♦


Wireshark can help you detect traffic from Rogue PCs, but it can't tell you which port the PC is connected to. You need to use the ARP tables on your routers and the forwarding databases on your switches to track down the port. The steps you need to take are:

  1. Detect traffic from the Rogue PC with Wireshark. This is the most difficult step, as it might not be very visible. Once you have the IP address of the Rogue PC, you can continue.

  2. Log in to the router that is connected to the subnet of which the found IP is part. Get the ARP entry for that IP and copy the MAC address.

  3. From the router downwards, log into the switches and look up the MAC address in the forwarding database.

  4. If the MAC is found on a switch link, follow the link to the next switch until you find the access port on which the MAC is listed. That's where you will find your Rogue PC.

Good luck!


answered 14 May '11, 15:09


SYN-bit ♦♦
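The four steps in the answer above are a MAC-following algorithm once the router's ARP table and each switch's forwarding database have been collected. The following is an added example, not part of SYN-bit's answer, written in Python: it takes the rogue IP, reads the MAC from the router's ARP output, then walks the switches' MAC address tables, stepping across inter-switch links until the MAC appears on a port that is not an uplink. The router output, switch outputs, switch names and the uplink map are constructed samples in Cisco IOS-like format, not taken from any real network; in practice the uplink map would come from CDP/LLDP neighbour data or your own topology documentation.

```python
"""Trace a host IP to a switch access port via ARP table and forwarding databases.

Added example. All device outputs below are CONSTRUCTED samples in Cisco IOS-like
format; they are not captures from a real network.
"""
import re

# Constructed 'show ip arp' output from the router on the rogue host's subnet.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.5.1                -   0011.2233.4455  ARPA   Vlan5
Internet  10.0.5.77              12   00aa.bbcc.dd01  ARPA   Vlan5
Internet  10.0.5.80               3   00aa.bbcc.dd02  ARPA   Vlan5
"""

# Constructed 'show mac address-table' output for each switch, keyed by switch name.
SWITCH_FDB = {
    "core": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    00aa.bbcc.dd01    DYNAMIC     Gi1/0/48
   5    00aa.bbcc.dd02    DYNAMIC     Gi1/0/47
""",
    "access-a": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
   5    00aa.bbcc.dd02    DYNAMIC     Gi1/0/24
""",
}

# Constructed inter-switch links: (switch, port) -> neighbouring switch.
# A port that is NOT in this map is treated as an access port.
UPLINKS = {
    ("core", "Gi1/0/48"): "access-a",
    ("access-a", "Gi1/0/24"): "core",
}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M | re.I)
FDB_RE = re.compile(r"^\s*\d+\s+" + MAC + r"\s+\S+\s+(\S+)", re.M | re.I)


def arp_lookup(arp_text, ip):
    """Step 2: return the MAC (dotted, lower-case) for ip, or None if no ARP entry."""
    for found_ip, mac in ARP_RE.findall(arp_text):
        if found_ip == ip:
            return mac.lower()
    return None


def fdb_lookup(fdb_text, mac):
    """Step 3: return the port on which the switch has learned mac, or None."""
    for found_mac, port in FDB_RE.findall(fdb_text):
        if found_mac.lower() == mac:
            return port
    return None


def trace_to_access_port(ip, start_switch="core", max_hops=10):
    """Steps 2-4: return (mac, switch, access_port) for ip, or None if the trail ends."""
    mac = arp_lookup(ROUTER_ARP, ip)
    if mac is None:
        return None
    switch = start_switch
    visited = set()
    for _ in range(max_hops):
        if switch in visited:          # loop guard for inconsistent uplink data
            return None
        visited.add(switch)
        port = fdb_lookup(SWITCH_FDB[switch], mac)
        if port is None:               # MAC aged out or never seen on this switch
            return None
        next_switch = UPLINKS.get((switch, port))
        if next_switch is None:        # not an uplink: this is the access port
            return (mac, switch, port)
        switch = next_switch           # step 4: follow the link to the next switch
    return None


if __name__ == "__main__":
    print(trace_to_access_port("10.0.5.77"))   # ('00aa.bbcc.dd01', 'access-a', 'Gi1/0/7')
```

The loop guard and the hop limit matter on real networks: a stale forwarding-database entry or a mis-documented uplink can otherwise send the trace bouncing between two switches.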

Very nice and THANK you I'll try this out. Herbert

(17 May '11, 16:46) HFlores

If your computer is connected to a Cisco switch which is running CDP (Cisco Discovery Protocol), then the switch and port number you are connected to is identified in your capture file. You can use the Display Filter, CDP, to narrow down your results and see only that traffic, and you will see "Device ID: SwitchName Port ID: PortID" under the Info section of the captured packet. Also, you can use wiresharkportable and tshark to identify ports on other computers in your network by installing wiresharkportable on a jumpdrive, then on the remote computer, run the winpcap installer, and then the following command:

@echo off
REM Install WinPcap from the jump drive first (installer name as shipped with it)
winpcap_4_1_2.exe
REM Capture only CDP frames. Replace interface# with the number of the interface
REM you are capturing on (tshark -D lists them); -R applies the read filter "cdp"
tshark -i interface# -R cdp

Save the above from Notepad as a .cmd file, like "whoami.cmd". Then run the command from the user's computer. There may be a delay while you wait for CDP to broadcast; you can speed this up by opening up the browser and surfing around a little in the background.

There may be a discovery protocol available for Nortel switches or others, but I haven't researched those.

Hope this helps, John


answered 19 May '11, 05:49


John_Modlin

edited 19 May '11, 06:01


SYN-bit ♦♦
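The "Device ID" and "Port ID" that Wireshark prints for a CDP frame are two type-length-value fields inside the CDP payload (type 0x0001 and 0x0003; type 0x0006 is the platform string). The block below is an added example in Python, not code from the answer or from Wireshark or tshark, that decodes the CDP header and those TLVs from a raw payload, i.e. the bytes that follow the Ethernet, LLC and SNAP headers. The switch name, port and platform strings are constructed test values; the builder that produces the sample payload leaves the checksum field zero because it only exists to exercise the parser, and the parser does not verify the checksum.

```python
"""Decode CDP Device ID / Port ID TLVs from a raw CDP payload.

Added example with a CONSTRUCTED sample payload; not a capture from a real switch.
"""
import struct

# CDP TLV types that tell a host which switch and port it is plugged into.
CDP_TLV_NAMES = {
    0x0001: "device_id",
    0x0003: "port_id",
    0x0006: "platform",
}


def build_cdp_payload(device_id, port_id, platform):
    """Build a constructed CDP version 2 payload (TTL 180) for testing the parser.

    The 16-bit checksum is left as zero: this is sample data, not a valid on-wire frame.
    """
    tlvs = b""
    for tlv_type, value in ((0x0001, device_id), (0x0003, port_id), (0x0006, platform)):
        data = value.encode("ascii")
        # TLV length covers the 4-byte type/length header plus the value.
        tlvs += struct.pack("!HH", tlv_type, 4 + len(data)) + data
    return struct.pack("!BBH", 2, 180, 0) + tlvs


def parse_cdp(payload):
    """Return {'version', 'ttl', 'device_id', 'port_id', 'platform', ...} from a CDP payload.

    Raises ValueError on a truncated header or a TLV whose length does not fit.
    """
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])   # checksum not verified here
    result = {"version": version, "ttl": ttl}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = payload[offset + 4:offset + tlv_len]
        name = CDP_TLV_NAMES.get(tlv_type)
        if name is not None:
            result[name] = value.decode("ascii", errors="replace")
        offset += tlv_len                      # unknown TLV types are skipped, not rejected
    if offset != len(payload):
        raise ValueError("trailing bytes after last TLV")
    return result


def cdp_is_wellformed(payload):
    """True if parse_cdp accepts the payload without error."""
    try:
        parse_cdp(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_cdp_payload("SW-CORE-1", "GigabitEthernet1/0/7", "cisco WS-C2960")
    info = parse_cdp(sample)
    print("Device ID: %s Port ID: %s" % (info["device_id"], info["port_id"]))
```

The length checks are the part worth copying: a TLV length below 4 or beyond the end of the buffer is what a careless decoder would otherwise turn into an infinite loop or an out-of-bounds read, and a truncated capture is the normal case when a frame is cut by a snap length.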

This is useful indeed when you want to know on which switchport a "known" system is connected, but I believe the OP was trying to locate an unknown system on his/her network.

(BTW I edited your answer and deleted the second one that was only a correction to the answer, you can always edit your answers after posting them)

(19 May '11, 06:04) SYN-bit ♦♦

Thank you. Also, I thought your solution was effective.

John

(19 May '11, 08:28) John_Modlin

Thank you John, I do appreciate the info. We do have Cisco switches and I know the IP address from DHCP and the listed NetBIOS name. I'll have to see if CDP is loaded/activated. Thanks again, Herbert

(19 May '11, 08:56) HFlores

Also, while not Wireshark, NetScanTools Pro has a feature known as 'switch port mapper'. It will collect all the ARP info from your switches and, combining that with a ping sweep, will show you all the devices connected to your switches including MAC and IP and the associated port number.
Very cool :)

John


answered 05 Jun '11, 12:38


John_Modlin
