Can WireShark help me locate a rogue system, down to the physical location/port?
asked 13 May '11, 17:06
edited 29 Feb '12, 19:29
Wireshark can help you detect traffic from rogue PCs, but it can't tell you which port the PC is connected to. You need to use the ARP tables on your routers and the forwarding databases on your switches to track down the port. The steps you need to take are:
answered 14 May '11, 15:09
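The ARP-plus-FDB correlation the answer above describes, as an added worked example that is not part of the original answer. The ARP and MAC-address-table data are constructed for illustration (hypothetical switch names, ports and addresses); in practice you would paste in the output of `show ip arp` and `show mac address-table`, or pull it over SNMP. The one detail that matters in real networks is also handled here: a MAC shows up on several switches, and on the upstream switch it sits on a trunk/uplink port together with many other MACs, so the example discards ports that have learned more than a handful of addresses and keeps only the access port where the rogue host actually hangs.

```python
# Added example: locate a rogue host's access port by joining a router's
# ARP table (IP -> MAC) with per-switch forwarding databases (MAC -> port).
# All tables below are constructed sample data, not output from real gear.
from collections import defaultdict

# Router ARP table (constructed): IP -> MAC
ARP_TABLE = {
    "10.1.1.50": "00:11:22:33:44:55",   # the "rogue" host we want to find
    "10.1.1.51": "00:11:22:33:44:66",
}

# Per-switch FDB (constructed): switch -> [(mac, port), ...]
# core-sw1 Gi0/24 is the uplink to access-sw2, so it learns every MAC
# behind access-sw2 and must not be reported as the host's port.
FDB = {
    "core-sw1": [
        ("00:11:22:33:44:55", "Gi0/24"),
        ("00:11:22:33:44:66", "Gi0/24"),
        ("00:aa:bb:cc:dd:01", "Gi0/24"),
        ("00:aa:bb:cc:dd:02", "Gi0/24"),
        ("00:aa:bb:cc:dd:03", "Gi0/1"),
    ],
    "access-sw2": [
        ("00:11:22:33:44:55", "Fa0/7"),
        ("00:11:22:33:44:66", "Fa0/8"),
        ("00:aa:bb:cc:dd:01", "Fa0/9"),
        ("00:aa:bb:cc:dd:02", "Fa0/10"),
    ],
}


def trunk_ports(fdb, threshold=2):
    """Ports that learned more than `threshold` distinct MACs are almost
    certainly uplinks/trunks to another switch (or a hub/VM host), not the
    host's own access port. The threshold is a heuristic, tune per network."""
    per_port = defaultdict(set)
    for mac, port in fdb:
        per_port[port].add(mac.lower())
    return {port for port, macs in per_port.items() if len(macs) > threshold}


def locate_by_mac(mac, fdb_by_switch):
    """Return [(switch, port)] where `mac` is learned on a non-trunk port."""
    mac = mac.lower()
    hits = []
    for switch, fdb in fdb_by_switch.items():
        trunks = trunk_ports(fdb)
        for learned_mac, port in fdb:
            if learned_mac.lower() == mac and port not in trunks:
                hits.append((switch, port))
    return hits


def locate_by_ip(ip, arp, fdb_by_switch):
    """Resolve IP -> MAC via the router ARP table, then MAC -> access port.
    Returns (mac, [(switch, port), ...]); mac is None if ARP has no entry,
    which usually means the host is silent or on a different L3 segment."""
    mac = arp.get(ip)
    if mac is None:
        return None, []
    return mac.lower(), locate_by_mac(mac, fdb_by_switch)


if __name__ == "__main__":
    mac, where = locate_by_ip("10.1.1.50", ARP_TABLE, FDB)
    print(f"10.1.1.50 is {mac}, seen on access port(s): {where}")
```

If the result list is empty but the MAC is known, re-run `show mac address-table` right after pinging the host: FDB entries age out (300 s by default on Cisco IOS), so a quiet host can vanish from the table while still being plugged in.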
If your computer is connected to a Cisco switch which is running CDP (Cisco Discovery Protocol), then the switch and port number you are connected to is identified in your capture file. You can use the display filter, cdp, to narrow down your results and see only that traffic, and you will see "Device ID: SwitchName Port ID: PortID" under the Info column of the captured packet. Also, you can use Wireshark Portable and tshark to identify ports on other computers in your network by installing Wireshark Portable on a jump drive, then on the remote computer, run the WinPcap installer, and then the following command:
Save the above from Notepad as a .cmd file, like "whoami.cmd". Then run the command from the user's computer. There may be a delay while you wait for CDP to broadcast; you can speed this up by opening up the browser and surfing around a little in the background.
There may be a discovery protocol available for nortel switches or others, but I haven't researched those.
Hope this helps, John
answered 19 May '11, 05:49
edited 19 May '11, 06:01
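The Device ID / Port ID lookup the answer above relies on, as an added example that is not part of the original answer. CDP is a layer-2 protocol sent to the multicast MAC 01:00:0c:cc:cc:cc inside an 802.3/LLC/SNAP frame (OUI 00:00:0c, protocol 0x2000), so a capture on a host only ever shows the switch it is directly cabled to, which is exactly why it pinpoints the port. On a box with tshark installed the equivalent one-liner is `tshark -i eth0 -Y cdp -T fields -e cdp.deviceid -e cdp.portid` (those are real Wireshark field names). The code below does the same decode offline: it builds a CDP frame from constructed values (hypothetical switch name, port and MACs) and parses the TLVs back out, so there is no dependency on a live capture. The CDP checksum is left unverified and set to zero in the constructed frame; a real switch fills it in.

```python
# Added example: build and parse a CDP frame to extract the TLVs Wireshark
# shows as "Device ID" and "Port ID". Frame contents are constructed.
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")            # 01:00:0c:cc:cc:cc
# LLC (DSAP aa, SSAP aa, ctrl 03) + SNAP (OUI 00:00:0c, proto 0x2000 = CDP)
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")

# CDP TLV types (subset). Strings for 1/3/5/6, anything else kept as hex.
TLV_DEVICE_ID, TLV_ADDRESS, TLV_PORT_ID, TLV_VERSION, TLV_PLATFORM = 1, 2, 3, 5, 6
TLV_NAMES = {
    TLV_DEVICE_ID: "Device ID",
    TLV_ADDRESS: "Addresses",
    TLV_PORT_ID: "Port ID",
    TLV_VERSION: "Software Version",
    TLV_PLATFORM: "Platform",
}
STRING_TLVS = {TLV_DEVICE_ID, TLV_PORT_ID, TLV_VERSION, TLV_PLATFORM}


def build_cdp_frame(device_id, port_id, platform, src_mac, ttl=180):
    """Construct an 802.3/LLC/SNAP CDPv2 frame (checksum left as 0)."""
    def tlv(t, value):                      # TLV length includes its 4-byte header
        return struct.pack("!HH", t, 4 + len(value)) + value

    body = (tlv(TLV_DEVICE_ID, device_id.encode())
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_PLATFORM, platform.encode()))
    cdp = struct.pack("!BBH", 2, ttl, 0) + body   # version 2, TTL, checksum
    payload = SNAP_CDP + cdp
    # 802.3 length field counts LLC/SNAP + CDP payload (must be <= 1500)
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp_frame(frame):
    """Return {'version', 'ttl', 'Device ID', 'Port ID', ...} or raise ValueError."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST:
        raise ValueError("not addressed to the CDP multicast MAC")
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:
        raise ValueError("Ethernet II EtherType, not an 802.3/LLC frame")
    if frame[14:22] != SNAP_CDP:
        raise ValueError("LLC/SNAP header is not CDP")
    cdp = frame[22:14 + length]
    version, ttl, _checksum = struct.unpack("!BBH", cdp[:4])   # checksum not verified
    fields = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(cdp):
        t, tlv_len = struct.unpack("!HH", cdp[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(cdp):
            raise ValueError(f"bad TLV length {tlv_len} at offset {off}")
        value = cdp[off + 4:off + tlv_len]
        name = TLV_NAMES.get(t, f"tlv_{t:#06x}")
        fields[name] = (value.decode("ascii", "replace") if t in STRING_TLVS
                        else value.hex())
        off += tlv_len
    return fields


if __name__ == "__main__":
    frame = build_cdp_frame("SwitchName", "GigabitEthernet0/12",
                            "cisco WS-C2960-24TT-L", bytes.fromhex("001b54aabbcc"))
    info = parse_cdp_frame(frame)
    print(f"Device ID: {info['Device ID']}  Port ID: {info['Port ID']}")
```

Two practical caveats: CDP is sent every 60 s by default, so a capture shorter than that may simply not contain a frame yet (the "delay" the answer mentions), and many sites disable CDP on user-facing ports or run LLDP instead, in which case filter on `lldp` and read the Chassis ID and Port ID TLVs the same way.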
Also, while not Wireshark, NetScanTools Pro has a feature known as 'Switch Port Mapper'. It will collect all the ARP info from your switches and, combining that with a ping sweep, will show you all the devices connected to your switches including MAC and IP and the associated port number.
answered 05 Jun '11, 12:38