From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alfred Vahau
Date: Mon, 31 Jan 2005 18:14:34 +0000
Subject: Re: [LARTC] Personal Firewalls
Message-Id: <41FE758A.4050805@upng.ac.pg>
List-Id:
References: <41E1F504.2010201@upng.ac.pg>
In-Reply-To: <41E1F504.2010201@upng.ac.pg>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

>However, there is a possibility if you want to find the computer by IP, if you use manageable switches. As you know which
>IPs are improper, you can also find the corresponding MAC address passively from the router's ARP table (or actively by
>arping), and the switches will be able to tell you on which port this MAC is plugged. Then you can e.g. shut down the port or
>follow the cable to the physical computer location.

Just reporting back on how this went. The above worked beautifully and the suspect PC has been identified.

Two puzzling aspects, which I hope the list will throw some light on, are:

1. The ipconfig /all command on Windows returns the description of the NIC with company A, but the MAC address contains the code for company B according to the OUI scheme.
http://standards.ieee.org/regauth/oui/oui.txt
Is this an industry practice? Both IP and MAC addresses match those of the investigated computer.

2. Our proxy access logs show that sites C and D were heavily accessed. The browser history shows site D being accessed but not a trace of access to C. I am suspecting an ftp server being used.

Thanks in advance for the help.

alfred,

--
Perl - "... making the easy jobs easy, without making the hard jobs impossible." 'The Camel', 3ed
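
The lookup described in the quoted advice (IP to MAC from the router's ARP table, then MAC to switch port), as an added example that is not part of the original message. It assumes the ARP table is in the Linux /proc/net/arp layout and the switch prints a Cisco-style MAC address table; all addresses, port names and the `uplinks` parameter are constructed for illustration.

```python
import re

# Constructed sample: router ARP table in Linux /proc/net/arp layout.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.21    0x1         0x2         00:11:22:aa:bb:01     *        eth1
192.168.10.57    0x1         0x2         00:11:22:AA:BB:02     *        eth1
192.168.10.99    0x1         0x0         00:00:00:00:00:00     *        eth1
"""

# Constructed sample: switch MAC table (Cisco-style dotted notation assumed).
SWITCH_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.22aa.bb01    DYNAMIC     Fa0/3
  10    0011.22aa.bb02    DYNAMIC     Fa0/17
  10    0011.22aa.bb02    DYNAMIC     Gi0/1
"""

def norm_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    return digits if len(digits) == 12 else None

def parse_arp(table):
    """Map IP -> MAC, skipping incomplete entries (Flags == 0x0)."""
    out = {}
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) >= 4 and int(f[2], 16) != 0 and norm_mac(f[3]):
            out[f[0]] = norm_mac(f[3])
    return out

def parse_switch(table):
    """Map MAC -> list of ports; header and ruler lines fail norm_mac."""
    out = {}
    for line in table.splitlines():
        f = line.split()
        if len(f) >= 4 and norm_mac(f[1]):
            out.setdefault(norm_mac(f[1]), []).append(f[3])
    return out

def locate(ip, uplinks=("Gi0/1",)):
    """Return (mac, oui, access_ports) for an IP, or None if unresolved.
    The same MAC is also learned on uplink ports, so those are filtered."""
    mac = parse_arp(ARP_TABLE).get(ip)
    if mac is None:
        return None
    ports = [p for p in parse_switch(SWITCH_TABLE).get(mac, []) if p not in uplinks]
    oui = "-".join((mac[0:2], mac[2:4], mac[4:6]))  # prefix format used in oui.txt
    return mac, oui, ports
```

The returned OUI prefix is the value to compare against the IEEE oui.txt list when checking a NIC's advertised vendor against its MAC address.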