Rogue Device
  • Rogue Device

    I have detected a rogue device on our network. It has picked up an IP from the DC DHCP: 192.168.10.101. I have no wireless access points. I have stopped DHCP and deleted the IP address.

    Scanning the network, I can see that the device is 65ms away; it has no host or NetBIOS name or NetBIOS username visible, and SNMP is not switched on.

    It's 26ms away. Other local devices are <1ms, so it would seem to indicate it is external, but when I drop the power to the firewall it remained up. So it has to be physically connected.

    Is there any way I can find a device on a network with only an IP address? Other than turning the switches off to isolate a group and then pulling the patch leads out of the switch to patch panel one at a time, to isolate the floor socket!
    Regards
    Colin

    C.R.E JEWISON

  • #2
    Re: Rogue Device

    What kind of switches do you have?
    If you can ping the rogue host then you can get the MAC address. Depending on your switches, you can look at the ARP tables and see what port that MAC address is connected to. You then might be able to trace it to a physical location. (Do you use hubs?)
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    • #3
      Re: Rogue Device

      Once you do get the MAC address, look up the device; you might then recall what it is....
      "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan

      • #4
        Re: Rogue Device

        Thanks for the help, everyone. Found it.


        Lior_S's suggestion about looking up the device manufacturer worked a treat once I had got the MAC address (Dell), and using the switches, I waited until the evening and powered the switches off until the ping dropped, to isolate the switch. Then one at a time I pulled the cables out until it dropped again (2nd cable in), which was handy. This turned out to be patched to a hub.

        I then narrowed it down off the hub to a new server that, although switched off, was picking up an IP for some new feature that allows you to remote control the machines while they are at the DOS prompt.

        Which means that a Dell server is not off until the power cord is removed.
        Now I have always been aware that Dell servers still show some signs of life when turned off, but I hadn't realised they would connect to DHCP and pull an IP.

        Thanks to both JeremyW and Lior_S for their suggestions.
        Regards
        Colin

        C.R.E JEWISON
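        Putting the advice in #2 (ping, take the MAC, find the switch port that learned it) together with the manufacturer lookup that worked in #4, as an added Python example that is not code from anyone in this thread: it pulls the MAC for an IP out of a neighbour-cache dump, maps the OUI to a vendor and finds the port in a switch MAC table. The `ip neigh` output, the Cisco-style `show mac address-table` text and the one-entry OUI table are constructed samples; the IP 192.168.10.101 is the one from the original post.

```python
import re
from typing import Optional

# Constructed sample of Linux `ip neigh` output (Windows `arp -a` parses the same way).
ARP_OUTPUT = """\
192.168.10.101 dev eth0 lladdr 00:14:22:aa:bb:cc STALE
192.168.10.120 dev eth0 FAILED
"""
# Constructed sample of a Cisco-style `show mac address-table` (dotted MAC notation).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0014.22aa.bbcc    DYNAMIC     Gi1/0/17
"""
# Stub OUI table (first three octets -> vendor); load the full IEEE list for real use.
OUI = {"00:14:22": "Dell Inc."}
MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}", re.I)

def normalize_mac(mac: str) -> str:
    """Return aa:bb:cc:dd:ee:ff (lowercase) whatever separator the source used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_for_ip(arp_output: str, ip: str) -> Optional[str]:
    """MAC the neighbour cache holds for ip; None if absent or unresolved (FAILED)."""
    for line in arp_output.splitlines():
        fields = line.split()
        if fields and fields[0] == ip:
            m = MAC_RE.search(line)
            return normalize_mac(m.group(0)) if m else None
    return None

def vendor_for_mac(mac: str) -> str:
    """Vendor from the 24-bit OUI; a locally administered MAC identifies no vendor."""
    mac = normalize_mac(mac)
    if int(mac[:2], 16) & 0x02:  # bit 1 of the first octet set => locally administered
        return "locally administered (no vendor)"
    return OUI.get(mac[:8], "unknown OUI")

def port_for_mac(mac_table: str, mac: str) -> Optional[str]:
    """Port (last column) of the row that learned mac; None if the switch never saw it."""
    target = normalize_mac(mac)
    for line in mac_table.splitlines():
        m = MAC_RE.search(line)
        if m and normalize_mac(m.group(0)) == target:
            return line.split()[-1]
    return None
```

A MAC that the table does not hold, or that sits on a hub-facing port, is exactly the case in #4, where the last hop had to be found by pulling cables.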

        • #5
          Re: Rogue Device

          This would have been a DRAC (Dell Remote Access Card) device; they are used to remotely manage a server whether or not it is powered up. (Obviously it needs to have power connected). You can switch the server on, do BIOS configuration, switch it off... it's like being sat at a console. Very handy device to have, for a server support team. IBM do a similar thing too. I wouldn't be surprised if HP/Compaq have a similar function.


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you

          • #6
            Re: Rogue Device

            Originally posted by Stonelaughter:
            This would have been a DRAC (Dell Remote Access Card) device; they are used to remotely manage a server whether or not it is powered up. (Obviously it needs to have power connected). You can switch the server on, do BIOS configuration, switch it off... it's like being sat at a console. Very handy device to have, for a server support team. IBM do a similar thing too. I wouldn't be surprised if HP/Compaq have a similar function.
            Indeed, HP has the iLO (three different versions too!) and Sun has the ILOM; all modern-day server-class machines have that.
            "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan
