Yesterday I posted:
Does anyone know how to determine if duplicate IP addresses are in use on
SPARC 5 wkstns running SUNOS 4.1.3? Is there a tool or command that can be
used to determine what machine(s) is using a given IP address? For instance,
on Intergraph Unix workstations (running CLIX--a proprietary flavour of unix)
you could issue the command:
arp -t ip_address
(where ip_address is the IP address that you wish to determine the users of)
This command would list the Ethernet address of the machines that were using
the given internet address. From there I could track down the owner of the
machine that had "accidentally" used my internet address.
Unfortunately, the -t option does not exist with the arp command in SUNOS (or
most other flavours of Unix). Any suggestions or ideas would be greatly
appreciated.
-------------------------------------------------------------------------------
I received many responses and would like to thank all those who responded.
Your information was very helpful.
Thanks to:
----------
ramu@duettech.com
bobk@telecode.com
rtrzaska@uk.mdis.com
Robert.Gillespie@waii.com
hessep@gb.swissbank.com
sahirns@menger.eecs.stevens-tech.edu
chris@Advent.COM
john@oncology.uthscsa.edu
Michael.Neef@neuroinformatik.ruhr-uni-bochum.DE
astorms@galaxy.csc.calpoly.edu
Jimi.Xenidis@cimtegration.com
Ian_MacPhedran@engr.USask.CA
and@morgan.com
manderso@mitretek.org
Summary:
----------------------------------------------------------------------------
arp -a will list out ip address and ethernet address.
Before using this you contact all hosts once using the command rup.
----------------------------------------------------------------------------
get a program called 'getethers'
It can be found at www.jumbo.com or ftp.oak.oakland.edu
----------------------------------------------------------------------------
did you try 'arp -a' which
will list out the current table of
ip address to mac addresses,
loop through pinging a host then 'arp -a | grep ahost'
might work.
----------------------------------------------------------------------------
Looking at this recently, I saw a reference to a suite of
progs by Dave Curry at http://harbor.ecn.purdue.edu/~davy/
----------------------------------------------------------------------------
Disconnect your workstation from the net and then:
ping -s YourIPAddress
This should yield the Ethernet address of the machine(s).
----------------------------------------------------------------------------
You could always ping the ip address first and then arp it. Of
course, this would only work if the other machine is on the same
network as you are.
example:
% ping 155.246.89.81
155.246.89.81 is alive
% arp 155.246.89.81
155.246.89.81 (155.246.89.81) at 0:80:7c:4:30:96
----------------------------------------------------------------------------
Just use 'arp ip_address' in SunOS 4.x.
----------------------------------------------------------------------------
The first thing to do is ping the ip address. If you get two
or more responses for every one sent (ie magnification), then
you have hosts sharing addresses.
Next, with etherfind you can filter for the source host being
your magnified ip address and choose only ICMP packets and set
it for extremely verbose output. This way you can determine
the physical addresses of the hosts with the same ip address.
----------------------------------------------------------------------------
there is a very useful public domain tool called arpwatch which detects
changes in ethernet addresses and I think in IP addresses also:
ftp://ftp.ee.lbl.gov/arpwatch.tar.Z
arpwatch uses libpcap:
ftp://ftp.ee.lbl.gov/libpcap.tar.Z
As far as I remember, the usage of duplicate IP addresses and the corresponding
ethernet addresses of active hosts are usually listed in /var/adm/messages.
----------------------------------------------------------------------------
You can try this:
In one window execute snoop (tcpdump for SUNOS) and pipe it into some
sort of grep call (or no grep at all if you wish).
Next, in another window ping the IP address. You can watch snoop give
you details about who replies to the ARP-request when you ping. There
should be an ethernet address listed. You may have to set a flag in
snoop to list ether addresses. I'm sure it's in the man page.
(note: sometimes if the IP and ether is already in your arp cache no
arp-request will be performed. arp -a lists the arp cache. There is a
flag to clear the cache.)
----------------------------------------------------------------------------
arp displays the ethernet addresses cached in the kernel, so to discover
an ethernet address you should first ping it.
$ ping <ip_address>
<ip_address> is alive
$ arp <ip_address>
<hostname> (<ip_address>) at <ethernet address>
if you suspect two machines using the same IP address then arp may show two
MAC addresses for the same ip or to be really sure try this
$ ping -sv <ip_address>
If you are correct you will see twice as many ping responses, then try:
$ arp -a
Which will dump the entire arp cache table which will show the MAC address of
the machines. Look for repeating IP addresses.
----------------------------------------------------------------------------
Just use "arp ip_addr" - if it returns without an ethernet address, ping
that address, then arp it. Remember to turn off your Sun before doing
this, or it may be that you'll get it instead of the rogue. If you have
tcpdump, you could try watching for packets from that IP address and
without the known ethernet address.
Check with your network administrator - your bridges/routers may be
capturing this information already.
----------------------------------------------------------------------------
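The two checks the replies above keep coming back to (twice as many ping replies as requests, and one IP address appearing with two Ethernet addresses in arp -a or in tcpdump/snoop ARP replies) can be automated. The following is an added example, not code from the original post or any of the respondents; the ping, arp -a and tcpdump lines it parses are constructed samples in SunOS 4.x / tcpdump format, and the IP and Ethernet addresses in them are made up.

```python
import re
from collections import defaultdict
# Constructed sample of `ping -s` output (not from the post): icmp_seq 2 is
# answered twice, the "magnification" the replies above describe.
PING_OUTPUT = """\
64 bytes from 155.246.89.81: icmp_seq=0. time=1. ms
64 bytes from 155.246.89.81: icmp_seq=1. time=1. ms
64 bytes from 155.246.89.81: icmp_seq=2. time=1. ms
64 bytes from 155.246.89.81: icmp_seq=2. time=3. ms
64 bytes from 155.246.89.81: icmp_seq=3. time=1. ms
"""
# Constructed sample mixing SunOS 4.x `arp -a` lines with tcpdump "arp reply"
# lines; 155.246.89.81 is claimed by two different Ethernet addresses.
ARP_OUTPUT = """\
gateway (155.246.89.1) at 8:0:20:1:2:3
host81 (155.246.89.81) at 0:80:7c:4:30:96
host90 (155.246.89.90) at 8:0:20:11:22:33 permanent
12:01:03.5 arp reply 155.246.89.81 is-at 8:0:20:aa:bb:cc
12:01:03.6 arp reply 155.246.89.1 is-at 8:0:20:1:2:3
"""
IP, MAC = r"(\d+(?:\.\d+){3})", r"([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})"
PING_SEQ = re.compile(r"icmp_seq=(\d+)")
# Either "host (ip) at mac" (arp -a) or "arp reply ip is-at mac" (tcpdump).
ARP_LINE = re.compile(r"\(%s\) at %s|arp reply %s is-at %s" % (IP, MAC, IP, MAC),
                      re.IGNORECASE)

def duplicated_ping_seqs(ping_text):
    """icmp_seq numbers answered more than once: two hosts share the IP."""
    counts = defaultdict(int)
    for m in PING_SEQ.finditer(ping_text):
        counts[int(m.group(1))] += 1
    return sorted(seq for seq, n in counts.items() if n > 1)

def ip_to_macs(arp_text):
    """Map each IP in arp -a / tcpdump ARP-reply output to the MACs claiming it."""
    claims = defaultdict(set)
    for m in ARP_LINE.finditer(arp_text):
        ip, mac = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        claims[ip].add(mac.lower())
    return claims

def duplicate_ips(arp_text):
    """IPs claimed by more than one MAC, i.e. the address conflicts to chase."""
    return {ip: sorted(macs) for ip, macs in ip_to_macs(arp_text).items()
            if len(macs) > 1}

if __name__ == "__main__":
    print("duplicate replies for icmp_seq:", duplicated_ping_seqs(PING_OUTPUT))
    for ip, macs in duplicate_ips(ARP_OUTPUT).items():
        print("%s is claimed by %s" % (ip, ", ".join(macs)))
```

On a live host you would feed it the captured output of `ping -s`, `arp -a` and `tcpdump arp` instead of the embedded samples; as the replies note, the arp cache only shows the host that answered last, so the capture is the more reliable of the two.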
Try this:
1. ping the host or IP address that you are interested in.
2. arp -a | grep host_or_IP_address
You will see the Ethernet address of the machine that responded to the
ping. You will not see every host that is using that address, but only
the one that responded. If this is the Ethernet address that you are
looking for, then you're done with arp. If not, you will have to keep
trying until the _wrong_ machine responds again. Before trying again,
you should delete the arp table entry for that host (arp -d hostname).
If you want to prevent the correct host from responding, just shut it
down during the testing.
----------------------------------------------------------------------------
on sunos you'll get a console message (also logged in /var/adm/messages) if
someone's using your ip address. It will be of the form:
cwadm1 /usr/local/track/STD/Slists 68$ strings /vmunix | grep -i duplicate
duplicate IP address!! sent from ethernet address
----------------------------------------------------------------------------
Rawle
--
********************************
Rawle Gibson
Release & Tools Engineer
Sybase Canada Ltd.
Email: rawle.gibson@sybase.com
********************************
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:57 CDT