Nodes and IP address

Post by acruxi » Wed, 12 Mar 2003 16:55:54



Hi,
On a switched network, and given a DHCP-assigned
IP address, how do you figure out which node
sent a particular frame? What if the offending
node is offline/gets a new lease with a spoofed
MAC address/sends a packet with a spoofed IP?

TIA

 
 
 

Nodes and IP address

Post by Frank Sweetse » Tue, 18 Mar 2003 00:06:52



> Hi,
> On a switched network, and given a DHCP-assigned
> IP address, how do you figure out which node
> sent a particular frame? What if the offending
> node is offline/gets a new lease with a spoofed
> MAC address/sends a packet with a spoofed IP?

Well, first off, what does a switched network have to do with this?  All of
the same spoofings are just as possible on a shared network as a switched
network.

And secondly, if you can receive the frame, just look at the source ether
address, assuming that that wasn't spoofed too.  If it was spoofed, then you
will have to walk through the FDB on each switch until you find what physical
port the spoofed ether is appearing on.  Once you have that you can trace the
physical cable to the offending machine.

--
Frank Sweetser fs at wpi.edu
WPI Network Engineer
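
The FDB walk described in the reply above, as an added example that is not part of the original posts: starting at one switch, follow the MAC from port to port until it lands on a port with no switch behind it. The FDB contents, switch and port names, and the inter-switch link map are constructed sample data; in practice they would come from each switch's MAC address table and your own topology records.

```python
import re

def norm_mac(mac):
    """Normalise aa:bb:.., aa-bb-.., aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def trace_mac(mac, start, fdb, links):
    """Follow a source MAC through per-switch FDBs to its edge port.

    Returns (hops, status). hops is a list of (switch, port). status is
    'edge' (port has no known switch behind it), 'aged-out' (no FDB entry
    on the current switch) or 'loop' (link data led back to a seen switch).
    """
    mac = norm_mac(mac)
    hops, seen, switch = [], set(), start
    while True:
        if switch in seen:
            return hops, "loop"
        seen.add(switch)
        table = {norm_mac(m): p for m, p in fdb.get(switch, {}).items()}
        port = table.get(mac)
        if port is None:
            return hops, "aged-out"   # entry expired or never learned here
        hops.append((switch, port))
        nxt = links.get((switch, port))
        if nxt is None:
            return hops, "edge"       # access port: trace the cable from here
        switch = nxt

# Constructed sample data (hypothetical switches, ports and addresses).
FDB = {
    "core1": {"0011.2233.4455": "gi0/1", "00:de:ad:00:00:01": "gi0/1"},
    "dist2": {"00-11-22-33-44-55": "gi0/24"},
    "edge7": {"00:11:22:33:44:55": "fa0/13"},
}
# Assumed topology: (switch, port) -> neighbouring switch on that port.
LINKS = {("core1", "gi0/1"): "dist2", ("dist2", "gi0/24"): "edge7"}

if __name__ == "__main__":
    print(trace_mac("00:11:22:33:44:55", "core1", FDB, LINKS))
    print(trace_mac("00:de:ad:00:00:01", "core1", FDB, LINKS))
```

An `aged-out` result is the case where the walk stops short because a switch no longer holds an entry for the address.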

 
 
 

Nodes and IP address

Post by acruxi » Fri, 21 Mar 2003 14:13:03




>>Hi,
>>On a switched network, and given a DHCP-assigned
>>IP address, how do you figure out which node
>>sent a particular frame? What if the offending
>>node is offline/gets a new lease with a spoofed
>>MAC address/sends a packet with a spoofed IP?

> Well, first off, what does a switched network have to do with this?  All of
> the same spoofings are just as possible on a shared network as a switched
> network.

> And secondly, if you can receive the frame, just look at the source ether
> address, assuming that that wasn't spoofed too.  If it was spoofed, then you
> will have to walk through the FDB on each switch until you find what physical
> port the spoofed ether is appearing on.  Once you have that you can trace the
> physical cable to the offending machine.

hm...let me explain my scenario in more detail:
- machine spoofs ethernet address
- machine asks for IP address
- DHCP server links IP address with ethernet address
- machine sends packets with assigned IP address and spoofed
MAC address
- machine goes offline
- machine reverts to original MAC and gets new IP address
- spoofed MAC is never used again

Given this scenario, how do we trace which machine sent the spoofed
packets, if it's possible?

TIA