Case one: Locating a user's host
On Monday morning, after the workday began, the network administrator received a lot of complaints from users. The administrator checked the router's port and found bandwidth congestion.
There was no WAN traffic monitoring tool and no access to the router, so the traffic categories and data sources on the WAN could not be determined directly. The administrator therefore first analyzed traffic on the 100 Mbit port in front of the router, which required setting up a mirror port on the switch. In this way, he found a number of unknown source IP addresses, all sending outbound from a single MAC address. The initial estimate was that this machine was infected with a virus.
But how do you locate the source? Since this network administrator did not have a record of the MAC address of each employee's network card, he chose the isolation method: starting from the core switch, unplug the downstream switches one by one. This method is relatively fast, but its impact on users is relatively large. Many normal users are also affected during the diagnosis, and the network outage causes even more user complaints. If you can log on to the console of the switch, you can find the location of the infected MAC address by looking it up in the switch's address table, which shows the port it was learned on.
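The address-table lookup described above can be scripted across several switches. This is an added example, not part of the original article; it assumes Cisco IOS-style `show mac address-table` text has been saved from each switch, and the switch names, ports and MAC addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data. Assumption: Cisco IOS-style "show mac address-table"
# text saved from each switch; switch names, ports and MACs are made up.
HEADER = "Vlan    Mac Address       Type        Ports\n----    -----------       --------    -----\n"
TABLES = {
    "core-sw": HEADER
    + "  10    0011.2233.4455    DYNAMIC     Gi0/1\n"
    + "  10    0011.2233.4466    DYNAMIC     Gi0/1\n"
    + "  10    00aa.bbcc.dd01    DYNAMIC     Gi0/1\n"
    + "  20    00aa.bbcc.dd02    DYNAMIC     Gi0/2\n",
    "floor2-sw": HEADER
    + "  10    0011.2233.4455    DYNAMIC     Fa0/7\n"
    + "  10    0011.2233.4466    DYNAMIC     Fa0/8\n"
    + "  10    00aa.bbcc.dd01    DYNAMIC     Fa0/12\n"
    + "  20    00aa.bbcc.dd02    DYNAMIC     Gi0/1\n",
}
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+\w+\s+(\S+)\s*$")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return [(vlan, mac, port)] for entry rows; header lines do not match."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), norm_mac(m[2]), m[3]) for m in rows if m]

def locate(mac, tables):
    """Return [(switch, port, macs_on_port)], likeliest access port first."""
    target, hits = norm_mac(mac), []
    for switch, text in tables.items():
        rows = parse_table(text)
        per_port = Counter(port for _, _, port in rows)
        hits += [(switch, port, per_port[port])
                 for _, m, port in rows if m == target]
    # A port that learned one MAC is an access port; a port that learned
    # many MACs is an uplink to another switch, so keep following it.
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for switch, port, count in locate("00:11:22:33:44:55", TABLES):
        print(f"{switch} {port}: {count} MAC(s) learned on this port")
```

Address-table entries age out, so collect the tables while the suspicious host is still sending traffic.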
Some intelligent management platforms and tools (such as CiscoWorks) can provide some help, and the OPV Network Analyzer, ES Network Pass and similar tools can also provide switch path tracing, which directly reports the nearest switch port that the suspicious MAC address is connected to. If you do not have access to the switch management console, you cannot even set up a mirror port.
Another way is to use an inline tap (TAP) to split off the traffic of a link and feed it to a flow analyzer or protocol analyzer, such as the OPV Network Analyzer or ES Network Pass.
Trace SwitchRoute report of ES Network Pass
Using the methods above, the network administrator found the network cable leading in the direction of the infected machine. From experience, the administrator knew roughly which department the user belonged to; the next step was to find out who the user was and remove the virus.
In order to solve the problem as soon as possible, the network administrator isolated the machine and then checked with the staff of the relevant department one by one whether their machines could get online. The location of the host was finally found. This method requires no tools, but once the user's machine has no network access, the user is not necessarily at the desk and may go off to do other things, which delays the search. Therefore, this approach is not necessarily the best.
A more reliable approach is to combine the methods above with cable tracing using a tone generator and probe: trace the tone along the network cables connected to the various hosts to find the location of the suspicious machine. Because a NIC has a termination resistor, the tone signal from a typical analog tone generator is absorbed or destroyed, whereas the Intellitone network company's intelligent digital tone detector, which uses innovative digital technology, can work in this environment. ES Network Pass can emit a digital tone and works together with the Intellitone probe.
Using the intelligent data detector to find the cable