Finding the root cause of an IP address conflict

Source: Internet
Author: User

Recently, the company has been seeing IP address conflicts (IP addresses here are assigned manually, and IP-MAC bindings are configured on the router). Someone from the XX department came to me directly, saying that his IP address was in conflict and that he could not log on to the internal servers or the communication tool RTX, although he could still access the internet. I went to his host and found, in the system log, the MAC address that the conflicting IP address corresponded to: 002.16c.29.fc.fc.15, whereas the MAC address of his host's NIC is 48.5b.39.35.33.42. The conflicting IP address is 192.168.0.148. To view the system log:

Right-click "My Computer" and choose "Manage", then find "Event Viewer" and click "System".

 


First, he has to be able to get back to work. I went to the RTX server and to their department's server and mapped his IP address to his MAC address there. Isn't that mapping normally learned dynamically? I designate it statically instead, so the server does not need to send an ARP request to resolve the MAC address. The command is:

"arp -s 192.168.0.148 48-5b-39-35-33-42"

OK, he can work now, but my job is not finished yet: I still have to find the host whose IP address was changed to this one. First, looking up the MAC address 002.16c.29.fc.fc.15 shows that it belongs to a virtual machine. This is very troublesome: it may really be a virtual machine, or it may be a forged MAC address. But since other hosts are not affected, it is not an ARP spoofing problem. Open Wireshark and enter the display filter "eth.addr eq 0020.c.29.fc.fc.15"

 


Sure enough, the host is still responding to ARP requests. The result of nbtstat -a 192.168.0.148 also still shows 002.16c.29.fc.fc.15. Looking at the captured packets, I strongly suspect that it is actually acting as a DHCP server: it does appear to be assigning an IP address to a host. (Of course, this host is very suspicious.)

 


Of course, I can't locate this virtual machine directly, because the company's switches are all unmanaged ("dumb") switches, so I cannot find the source interface through the mac-address-table. If the device supports viewing the MAC address table, it is easy to find the machine whose IP address was changed. Here is how that would work, hypothetically:

1. A switch has three major functions: receiving and forwarding frames, loop prevention, and address learning. Here we use frame receiving and forwarding together with address learning. When the switch receives a frame sent from a host, it puts the source MAC address and the receiving interface into the mac-address-table (of course, a static entry is not learned), then checks the destination MAC address. If the MAC address table has no entry for that address, the switch floods the frame. So we can easily see which interface the problematic MAC is received on.

2. Once you know which interface it is received on, you can shut that interface down directly.

3. Wait for the person to come looking for you.

Someone may ask: what if the MAC address is forged, does not exist, or changes frequently? That is actually very easy. You just need to check whether the MAC addresses learned on that interface change. For example, a host has one MAC address. If one interface corresponds to multiple MAC addresses, either the interface is in trunk mode or someone has privately attached a device to it. If there is no privately attached device, you should know the result.
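The lookup in steps 1 to 3 and the multiple-MAC check, as an added example that is not part of the original post: it parses a constructed table in the style of Cisco IOS "show mac address-table" output, finds the port that learned a given MAC, and lists non-trunk ports that learned more than one address. Apart from the user's NIC address 48.5b.39.35.33.42, every address, the port names and the trunks parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Cisco IOS "show mac address-table" output.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    485b.3935.3342    DYNAMIC     Fa0/3
   1    0200.00aa.bbcc    DYNAMIC     Fa0/7
   1    0200.00aa.bb01    DYNAMIC     Fa0/7
   1    0011.2233.4455    STATIC      Fa0/1
   1    0200.00cc.0001    DYNAMIC     Gi0/1
   1    0200.00cc.0002    DYNAMIC     Gi0/1
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:\-]+)\s+(\w+)\s+(\S+)\s*$")

def norm_mac(mac):
    """Reduce dotted, colon or hyphen MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Yield (vlan, mac, entry_type, port) for each data row; skip headers."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), norm_mac(m.group(2)), m.group(3).upper(), m.group(4)

def port_of(text, mac):
    """Return the ports on which the switch learned the given MAC."""
    target = norm_mac(mac)
    return sorted({p for _, m, _, p in parse_table(text) if m == target})

def crowded_ports(text, trunks=()):
    """Non-trunk ports that learned more than one dynamic MAC address."""
    seen = defaultdict(set)
    for _, mac, kind, port in parse_table(text):
        if kind == "DYNAMIC" and port not in trunks:
            seen[port].add(mac)
    return {p: sorted(m) for p, m in seen.items() if len(m) > 1}

if __name__ == "__main__":
    print(port_of(SAMPLE_TABLE, "02-00-00-AA-BB-CC"))        # constructed MAC
    print(crowded_ports(SAMPLE_TABLE, trunks={"Gi0/1"}))
```

Running the second check repeatedly and comparing the results shows whether the addresses learned on a port change over time, which is the forged or rotating MAC case described above.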

 

This article is from the "Chao Hua Xi" blog. For more information, please contact the author!
