Quickly find an infected computer on a local area network

Source: Internet
Author: User
Tags: log, firewall

On a LAN, users often get disconnected from the network for no apparent reason, and checking their own computer reveals nothing. In most cases the cause is that a computer on the LAN is infected with an ARP-type virus. Once that happens, running antivirus on the computers one by one is obviously time-consuming and laborious when there are many machines. Here are three tricks for quickly finding the "cancer" in the local area network.

Tip: ARP is the abbreviation of Address Resolution Protocol. ARP is responsible for converting a computer's IP address to the corresponding physical address, that is, the MAC address of the NIC. When ARP spoofing occurs, the affected hosts receive wrong data, which causes the network to break down.

First, view the firewall log

When a computer on the LAN is infected with an ARP-type virus, the firewall log can generally be used to make an initial determination of which host is infected.

The typical feature of an infected machine is that it sends out a large number of packets. If the log shows a large number of packets from the same IP address, that machine is probably infected.

Taking the Nokia IP40 firewall as an example: log in to the firewall management interface and view the log entries. Under the "Event log" tab you can clearly see that one machine on the intranet constantly has packets blocked by the firewall, at very short intervals. The destination address is the external IP address of the company's Web server. The Web server was given special protection when the filtering policy was set, so the entries are all marked in red (Figure 1).

Figure 1

The packets sent to the Web server were intercepted, but what about the packets that were not? They naturally reach their destination, and the destination host then gets disconnected.
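The heuristic described above (many blocked packets from one internal IP address, at very short intervals) can be applied to an exported log with a script. The following Python is an added example, not part of the original article; the log line layout, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The "date time action src dst" layout is an
# assumption, not the Nokia IP40 export format.
SAMPLE_LOG = """\
2024-01-10 09:00:00 BLOCK 192.168.1.23 203.0.113.10
2024-01-10 09:00:01 BLOCK 192.168.1.23 203.0.113.10
2024-01-10 09:00:02 BLOCK 192.168.1.23 203.0.113.10
2024-01-10 09:00:03 BLOCK 192.168.1.23 203.0.113.10
2024-01-10 09:00:04 BLOCK 192.168.1.23 203.0.113.10
2024-01-10 09:00:00 BLOCK 192.168.1.51 203.0.113.10
2024-01-10 09:10:00 BLOCK 192.168.1.51 203.0.113.10
2024-01-10 09:20:00 BLOCK 192.168.1.51 203.0.113.10
2024-01-10 09:30:00 BLOCK 192.168.1.51 203.0.113.10
2024-01-10 09:40:00 BLOCK 192.168.1.51 203.0.113.10
2024-01-10 09:00:02 ALLOW 192.168.1.40 203.0.113.10
truncated log line
"""

def parse(lines):
    """Yield (timestamp, source_ip) for each blocked-packet entry."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "BLOCK":
            continue  # skip blank, malformed and non-block lines
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        yield ts, parts[3]

def suspects(lines, min_hits=5, max_gap_s=2.0):
    """Return {src_ip: (hits, median_gap_s)} for frequent, rapid senders."""
    seen = defaultdict(list)
    for ts, src in parse(lines):
        seen[src].append(ts)
    flagged = {}
    for src, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few blocked packets to judge
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2]  # upper median of inter-packet gaps
        if median <= max_gap_s:
            flagged[src] = (len(stamps), median)
    return flagged

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG.splitlines()))
```

A host that is blocked just as often but at ten-minute intervals is not flagged, which keeps ordinary policy violations apart from the constant stream the article describes.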

Because the internal network uses a DHCP server, knowing only the IP address is not enough; you must know the corresponding MAC address to find the source of the virus. We can use nbtscan to find the MAC address that corresponds to the IP address. If you know the MAC address, you can also use nbtscan to get the IP address (Figure 2).

Figure 2

This shows that the firewall log can sometimes be a real help.

Tip: If you don't have a professional firewall, you can see similar alerts by installing a software product such as the Skynet firewall directly on a client computer.
