TheGeekery

The Usual Tech Ramblings

Tracking the Rogue IP Address

Digging up an old post today, I helped my wife figure out why her office A/C system couldn’t be managed properly. Apparently their system connects on a specific IP address, and it wasn’t responding. It was surmised that this was caused by some work I had done fixing one of the other machines a few months ago. But after some quick digging, it turns out it wasn’t. Apparently their “consultant” had a device on the network for VPN, firewall, etc., which had the same address on it. How it got the same address, we don’t know, but here is how we figured it out…

From a server on the network, we pinged the IP address that the A/C system was supposed to use.

C:\> ping 192.168.1.200
Pinging 192.168.1.200 with 32 bytes of data:
Reply from 192.168.1.200: bytes 32 time=1ms TTL=21
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.200:
  Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

This showed us there was a device alive with the address, but it was being bumped off, probably because it was fighting with the A/C unit for the same IP. Next was to figure out what the device was. This required the MAC address of the device. To get that we needed ARP, or Address Resolution Protocol¹. Essentially, because the first part of a MAC address identifies the manufacturer, we can figure out who made the NIC installed in the conflicting device. This can help clue us in to what kind of device is causing the issue. We get the information using the following:

C:\>arp -a

Interface: 192.168.1.2
  Internet Address        Physical Address          Type
  192.168.1.200           00-09-0F-##-##-##   dynamic

Now we have the IP address and the Physical Address, or the MAC address. Okay, those numbers don’t mean a whole bunch to some people, but the IEEE (Institute of Electrical and Electronics Engineers) keeps a register of who owns which MAC address prefix.

Using the IEEE search page we entered the first 3 octets (the ones above not masked with ##). This came back as registered to Fortinet Inc. A quick look up, and we saw a FortiGate device, which is made by Fortinet: an appliance that does VPN, firewall, spam filtering, web filtering, and all types of other fun stuff.
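To turn the ping / arp / OUI steps above into a repeatable check, here is an added example (my own, not from the original post) that parses Windows `arp -a` output, looks the prefix up in a small offline OUI table, and flags an IP whose MAC flips between two ARP snapshots, which is exactly the symptom of the conflict described. The ARP output and the non-Fortinet MAC are constructed sample data; the Fortinet prefix is the one the post resolved on the IEEE register.

```python
import re

# Constructed OUI table for this example. The Fortinet prefix is the one resolved
# in the post; a real check would consult the full IEEE register instead.
OUI_TABLE = {
    "00:09:0F": "Fortinet Inc.",
}

# Matches the entry rows of Windows `arp -a` (also tolerates ':' separators).
ARP_LINE = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})[ \t]+(\w+)",
    re.M,
)

# Constructed snapshots: first the consultant's appliance answers, later the A/C unit does.
ARP_SNAPSHOT_1 = """Interface: 192.168.1.2
  Internet Address        Physical Address          Type
  192.168.1.200           00-09-0F-AA-BB-CC   dynamic
"""
ARP_SNAPSHOT_2 = """Interface: 192.168.1.2
  Internet Address        Physical Address          Type
  192.168.1.200           00-11-22-33-44-55   dynamic
"""


def parse_arp(output):
    """Return {ip: MAC} with MACs normalized to upper-case, colon-separated form."""
    return {ip: mac.upper().replace("-", ":") for ip, mac, _ in ARP_LINE.findall(output)}


def oui_vendor(mac):
    """Vendor for the first three octets of a normalized MAC, or a hint to look it up."""
    return OUI_TABLE.get(mac[:8], "unknown (look up on the IEEE register)")


def mac_changes(snapshots):
    """Given ARP caches taken over time, list (ip, old_mac, new_mac) for IPs whose MAC
    changed. One IP answering from two MACs is the signature of a duplicate address."""
    last_seen, flips = {}, []
    for snap in snapshots:
        for ip, mac in snap.items():
            if ip in last_seen and last_seen[ip] != mac:
                flips.append((ip, last_seen[ip], mac))
            last_seen[ip] = mac
    return flips


if __name__ == "__main__":
    for ip, old, new in mac_changes([parse_arp(ARP_SNAPSHOT_1), parse_arp(ARP_SNAPSHOT_2)]):
        print(f"{ip}: {old} ({oui_vendor(old)}) -> {new} ({oui_vendor(new)})")
```

Running the two captures through `mac_changes` prints the one conflicting IP with both vendors, which is the same conclusion the manual lookup reached.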

This isn’t the only way, either. There are other ways too, especially if you have access to the switches and they give you handy commands like Cisco’s do, which let you trace the MAC address down to the switch port it is plugged into.

Now the wife has to get in touch with the “consultant” to figure out why it’s using that IP address, and how to correct it.


  1. More details on ARP can be found [here][2], as I won’t go into the boring details of ARP.