On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:
or use a tool like arpwatch that is specifically designed to let you know when MAC/IP relationships change on your network.
You don't even need to do that - any router on the network is going to log
the MAC address because they will see the arp change, as will the other
servers.
yeah, of course they'll see the change. but what will they do about it? update their internal ARP table and that's about it, unless they're smart enough (and correctly configured) to do more. arpwatch is simple to install and will notify you straight away when things happen that might need your attention.
you log the MAC addresses of all the fixed workstations in the school, then when one of them starts doing the wrong thing you know *exactly* where to go to nab the culprit.
How, exactly? Do you think that he has a list of all MAC addresses on the
network and who is using them?
the educational institutions I've worked in tend to be pretty anal about having a database of what computers they own and where they're located - something to do with stopping people from walking off with their assets. if your vendor is good they'll provide the machine MAC address along with the serial number and amount of installed RAM. if not then there's some walking to do. spend half a day and document the fixed machines on the network.
Getting the MAC address is not the problem. Finding it on what is
essentially
a completely flat network is. You need managed switches for this so you can
see what port the offending MAC address is on.
now you're assuming that there's documentation as to what ports come out at what wall points, and that there's not still a lab full of dead-ass old machines sitting on 10Base2.
If it's not one of the fixed workstations then you've got a bit more work to find the kiddie, but it's nothing insurmountable.
Unless of course the kiddies are using made up MAC addresses like BADBEEF, DEADBEEF, CO1DCOED, and such.
I'm assuming here, having worked in uni computer labs and seen this sort of crud being done, that what's happening is someone is changing the network settings on a PC... I don't recall seeing a text field next to the "enter your IP address" box that says "enter your MAC address"...
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
