SUMMARY: network tools for identifying a mac ADDRESS

From: lombardi emanuele <lele_at_mantegna.casaccia.enea.it>
Date: Tue, 07 Apr 1998 10:32:04 +0200 (MET DST)

Dear gurus,

as you may remember I asked our guru community about the way to
identify which network hardware was wrongly setup to send the following
message across the whole network.

> Mar 9 16:45:37 infos1 vmunix: arp: illegal IP address 255.255.255.255 is used by
> hardware address 08-00-5A-09-69-A7!

I've been lucky: a user went to the netadmin complaining that his
network printer didn't work anymore. It did lose its addresses and
that was the reason of the illegal address. The setup of the printer
stopped my problems.

Here are the answers I got from gurus (I didn't check any of them):


        Jim Belonis <belonis_at_dirac.phys.washington.edu>
If you have 'smart' hubs which talk the SNMP protocol, then you can
probably use software to inquire. If you don't have the software already
running, I would assume you went cheap.

If you have the cheapest dumb hubs, then you can
partition the network with a bridge
and do a time-consuming and inconvenient binary search.
I.e. partition the network, see which side of the bridge the bad machine is on,
then partition the bad side, until you narrow down the location
to the right hub.

Alternatively, you can turn off machines or hubs one by one
(maybe if your network is idle at night ?)
until the message goes away.

It is also possible you can construct an ethernet 'packet of death'
that will kill the machine with that hardware address (if you know it is
a PC running a particular operating system).
Such programs are rife in the hacker community.
Even something like 'spray' on a SunOS machine may be able to overload a PC
by sending huge numbers of large packets to it.

Then just wait for someone to complain about their machine always dying
or being real slow.


        "Richard Eisenman" <eisenman_at_tricity.wsu.edu>
If your machine is setup with SNMP, and the necessary variables are set,
there are a number of software packages that can give you that information.
If you're running switches, you can get the info from them, but it's trial
and error as to which switch is involved. The router's arp table should
show you the subnet it's on.


        Stefan Albert <Albert_at_staedtler.de>
I think you have DEChub 90 or 900. You can obtain MAC addresses from the "backplane" of the
HUB90 via the console,
and from the HUB900 via clearvisn software.
HUB90:
You must know the MAC address of the bridge in your HUB90. If you don't have a bridge in it,
there is no way to obtain MAC infos from HUB90.
        ccr -c SVA-0 -h 08-00-2b-28-d2-a1
where SVA-0 is the circuit - change if needed
where 08-00-2b-28-d2-a1 is the MAC address of our DECbridge90
then type
        SHOW ADDRESS
and you get a list with MAC ADRS connected to each DECrepeater90C.
Then you have the segment (better cable) where this MAC is homed.
I don't know the commands for the TP Repeater - we don't have one.
HUB900:
I think you must walk thru each port and in the details list there is a button for the
inquiry of the addresses.
Of course: In both methods the Node must be up and running, no packets, no detection.
Addition for HUB900 and VNswitch:
In a telnet session or direct on the console port:
        monitor
        prot bridge
        list data all


        "Robert L. McMillin" <rlm_at_syseca-us.com>
If this is happening frequently enough, you can try a binary search by
disconnecting hubs until the message goes away. My guess is that it's a
misconfigured IBM PC running Win95 or NT. We had problems like this too
with a Gateway that thought it was on another network; one of our
routers picked up its ARP broadcasts and started dialing one of our
customers -- in Cleveland. This got expensive, fast. (We're in Los
Angeles, on the Left Coast.) I ended up disconnecting the hubs one at a
time from the company backbone until the problem went away, then I did a
binary search on the hub ports 'til I found the offending machine.


        Chad Price <cprice_at_biocomp.unl.edu>
Can't beat a network Sniffer - hardware, and not cheap, but it tracks it
down and can give you the IP number/name and then you are home free
(assuming that you have a reasonable inventory of what you have).


        "Stuart Davidson" <stuart.davidson_at_eurocontrol.be>
If it's ethernet and you have repeaters you could use hubwatch to
search for the mac address

        "Biggerstaff, Craig T" <Craig.T.Biggerstaff_at_USAHQ.UnitedSpaceAlliance.com>
The arp command only identifies MAC addresses on the subnet to which
your system is connected. So I would expect you can isolate it to one
of the seven subnets that way. If that is not enough, you can probably
connect a terminal to the Cisco router and have it tell you the MAC
address connected to each port.


-- 
 Emanuele Lombardi
 mail:  AMB-GEM-CLIM ENEA Casaccia
        I-00060 S.M. di Galeria (RM) 
        ITALY
 mailto:lele_at_mantegna.casaccia.enea.it
 tel	+39 6 30483366
 fax	+39 6 30483591
Received on Tue Apr 07 1998 - 13:02:28 NZST
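
Added example, not part of the original post or of any reply: a small Python script that pulls the "arp: illegal IP address" kernel message quoted above out of syslog lines and groups the reports by hardware address, giving the address and its first three octets (the manufacturer prefix) to search for in hub, switch or router tables. The first sample line is the message from the post joined onto one line; the other sample lines, the colon-separated unpadded MAC form and all function names are constructed for illustration.

```python
import re

# Matches the kernel message quoted in the post; accepts '-' or ':' separated
# MACs with or without zero padding (the unpadded form is an assumption).
ARP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+\S+:\s+arp:\s+"
    r"illegal IP address\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is used by\s+"
    r"hardware address\s+(?P<mac>[0-9A-Fa-f]{1,2}(?:[-:][0-9A-Fa-f]{1,2}){5})"
)

# Constructed sample input: line 1 is the message from the post, joined.
SAMPLE = [
    "Mar 9 16:45:37 infos1 vmunix: arp: illegal IP address 255.255.255.255 "
    "is used by hardware address 08-00-5A-09-69-A7!",
    "Mar 9 16:47:02 infos2 vmunix: arp: illegal IP address 255.255.255.255 "
    "is used by hardware address 8:0:5a:9:69:a7!",
    "Mar 9 16:50:11 infos1 vmunix: NFS server fs1 not responding still trying",
]

def normalize_mac(mac):
    """Return the MAC as lower-case, zero-padded, colon-separated octets."""
    return ":".join(f"{int(part, 16):02x}" for part in re.split(r"[-:]", mac))

def summarize(lines):
    """Group illegal-address reports by MAC, in order of first appearance."""
    report = {}
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        mac = normalize_mac(m["mac"])
        entry = report.setdefault(mac, {
            "oui": mac[:8],        # manufacturer prefix, first three octets
            "count": 0,
            "claimed_ips": set(),  # IP addresses the sender announced
            "seen_by": set(),      # hosts that logged the complaint
            "first": m["ts"],      # syslog has no year: keep file order
            "last": m["ts"],
        })
        entry["count"] += 1
        entry["claimed_ips"].add(m["ip"])
        entry["seen_by"].add(m["host"])
        entry["last"] = m["ts"]
    return report

if __name__ == "__main__":
    for mac, e in summarize(SAMPLE).items():
        print(mac, e["oui"], e["count"], sorted(e["seen_by"]), e["first"], e["last"])
```

The hosts listed under "seen_by" show which segments the broadcasts reach, which narrows the search before any hub or bridge is unplugged.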
