LinuxQuestions.org


ivanatora 04-28-2005 06:29 AM

Discovering unknown host
 
The situation is as follows. Small network, all PCs have fixed private IPs. For a couple of days I have seen a strange IP showing up in the server logs as doing port scans. Its number is from our own network, but it isn't assigned to any of the machines. How can I track down this host? Getting its MAC address would be enough at that stage (I want to verify whether that's a completely new host, or an existing one with a changed IP). I tried to figure it out with /sbin/arp -na, but its MAC address is already flushed out of the table. Anyone have another idea?

acid_kewpie 04-28-2005 08:00 AM

I'd suggest using a cron job, or watch, to capture the arp tables all the time. If it's just a crude one-off solution, I'd save them every 10 minutes to a dated file. Easy.

ivanatora 04-28-2005 12:22 PM

10 minutes... but if the arp cache is flushing more often than every 10 minutes I won't be able to capture it. What defines the arp cache flushing frequency?

acid_kewpie 04-28-2005 02:19 PM

I've not a clue to be honest. This is where watch might be more handy, to save flooding out hundreds of identical files. Or every minute save the output, diff it with the previous one, and append all changes to a single file. Then replace the old one with the new one... all depends how long term this is and how much an "elegant" solution really matters.
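A cron-driven version of the snapshot-and-diff approach described above, as an added example that is not part of the thread. It assumes net-tools `arp -na` output of the form `? (ip) at mac [ether] on iface`, a hypothetical state directory /var/tmp/arp-log, and a per-minute cron entry; only the lines that appeared or vanished since the last snapshot are logged, so the MAC of an unknown IP is captured even if the kernel flushes it again before the next tick.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the ARP table, diff it against the
# previous snapshot, and append only the changes (with a timestamp) to one log.
# Cron entry (hypothetical path):  * * * * * /usr/local/bin/arp-changes.sh run
set -eu

# Hypothetical state directory; override with ARP_STATE_DIR=... if needed.
STATE_DIR="${ARP_STATE_DIR:-/var/tmp/arp-log}"

# Reduce net-tools "arp -na" output ("? (192.168.0.5) at 00:11:22:33:44:55 [ether] on eth0")
# to sorted "ip mac" pairs; incomplete entries carry no MAC and are dropped.
normalize_arp() {
    awk '$2 ~ /^[(]/ {
        ip = $2; gsub(/[()]/, "", ip); mac = $4
        if (mac != "<incomplete>") print ip, mac
    }' | sort -u
}

# Print lines that disappeared ("- ip mac") or appeared ("+ ip mac") between two
# sorted snapshot files. A "+" line for an unassigned IP is the MAC the poster wants.
diff_snapshots() {
    # comm -3 prints old-only lines in column 1 and new-only lines after a tab
    comm -3 "$1" "$2" | awk -F'\t' '{ if ($1 != "") print "-", $1; else print "+", $2 }'
}

# One cron tick: take a fresh snapshot, log the delta, rotate the snapshot.
record_changes() {
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/current"
    [ -f "$cur" ] || : > "$cur"
    /sbin/arp -na | normalize_arp > "$cur.new"
    changes=$(diff_snapshots "$cur" "$cur.new")
    if [ -n "$changes" ]; then
        ts=$(date '+%Y-%m-%d %H:%M:%S')
        printf '%s\n' "$changes" | sed "s/^/$ts /" >> "$STATE_DIR/changes.log"
    fi
    mv "$cur.new" "$cur"
}

# Only touch the live ARP table when invoked with "run", so the functions can be
# sourced and exercised on captured output without root or a network.
if [ "${1:-}" = "run" ]; then
    record_changes
fi
```

The change log then reads `2005-04-28 12:23:00 + 192.168.0.77 de:ad:be:ef:00:01` for a newly seen host, which can be matched against the MACs of the known machines to tell a new box from an existing one that changed its IP.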

