LinuxQuestions.org > Forums > Linux Forums > Linux - Security
04-28-2005, 07:29 AM   #1
ivanatora

Discovering unknown host

The situation is as follows. Small network, all PCs have fixed private IPs. For a couple of days I have been seeing a strange IP showing up in the server logs as doing port scans. Its number is from our own network, but it isn't assigned to any of the machines. How can I track down this host? Getting its MAC address would be enough at this stage (I want to verify whether it's a completely new host, or an existing one with a changed IP). I tried to figure it out with /sbin/arp -na, but its MAC address has already been flushed out of the table. Does anyone have another idea?
 
04-28-2005, 09:00 AM   #2
acid_kewpie (Moderator)

I'd suggest using a cron job, or watch, to capture the ARP tables all the time. If it's just a crude one-off solution, I'd save them every 10 minutes to a dated file. Easy.
 
04-28-2005, 01:22 PM   #3
ivanatora (Original Poster)

10 minutes... but if the ARP cache is flushed more often than every 10 minutes, I won't be able to capture it. What determines the ARP cache flushing frequency?
 
04-28-2005, 03:19 PM   #4
acid_kewpie (Moderator)

I've not a clue, to be honest. This is where watch might be more handy, to save flooding out hundreds of identical files. Or, every minute, save the output, diff it with the previous one, and append all changes to a single file, then replace the old one with the new one... It all depends on how long-term this is and how much an "elegant" solution really matters.
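The "save every minute, diff against the previous snapshot, append the changes to one file" loop described in the reply above, written out as an added example (it is not code from the thread or from either poster). It reads the kernel neighbour table directly from /proc/net/arp on Linux instead of parsing the output of /sbin/arp, so it needs no arp binary, only POSIX sh, awk, sort, comm and date. STATE_DIR, LOG, the snapshot file names and the function names are this example's own choices; the answer to the original question is then one lookup of the log for the mystery IP, which shows every MAC address the kernel ever learned for it.

```shell
#!/bin/sh
# Added example, not from the thread: poll the Linux ARP/neighbour table,
# keep only the entries that are new since the previous poll, and append
# them with a UTC timestamp to a single log file. A host whose entry is
# flushed from the cache after a minute is still recorded if it was present
# during at least one poll.
#
# Assumptions: Linux (/proc/net/arp), POSIX sh, awk/sort/comm/date present.
# STATE_DIR, LOG and all function names are this example's own choices.

STATE_DIR="${STATE_DIR:-/var/tmp/arp-poll}"
LOG="${LOG:-$STATE_DIR/arp-changes.log}"

# Normalise one ARP snapshot to "IP HWaddr iface": skip the header line and
# incomplete entries (Flags 0x0, address 00:00:00:00:00:00), then sort so
# that comm(1) can compare two snapshots line by line.
normalize_arp() {
    awk 'NR > 1 && $3 != "0x0" { print $1, $4, $6 }' "$1" | sort
}

# Print lines present in NEW (2nd arg) but not in OLD (1st arg): a new IP,
# or a known IP that now maps to a different MAC.
arp_new_entries() {
    comm -13 "$1" "$2"
}

# One polling round: snapshot, diff against the previous snapshot, append
# additions to LOG, rotate the snapshot. Prints the number of new entries.
# Optional 1st arg overrides the source file (used for offline testing).
arp_poll_once() {
    src="${1:-/proc/net/arp}"
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/prev.txt"
    cur="$STATE_DIR/cur.txt"
    [ -f "$prev" ] || : > "$prev"
    normalize_arp "$src" > "$cur"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    arp_new_entries "$prev" "$cur" | while read -r ip mac dev; do
        printf '%s %s %s %s\n' "$stamp" "$ip" "$mac" "$dev" >> "$LOG"
    done
    count=$(arp_new_entries "$prev" "$cur" | wc -l | tr -d ' ')
    mv "$cur" "$prev"
    echo "$count"
}

# Every MAC ever logged for one IP: "arp_history_for_ip LOGFILE 192.168.0.99".
# Two different MACs for the same IP means two different hosts used it.
arp_history_for_ip() {
    awk -v ip="$2" '$2 == ip' "$1"
}

# Run this from cron, or as a loop while the mystery host is active:
#   while :; do arp_poll_once >/dev/null; sleep 60; done
```

Two practical notes. On Linux the cache lifetime the thread asks about is set per interface under /proc/sys/net/ipv4/neigh/<iface>/: a confirmed entry is trusted for base_reachable_time_ms (default 30000 ms, randomised between half and one and a half times that) before the kernel re-probes it, and an entry that has gone stale is garbage-collected after gc_stale_time (default 60 s), so polling every 60 s is the safe interval, and 10 minutes can indeed miss a short scan. Second, the cache only holds hosts the server itself has exchanged traffic with; if you would rather not depend on it, capturing ARP frames with tcpdump ("tcpdump -ni eth0 arp") shows the sender hardware address of every request and reply on the segment, and the MAC you get either way is the last layer-2 hop, which is the scanning host only if it really sits on the same segment rather than behind a router.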