Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: IP Duplicate Addresses
From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Date: Sun, 31 Mar 1996 21:53:39 -0500 (EST)
To: Adam Safier <asafier @ explorer . csc . com>
Cc: Lachlan Mann <docloc @ msn . com>, firewalls @ GreatCircle . COM
In-reply-to: <m0u2nlX-001AgvC @ csc . com>

> If you have RS/6000's you can do a fast ping from root:
> - ping -f x.x.x.x.  

Ouch! Guess this works as a last resort - kinda high-impact.


If you have a protocol analyzer (even an inexpensive one, like 
LanAlyzer), you may be able to locate which hub the offender is on by 
moving the sniffer around and watching for the MAC address to change. 
(You may also be able to obtain the offending MAC address from a router's 
or host's arp cache)

If you are sniffing, you may be able to pick up the user name just by 
watching the traffic.

You may also be able to determine the user name through other systems
once you have the MAC address:

Narrow down your hunt by determining the manufacturer of the interface 
used by the offending system. This doesn't work if most of your systems 
use the same NICs. Sometimes you can get lucky this way, though 
(Nerd-o-dyne?? must be those lusers in the engineering lab again ...)
There's a list of assigned MAC address ranges at:
http://www.cavebear.com/CaveBear/ether-codes.html

Novell Netware makes it easy to track down a user based on MAC address. 
Do a userlist /a > yourfile, then search yourfile for the MAC address, 
and get the goober's name. Call them up and find out where they are. If 
they configured their own IP address, this also makes it easier to shoot 
them.

NETBIOS sends name registrations (anyone know how to query the NETBIOS 
name of a connection to an NT box?? Russ ??) which will give up a username. 

Also - 
On UNIX hosts: If the user is using telnet,
Use the sniffer to find out which port number >1023 is being used for 
return of telnet packets.
Run netstat to find out the machine name the offender is connecting from. 
Run who, locate the machine name, and find the user name connecting from 
the machine name. Call them up, hunt them down, shoot them. If you're 
having a really bad day, keep killing their processes, and wait for them 
to call you. This is kinda like shooting over bait, though.

 
> 
> better ideas:  
> - If you have a router between buildings filter on that IP address only.
>
Um, maybe. If the IP addresses are the same, both the legit and offender 
will be on the same segment, and both will be shut down. This might 
result in the offender calling someone for help. OTOH, it might result in 
the offender switching to another IP address ... (Dammit, that's the 
third time this week. Guess I'll try another number again ...  Ping, ping 
ping ... ahah - here's one nobody's using ...) AAARRGGHHH!!
 
> - Sniff the MAC address then block it at hubs at different points - you can
> even trace it down to an individual hub that way - divide and ping.
> 
> - Turn off the legitimate node and do a traceroute and finger.
>

Finger generally won't find PCs, however, as most PC IP stacks don't 
respond to finger. 

> SickPuppy deserves a pat.
He might need one. I hear the dog-catchers are after his doggy butt ...
Maybe he sniffed the wrong crotch or pooped in the wrong yard ...

Later, dudes.

- r.w.
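The ARP-cache and MAC-vendor approach described in the post above, as an added example that is not from the original thread: a small Python script that takes sender IP/MAC pairs (as a sniffer or a router's arp cache would show them), flags any IP claimed by more than one MAC, and names the NIC vendor from a small OUI table. The OUI table and the ARP records are constructed for illustration; a real lookup would use the full assigned-prefix list the post links to.

```python
# Added example (not from the original thread): detect duplicate-IP
# conflicts from ARP records and identify the NIC vendor by OUI prefix.
from collections import defaultdict

# Constructed OUI table (first three octets -> vendor), illustration only.
OUI_TABLE = {
    "00:00:0c": "Cisco",
    "08:00:20": "Sun Microsystems",
    "00:a0:c9": "Intel",
}

# Constructed sample of ARP replies as a sniffer might summarise them:
# (sender IP, sender MAC). Two different MACs claim 10.1.2.3.
SAMPLE_ARP = [
    ("10.1.2.3", "08:00:20:aa:bb:cc"),
    ("10.1.2.7", "00:00:0c:11:22:33"),
    ("10.1.2.3", "00:a0:c9:dd:ee:ff"),
    ("10.1.2.3", "08:00:20:AA:BB:CC"),   # same NIC, different case
]

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded so '8-0-20-AA-BB-CC' matches."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)

def vendor_of(mac):
    """Vendor name for the MAC's 24-bit OUI prefix, or 'unknown'."""
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown")

def find_conflicts(arp_records):
    """Map each IP to the set of MACs claiming it; keep only IPs with >1 MAC."""
    claims = defaultdict(set)
    for ip, mac in arp_records:
        claims[ip].add(normalize_mac(mac))
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def describe_conflicts(arp_records):
    """One report line per (IP, MAC, vendor) involved in a conflict."""
    lines = []
    for ip, macs in sorted(find_conflicts(arp_records).items()):
        for mac in macs:
            lines.append("%s claimed by %s (%s)" % (ip, mac, vendor_of(mac)))
    return lines

if __name__ == "__main__":
    print("\n".join(describe_conflicts(SAMPLE_ARP)))
```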

