Re: [Hampshire] [OT] Track down a user by IP address

Author: Hugo Mills
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] [OT] Track down a user by IP address

On Tue, Oct 02, 2007 at 12:07:19PM +0100, Tim wrote:
> I need some help tracking down a user on our network at work. I know the
> current IP address (when I block it they change it) and I know the PC name,
> but apart from that I have not been able to find out much else.
>
> The reason I want to know who it is, is due to excessive bandwidth usage of
> the internet connection (read 1GB a day). It's a Windows network
> unfortunately. I think I know who it is but I need to prove it. A quiet
> warning won't work as he already had a verbal warning.
>
> Can anybody with more experience help me track this user down?


If you think you know who it is, and merely need to verify the
identity of the box he's using, you can probably find out their MAC
address by plugging a Linux machine into their network segment,
pinging their machine, and examining the ARP table on the Linux box.
This will give you a MAC to IP mapping, and you can then seize their
hardware and look at the MAC, at which point you have them.

Failing that, you should be able to use something like
Wireshark or tcpdump[1] (there's a tcpdump for Windows, if you need to
use it) to grab some of the offending traffic. This will have the MAC
address in it, with which you can confirm the identity of the machine
in question.

If this person has a machine plugged into some random network port,
and you don't physically know where they are, then you'll need to get
into the monitoring facilities of your switches to find which port
that MAC address is connected to, and then trace cables. If you're
using unmanaged switches, then ping to the machine, and trial
unplugging of network ports for a few seconds at a time will have to
do.

Hugo.

[1] Note that intercepting traffic using tcpdump *may* be a problem
with respect to the RIP and/or Computer Misuse acts. You should check
that at minimum the company's rules on monitoring the network allow
you, as a sysadmin, to intercept network traffic without first
informing the user that you are doing so. I am not a lawyer, this
doesn't constitute legal advice, etc, etc, etc...

--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Startle, startle, little twink. How I wonder what you think. ---
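A small helper for the ping-then-read-the-ARP-table step Hugo describes, added here as an example and not part of the original thread. It assumes a Linux box with iproute2 (`ip neigh`) on the same segment, and the target address 192.168.1.20 is a constructed value; the parser is tested against a constructed sample of `ip -4 neigh show` output.

```shell
#!/bin/sh
# Map an IPv4 address on the local segment to the MAC that answered for it:
# ping once to force an ARP exchange, then read the neighbour cache back.

# Parse `ip -4 neigh show` output (passed in as a string) and print the MAC
# recorded for the given IP. Returns 1 when the entry is missing, FAILED or
# INCOMPLETE, i.e. the host never answered ARP and no MAC is known.
mac_from_neigh() {
    target="$1"; neigh="$2"
    printf '%s\n' "$neigh" | awk -v ip="$target" '
        $1 == ip {
            for (i = 2; i <= NF; i++)
                if ($i == "lladdr") { print $(i + 1); found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Live lookup on the Linux box plugged into the segment (not run here):
# one ping populates the cache, then the cache is consulted for that address.
lookup_mac() {
    target="$1"
    ping -c 1 -W 1 "$target" >/dev/null 2>&1
    mac_from_neigh "$target" "$(ip -4 neigh show to "$target")"
}

# Constructed sample of `ip -4 neigh show` output used to exercise the parser.
# The FAILED line shows the edge case: no lladdr, so no MAC can be reported.
SAMPLE_NEIGH='192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.21 dev eth0 FAILED
192.168.1.22 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE'

# Usage on a live segment: lookup_mac 192.168.1.20
# To confirm the same MAC from captured traffic, tcpdump's -e flag prints the
# link-layer header:  tcpdump -e -n host 192.168.1.20
```

If `lookup_mac` returns 1 after the ping, the host did not answer ARP (wrong segment, a firewall, or a VLAN boundary), so move the Linux box or fall back to the switch's MAC address table as the reply suggests.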