Interesting. I experienced a situation recently where a device was
experiencing network problems. Realised it was probably a duplicate IP.
Used the interface traffic query to see multiple MACs active
simultaneously for the same IP. Turned out that NAT had been enabled on
a router for an existing IP, effectively stealing that address :-)

Two reports/events would be useful:
1. Multiple MAC for same IP.
2. Multiple IP for same MAC.

This would allow detection of duplicate IP and also the appearance of a
possibly new router.
It would be great if it was tied into the event stuff, as opposed to
being a static/daily report.
Tim:>
--- neil mckee <neil.mckee@inmon.com> wrote:
> Les,
>
> This report has not been put together yet, no.
>
> It's a little tricky because you have to ignore all the MAC addresses
> that belong to interfaces that are routing, since the same IP
> addresses will often appear over those MAC addresses quite
> legitimately. Fortunately the traffic server maintains a list of
> MAC addresses that appear to be acting as routers, and stores them in
> the file /usr/local/inmon/server/state/routers.txt. These are the
> ones that are ignored when it is constructing the address-mappings
> (see addressMap.txt in the same directory). A script could read
> these router MAC addresses in and use them as a filter...
>
> To get the raw data feed of which IP addresses are currently
> appearing over which MAC addresses you could either:
>
> 1. use Server->Forwarding to copy all the sFlow to another UDP port
> (e.g. 7343) and then run "sflowtool -l -p 7343", or
> 2. make a query to the minute-by-minute database in traffic server
>
> If your script can keep up with the raw feed from "sflowtool -l" then
> I think that would be ideal, because it will be down to 1-second
> time granularity.
>
> If the script cannot keep up then you could adapt a query script like
> this one to get the raw data in a manageable format:
> http://www.inmon.com/sample_scripts/duplicateIP.pl
>
> For another approach, you could make an analysis of the
> addressMap.txt file to throw up a list of possible candidate
> duplicate IPs. That should narrow it down a lot. Then you could
> filter on those to see if any of them are flipping back and forth.
>
> Sorry there's no shrink-wrapped solution. We should really add this
> to the product.
>
> regards,
> neil
>
> ----
> Neil McKee
> InMon Corp.
> http://www.inmon.com
>
Received on Fri Sep 30 06:15:17 2005
This archive was generated by hypermail 2.1.8 : 09/30/05 PDT
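
The two reports requested in this thread, with the router-MAC filter from the quoted reply, as an added example that is not code from either poster or from InMon. It assumes the source MAC and source IP sit at columns 4 and 9 of a comma-separated "sflowtool -l" FLOW line and that the router MACs have already been read from routers.txt (whose format the thread does not give); the sample records are constructed.

```python
from collections import defaultdict

# Assumed column positions of source MAC and source IP in a
# comma-separated "sflowtool -l" FLOW line; verify for your version.
SRC_MAC, SRC_IP = 4, 9

def norm_mac(mac):
    return mac.replace(":", "").replace("-", "").lower()

def analyze(lines, router_macs, min_flips=2):
    """Return (duplicate IPs, MACs sourcing several IPs), routers excluded."""
    routers = {norm_mac(m) for m in router_macs}
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    last_mac, flips = {}, defaultdict(int)
    for line in lines:
        f = line.strip().split(",")
        if f[0] != "FLOW" or len(f) <= SRC_IP:
            continue
        mac, ip = norm_mac(f[SRC_MAC]), f[SRC_IP]
        # Routing interfaces legitimately source many IPs; skip them,
        # along with non-IP frames and the unspecified address.
        if mac in routers or ip in ("", "-", "0.0.0.0"):
            continue
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
        if last_mac.get(ip, mac) != mac:
            flips[ip] += 1  # the IP moved to a different MAC
        last_mac[ip] = mac
    # One change of MAC can be a replaced NIC; repeated flipping means
    # two stations are using the address at the same time.
    dup_ips = {ip: sorted(m) for ip, m in macs_by_ip.items()
               if len(m) > 1 and flips[ip] >= min_flips}
    multi_ip = {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) > 1}
    return dup_ips, multi_ip

def flow_line(mac, ip):
    # Constructed sample record, not captured traffic.
    return f"FLOW,10.0.0.254,1,2,{mac},00aabbccdd01,0x0800,1,1,{ip},10.0.0.9,6,0x00,64,1025,80,0x18,128,110,512"

ROUTER_MACS = ["00:aa:bb:cc:dd:ee"]  # stands in for the contents of routers.txt
SAMPLE = [flow_line(m, i) for m, i in [
    ("001122334455", "10.0.0.5"), ("0050c2000001", "10.0.0.5"),
    ("001122334455", "10.0.0.5"), ("0050c2000001", "10.0.0.5"),
    ("00aabbccddee", "192.168.1.7"), ("00aabbccddee", "172.16.0.3"),
    ("0050c2000002", "10.0.1.20"), ("0050c2000002", "10.0.1.21"),
    ("001122334466", "10.0.0.7"), ("001122334477", "10.0.0.7"),
]]

if __name__ == "__main__":
    dup, multi = analyze(SAMPLE, ROUTER_MACS)
    print("duplicate IPs:", dup)
    print("MACs with several IPs:", multi)
```

For a live feed, pass the lines read from the output of "sflowtool -l -p 7343" to `analyze` in batches and raise an event whenever either result is non-empty.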