Re: Okay, here's a GOOD one!

From: Kevin Kawaguchi <ktkawaguchi@ucdavis.edu>
Date: 01/17/06
Message-Id: <5.2.1.1.2.20060117184121.04b58958@noc.ucdavis.edu>

Les,

My first impulse was the fan-out report, but here's what I came up with.

cd /usr/local/inmon/server/state
# cut the agent:port pairs out first and sort those, so uniq -c sees every
# line for one port as adjacent (a numeric sort on the IP field leaves the
# lines for a port scattered and splits its count over several rows)
cut -d: -f2,3 macLocations.txt | sort | uniq -c | sort -r -n | more

This should give you an ordered list with the ports that have the most MAC
addresses at the top.

You can verify by grepping the agent and port from macLocations.txt. I'll
include a sample of what I found on my network. I was concerned that I saw
MAC addresses with 7 in the vendor portion, but thankfully 0007e9 is Intel
per http://standards.ieee.org/regauth/oui/index.shtml

I'm guessing this may help you roughly home in on the multi-MAC ports, but
your mileage may vary. I leave it to the inmon folks for something more
elegant or correct.

Kevin.

========================================================
theoracle.ucdavis.edu$ cat macLocations.txt | sort -t: -k 2,3 -n -r | cut -d: >
      32 10.102.4.4:12
      30 10.103.7.1:24
      26 10.102.4.4:12
     [Snip, Snip]
theoracle.ucdavis.edu$ fgrep 10.102.4.4:12 macLocations.txt | more
0800200E09D9:10.102.4.4:12:1136953590:57
0007E942DCCE:10.102.4.4:12:1136953590:57
0007E941D1BC:10.102.4.4:12:1136953590:57
0007E941D1C6:10.102.4.4:12:1136953590:57
0007E941D1CA:10.102.4.4:12:1136953590:57
0007E941D1CD:10.102.4.4:12:1136953590:57
0007E941D1D2:10.102.4.4:12:1136953590:57
0007E941D1D5:10.102.4.4:12:1136953590:57
0007E941D1DB:10.102.4.4:12:1136953590:57
[Snip, Snip]
========================================================

At 06:29 PM 1/17/2006 -0600, you wrote:
>We're a 2,700 student college. Since Christmas we've been battling
>intermittent network outages, somewhat resembling DoS attacks. About the
>time we thought we'd have the source isolated, the network would return to
>normal.
>
>We finally found what we believe is a potential source of problems. We
>found four, count 'em FOUR separate computers on our network which have
>multiple MAC addresses associated with their port on the switch they're
>connected to. In fact, one student's computer had 3,905 MAC addresses
>alone! The other three computers had fewer MAC's - like 600+ on one
>system and 300+ on another. One lowly CPU had only 67 MAC's.
>
>The digit '7' figures predominantly in the MAC addresses - which for the
>most part don't have a valid Manufacturer portion (the first six
>alpha-numerics) of the MAC.
>
>The computers on our Residential (ResNet) part of our network must have a
>"registered MAC" before they can get into a routable vLan. However, at
>least one of the computers was on our CampusNet - with the faculty, staff
>and about half the classrooms. We think that unit was the bane of our
>sanity.
>
>Has anyone experienced such a phenomenon? Aside from poking into each
>individual switch on TrafficServer, looking at the IP and/or MAC addresses
>associated with a port (which is how we found the multi-MAC-personality
>computers), is there any type of report which can be used to find such
>IP-criminals?
>
>With over 230 switches and wireless AP's, it takes a TON of time to hunt
>and peck for them.
>
>Never seen such a thing before, hope we can get this critter lasso'd.
>
>Les Yaw
>Luther College
>Decorah, IA
Received on Tue Jan 17 19:20:53 2006
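As an added example, not part of Kevin's message or of the inmon software: the
same two steps (rank ports by MAC count, then list what sits on one port) as a
small POSIX shell script that also counts how many distinct OUIs each port's
MACs come from, which is the quickest way to tell a real hub or uplink (a
handful of vendors) from a host spraying made-up addresses (hundreds of vendor
prefixes). It assumes only the five-field layout visible in Kevin's sample,
MAC:agent:ifIndex:timestamp:field5; what the last two fields mean is not stated
on the page, so they are ignored. The input lines are constructed for the
example, not real network data.

```shell
#!/bin/sh
# Added example, not from the original message or from inmon. Ranks the
# agent:ifIndex pairs in a macLocations.txt-style file by distinct MACs and
# reports how many distinct OUIs (first six hex digits) those MACs span.
# Assumed layout: MAC:agent:ifIndex:timestamp:field5 (last two ignored).

# Constructed sample input (not real data). The MAC 0007E941D1CA appears
# twice on 10.102.4.4:12 with different timestamps to show de-duplication,
# and 10.103.7.1:24 carries three MACs from three unrelated OUIs.
sample_data() {
    cat <<'EOF'
0800200E09D9:10.102.4.4:12:1136953590:57
0007E942DCCE:10.102.4.4:12:1136953590:57
0007E941D1BC:10.102.4.4:12:1136953590:57
0007E941D1C6:10.102.4.4:12:1136953590:57
001122334455:10.103.7.1:24:1136953590:57
7A7B7C7D7E7F:10.103.7.1:24:1136953590:57
77777777AAAA:10.103.7.1:24:1136953590:57
0007E941D1CA:10.102.4.4:12:1136953590:58
0007E941D1CA:10.102.4.4:12:1136953600:58
00AABBCCDDEE:10.105.1.9:3:1136953590:57
EOF
}

# rank_ports [MIN] < FILE
# Prints "macs ouis agent:ifIndex", busiest port first, for every port that
# carries at least MIN distinct MACs (default 1).
rank_ports() {
    min=${1:-1}
    # keep MAC:agent:ifIndex only and drop repeat sightings of the same MAC
    # on the same port, so each MAC is counted once per port
    cut -d: -f1-3 | sort -u |
    awk -F: -v min="$min" '
        {
            port = $2 ":" $3
            macs[port]++
            oui = toupper(substr($1, 1, 6))
            if (!((port, oui) in seen)) { seen[port, oui] = 1; ouis[port]++ }
        }
        END {
            for (p in macs)
                if (macs[p] >= min)
                    printf "%6d %4d %s\n", macs[p], ouis[p], p
        }' | sort -rn
}

# macs_on_port AGENT:IFINDEX < FILE
# The verification step: list every distinct MAC recorded on one port.
# Compares the agent and ifIndex fields exactly, so asking for
# 10.102.4.4:12 does not also pull in 10.102.4.4:120 the way a plain
# fgrep of the string would.
macs_on_port() {
    awk -F: -v want="$1" '($2 ":" $3) == want { print $1 }' | sort -u
}

# Usage with the constructed sample; on a real box:
#   rank_ports 50 < /usr/local/inmon/server/state/macLocations.txt
sample_data | rank_ports 2
sample_data | macs_on_port 10.102.4.4:12
```

The threshold argument is what makes this usable across a campus: with the
numbers Les quotes, `rank_ports 50` would surface the four offending ports and
nothing else, and a port whose OUI count is close to its MAC count is the one to
look at first.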

This archive was generated by hypermail 2.1.8 : 01/17/06 PST