RogueNodes


Rogue nodes, ARP, MAC, ICMP and SIGSPY

With many laptops, you must set the file system type to LBA in BIOS to get Linux to work. Even some desktops require it. YMMV

> We have an interesting problem that appeared a couple of days ago.
> I noticed that the ICMP traffic was getting a little high so I built a
> RAM disk and installed iptraf to see what was going on.
> After running up iptraf I could see that someone had assigned themselves a
> static IP and appeared to be pinging the network pretty hard. I'm not
> going to rule out the possibility that they are infected with a virus
> but the simple fact is they have chewed through a fair whack of bandwidth.

> On doing an ARP I found their MAC address and did a sigspy so as to
> estimate where they may have been, but was not really able to get a very
> good idea. It then occurred to me that SIGSPY is a passive signal level scanner
> and I was wondering if it would be possible to set up a separate machine
> and use sigspy to triangulate the location of the offending system. I had
> tried to install Knoppix on my system but for some reason my laptop
> fails to load it. What would be nice is a bootable CD that has the relevant tracking
> tools so as to sniff the packets and requests from a client and look at the
> relevant signal levels. Has anyone come across such a system?
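
The triangulation idea raised in the message above, as an added example that is not part of the original page: signal levels logged for one MAC address at several known positions are converted to ranges and solved for the transmitter position by least squares. The path-loss constants, coordinates and readings are constructed assumptions, and nothing here depends on sigspy's actual output format.

```python
# Assumed log-distance path-loss model (not from the page):
#   rssi = P0_DBM - 10 * PATH_LOSS_N * log10(distance_m)
P0_DBM = -40.0      # assumed signal level 1 m from the transmitter
PATH_LOSS_N = 3.0   # assumed indoor path-loss exponent

# Constructed sample: (x_m, y_m, rssi_dbm) logged at four known spots for one
# MAC address. Generated for a transmitter at (12, 7), rounded to whole dBm.
SAMPLE = [(0, 0, -74), (30, 0, -79), (0, 20, -77), (30, 20, -80)]

def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_N):
    """Invert the path-loss model to get an estimated range in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10 * n))

def locate(readings, p0=P0_DBM, n=PATH_LOSS_N):
    """Least-squares position from >= 3 non-collinear (x, y, rssi) readings."""
    if len(readings) < 3:
        raise ValueError("need at least three measurement points")
    x1, y1, r1 = readings[0]
    d1 = rssi_to_distance(r1, p0, n)
    rows = []
    for xi, yi, ri in readings[1:]:
        di = rssi_to_distance(ri, p0, n)
        # Circle i minus circle 1 is linear in the unknowns: a*x + b*y = c
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = d1**2 - di**2 + xi**2 - x1**2 + yi**2 - y1**2
        rows.append((a, b, c))
    # Solve the 2x2 normal equations (A^T A) p = A^T c by Cramer's rule.
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("measurement points are collinear")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det

if __name__ == "__main__":
    x, y = locate(SAMPLE)
    print(f"estimated transmitter position: ({x:.1f}, {y:.1f}) m")
```

Walls and reflections distort real signal levels, so readings from more than three well-spread positions give a tighter estimate than the minimum.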