Michael Hill <Hill.Michael@tci.com> very kindly sent me his "port-probe"
utility, which worked very nicely despite M.H.'s disclaimer that the
program isn't yet ready for general release. If anyone else wants this
program, they should apply to Michael Hill, not to me.
Daniel Kluge <danielk@tibco.com> suggested: First ping the network's
broadcast address, then use "arp -a". He pointed out that this method
"gives you all stations, even those that do not send data at the
moment."
Both of these suggestions applied to the first part of my problem, i.e.
finding the bad guy on the LAN. I still don't know what to do about the
second part; "snoop" is still aborting on me.
THE QUERY:
+ The original problem: Someone attached a host to our LAN, at IP address
+ 192.168.0.76, without consulting us sysadmins. Among other approaches, I
+ tried monitoring that host's traffic with "snoop".
+
+ The secondary problem: When I tried to use "snoop", it aborted. Here's
+ the evidence:
+
+ >> snoop -c 100 -o snoop.192.168.0.76 192.168.0.76
+ Using device /dev/le (promiscuous mode)
+ 100 snoop: 100 packets captured
+ >> snoop -v -i snoop.192.168.0.76 >snoop.report
+ Segmentation Fault(coredump)
+ >> ls -l
+ -rw-r--r-- 1 fpardo other 309376 Sep 8 14:48 core
+ -rw-r--r-- 1 root other 14124 Sep 8 13:33 snoop.192.168.0.76
+ -rw-r--r-- 1 fpardo other 8192 Sep 8 14:48 snoop.report
+ >> wc -l snoop.report
+ 283 snoop.report
+ >> tail -13 snoop.report
+ ETHER: ----- Ether Header -----
+ ETHER:
+ ETHER: Packet 7 arrived at 12:58:24.73
+ ETHER: Packet size = 60 bytes
+ ETHER: Destination = 0:0:f8:75:55:ef,
+ ETHER: Source = 0:a0:c9:6f:a8:27,
+ ETHER: Ethertype = 0800 (IP)
+ ETHER:
+ IP: ----- IP Header -----
+ IP:
+ IP: Version = 4
+ IP: Header length = 20 bytes
+ IP: Type of service
+ >> uname -a
+ SunOS admin 5.4 generic sun4m sparc
+
+ I copied the file "snoop.192.168.0.76" onto a machine running 5.5, and
+ got a segmentation fault there, too. No Sun patches have been applied on
+ either of these two systems.
+
+ So I have two questions:
+ In general: How do I track down a rogue host on my LAN?
+ In particular: How do I keep "snoop" from aborting?
+
+ If anyone can help with either of these, I'll be very grateful indeed.
+ I've looked in a number of places, including the summary archive of this
+ list, with no luck so far.
-- Frank Pardo <fpardo@tisny.com> Transaction Information Systems New York CityChi fila ha una camicia e chi non fila ne ha due. -- Italian proverb