The situation is this: there is a wired local network with static IP addresses, and someone connects to it from his personal laptop, using another person's IP address, from an unknown place within the building. Is it possible to determine which wire this intruder uses to get in?
- If the IP is known, then you can find out the MAC address. And knowing the first 3 bytes (6 characters, not counting the colons), you can determine the model of the motherboard. It is possible that this will be enough. - KoVadim
- @KoVadim and if he hides it in his pocket? - Sergey
- In the pocket with the wire? Such a person is easy to track down :) - KoVadim
- @KoVadim tracking him down is easy, getting into his pocket is difficult. - Sergey
- And there is no need to go into the pocket. Just block the MAC on the router and enjoy. But if this is a company, then everything is easily solved by administrative methods. - KoVadim
1 answer
I'll write this as an answer, because I'm afraid it will not fit in a comment. It is necessary to clarify some points.
Options that come to mind:
1) Pull the wires out of the hub/switch and wait until the attacker comes running to complain: "I have lost the internet connection."
2) Also pull the wires out of the hub/switch, and ping the attacker before disconnecting, after disconnecting and after connecting the cable.
If he uses someone else's address, then it may be someone else's computer that is being pinged. In general, an address conflict would have to occur, and neither the attacker nor the one whose address he had captured would work normally. But anything can happen. In addition, the attacker can block the ping.
In addition to the IP address, each device has a MAC address. And each network device stores a table of correspondence between the MAC and IP addresses with which it communicates: the ARP table. Almost all operating systems have utilities for viewing and editing this table. We need to look at the table and remember the MAC address of the attacker. Before each ping, the ARP table is cleared. After the ping, even if it does not work, the table is checked for the appearance of the attacker's MAC address.
There is also the so-called arp-ping or arping, which "pings" not the IP address but the MAC directly. You can download it on the Internet.
3) If you are lucky and have a managed switch, then you can view its switching table: MAC address -> switch port. Yes, with such a switch, some things can be nipped in the bud.
- Thanks. The third option is the most suitable. And are there switches with tables issued_ip -> switch port? - Bublik
- @Bublik I do not know. Hardly. IP is above the level at which the switches operate. Even if there is one, it is something very special and expensive. Although maybe I do not remember exactly. Perhaps there are switches with a built-in DHCP server, but they can only know those addresses that they distribute themselves. And of course, managed switches have the same ARP table as any device. But if I have access to it, I don't know. - Sergey
- Thanks. It will be necessary to buy a switch with the management you wrote about. - Bublik
- @Bublik it is better then to switch to IEEE 802.1X support right away - Pavel Mayorov
- @PavelMayorov that is a good comment. - Bublik
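Options 2 and 3 of the answer above, combined in an added example that is not part of the original thread: it reads saved ARP-table output, finds any IP address that more than one MAC has answered for, and looks each MAC up in a managed switch's MAC table to get the port. The sample data, the function names and the switch table's column layout are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` lines saved across two flush-then-ping rounds.
ARP_LOG = """\
192.168.1.20 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.21 dev eth0 lladdr 00:1a:2b:aa:bb:cc STALE
192.168.1.22 dev eth0  FAILED
192.168.1.20 dev eth0 lladdr 02:DE:AD:BE:EF:01 REACHABLE
"""

# Constructed managed-switch MAC table; the (vlan, mac, type, port) column
# layout is an assumption, real switches print theirs differently.
SWITCH_TABLE = """\
1  001a.2b3c.4d5e  dynamic  port3
1  001a.2baa.bbcc  dynamic  port5
1  02de.adbe.ef01  dynamic  port17
"""

def normalize_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    return digits if len(digits) == 12 else None

def parse_arp(log):
    """Map each IP to the MACs that answered for it, in order seen."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        mac = normalize_mac(m.group(2)) if m else None
        if mac and mac not in seen[m.group(1)]:  # FAILED rows carry no MAC
            seen[m.group(1)].append(mac)
    return dict(seen)

def parse_switch_table(dump):
    """Map MAC -> switch port from the table dump."""
    ports = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) >= 4 and normalize_mac(fields[1]):
            ports[normalize_mac(fields[1])] = fields[3]
    return ports

def locate_conflicts(arp_log, switch_dump):
    """For every IP claimed by more than one MAC, list (mac, port)."""
    ports = parse_switch_table(switch_dump)
    return {ip: [(mac, ports.get(mac, "unknown")) for mac in macs]
            for ip, macs in parse_arp(arp_log).items() if len(macs) > 1}

print(locate_conflicts(ARP_LOG, SWITCH_TABLE))
```

A MAC that the switch reports on an uplink port sits behind the next switch, so the lookup has to be repeated on that switch.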