[c-nsp] Good way of finding unauthorized network elements/

Seth Mattinen sethm at rollernet.us
Fri Oct 30 15:07:49 EDT 2009


Scott Granados wrote:
> Hi all
> I have a general question.  I have a network consisting of about 20
> access switches and 2 core switches.  We have 3 access points that we
> manage but think someone might have brought in a Linksys or D-Link
> consumer device and plugged in.  (users, can't live with em, can't shoot
> em)
> Is there a tool or good method that could scan the arp table and look
> for Manufacturer ID bits so I could see roughly what's attached where?
> Are there better tools in general or better methods of finding rogue
> elements that people may attach?
> Any pointers would be appreciated.
> 

Ah yes, as a student one of my jobs was to pinpoint such devices using
AirMagnet and hand them a nice letter about how it violated university
network policy and that they needed to use the campus managed access
points. Some of them were pretty creative about hiding even if you knew
what port they were on, and one (in a physics lab, of course) had some
fancy foil shielding to limit the footprint size and direction.

~Seth
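
The check Scott asks about (reading the manufacturer ID bits, i.e. the OUI, of each learned address and mapping it to a port), as an added example that is not part of the original thread. It assumes the usual column layout of Cisco IOS `show mac address-table` output; the sample table, the uplink port name and the short OUI watch-list are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample watch-list of consumer-gear OUIs (first 24 bits of the MAC address).
# Assumption: in real use, load the vendors you care about from the IEEE OUI registry.
WATCH_OUIS = {"000625": "Linksys", "0014bf": "Linksys",
              "00055d": "D-Link", "000d88": "D-Link"}

# One row of the table: VLAN, dotted MAC, entry type, port.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def oui(mac):
    """Return the six hex digits of the OUI from a dotted MAC such as 0006.25aa.bb01."""
    return mac.replace(".", "")[:6]

def parse_mac_table(text):
    """Yield (vlan, mac, port) for each DYNAMIC row; headers and rules are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            yield int(m.group(1)), m.group(2).lower(), m.group(4)

def find_suspects(text, uplinks=(), max_macs=1):
    """Return {port: [reasons]} for non-uplink ports that merit a closer look."""
    by_port = defaultdict(set)
    for _vlan, mac, port in parse_mac_table(text):
        if port not in uplinks:
            by_port[port].add(mac)
    suspects = {}
    for port, macs in by_port.items():
        reasons = [f"{mac} has {WATCH_OUIS[oui(mac)]} OUI"
                   for mac in sorted(macs) if oui(mac) in WATCH_OUIS]
        if len(macs) > max_macs:  # several hosts behind one access port
            reasons.append(f"{len(macs)} MACs learned on one port")
        if reasons:
            suspects[port] = reasons
    return suspects

# Constructed sample output (not from the thread).
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0006.25aa.bb01    DYNAMIC     Fa0/12
  10    001e.c2aa.0002    DYNAMIC     Fa0/12
  10    0021.70aa.0003    DYNAMIC     Fa0/12
  10    0019.b9aa.0004    DYNAMIC     Fa0/3
  10    0005.5daa.0005    DYNAMIC     Fa0/7
  10    0013.72aa.0007    DYNAMIC     Gi0/1
   1    0017.94aa.0006    DYNAMIC     Gi0/1
"""
```

A consumer router doing NAT shows up as a single MAC, so only the OUI check catches it, while one bridging as an access point exposes its clients' MACs and trips the per-port count. Raise `max_macs` on ports that legitimately carry a phone plus a PC.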

