Tracking Down a Computer Address Over a Network

So, you want to track down some fool on the network who's spreading a virus (or downloading music, or whatever else).

Let’s, for the sake of this article, assume there is a machine infected with Code Red on your network somewhere...

Your handy dandy packet sniffing is seeing a whole bunch of these packets lately looking like:

GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3

Being the insanely brilliant mind that we are, we of course immediately recognize this pattern as a Code Red attack, quickly put on our cape, and leap into action!

We will assume you are able to cut through the red tape to have access to the Cisco switches your network is running on.
(If you do not have Cisco equipment, the theories will still apply, but not the commands listed. RTFM!)

Your sniffing logs gave you a MAC address, but no more detail...never fear! Cisco is here!
Login to the Switch (just telnet to it) [I hope you have it documented somewhere what the IP addresses are for these expensive little toys]

You can now check the MAC address tables to see if the device is right there.

We should always begin with the core switch, (The one that all of the others are plugged into) and work our way out. (Mainly so we don’t forget where we are in the network at the time)

Showing the whole table is probably a bad idea...you will see everything that has been directed through that switch. (a lot of unhelpful stuff here.)