CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

I'm seeing address spoofing events in the NG (SPLAT R55) log from an address range I'm told is used for server factory default (for imaging via network: 169.254.x.x). I'm also seeing DHCP requests. Based on this evidence, my thought is that I have a misconfigured server with a DHCP-enabled interface that needs to be shut down (or assigned a static IP). To assist server admins in finding the misconfigured box, I'm trying to track down the MAC address used in these netbios broadcasts. Without knowing the MAC, it's almost like finding a needle in a haystack. I first played around with query options within Tracker, but was disappointed to find out MAC information is not logged. I then tried a tcpdump, but concluded I wasn't seeing any packets despite growing logs because the broadcasts were being dropped by NG before tcpdump could hear them. I then thought to try fw monitor, but I've just read that MAC information cannot be captured this way. Unfortunately I don't have another *nix system in this particular network (if that wasn't already obvious as I'm trying to debug a netbios problem :P), so I am really running out of options on how to find this MAC address. Anyone have any ideas of what I might try? I suppose I could do a cpstop and then run the tcpdump (network is still in pre-production), but I'm looking for a less intrusive means. Thanks!

Last edited by Avertive; 2005-11-11 at 13:59.

tcpdump should capture the traffic before CheckPoint sees it and drops it. Otherwise you can also install winpcap (capture program for Windows) and use that the same way on the internal network, listening for the IP address.

Is the server on a network that is directly connected to the firewall? If so, just try to run an `arp -a` on the firewall. If not, try to run the same command on the switch that the server is connected to.

__________________
Aaron Vivo
CCSE Plus, CCMSE, NSA

This is the oddest thing... my log files continue to grow showing the DHCP traffic (no IP as source, 255.255.255.255 broadcast as destination; udp/67) yet my tcpdump doesn't catch it. This is what my dump looks like:

```
[Expert@fw1]# tcpdump -n -e -i eth1 udp port 67
```

I've also tried:

```
[Expert@fw1]# tcpdump -n -e -i eth1 host 255.255.255.255
```

The servers are connected to the same switch as the firewall, but listing the ARP table via `arp -a` won't tell me which MAC is doing the DHCP broadcasts. I've just installed an IDS on this segment so should be able to track it down with it, although I really hoped I could with the firewall. I'm still baffled why my tcpdump doesn't see it. Any other ideas how the firewall might get this information?

Not sure why your firewall isn't picking it up. Below is the same dump on my firewall:

```
bent[admin]# tcpdump -n -e -i eth2 host 255.255.255.255
tcpdump: listening on eth2
09:32:34.598163 I 0:c:29:a0:e0:ef ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0xd374203c [|bootp]
09:32:39.573633 I 0:c:29:a0:e0:ef ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0xd374203c secs:273 [|bootp]
```

Only thing I can think of is that I'm doing it on a Nokia.
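Even where a capture lacks Ethernet headers (as with fw monitor), a DHCP request still identifies its sender: the BOOTP header inside the UDP payload carries the client hardware address in its chaddr field. The Python below is an added example, not code from this thread, that pulls the MAC both from a `tcpdump -n -e` line of the shape quoted above and from the chaddr field of a DHCPDISCOVER; the sample line and packet are constructed from the values in the quoted output, and the regex assumes that exact tcpdump output format.

```python
import re
import struct

# Constructed sample: a 'tcpdump -n -e' line in the shape quoted in the thread
# (MAC and xid taken from that output; this string is not a real capture).
SAMPLE_LINE = ("09:32:34.598163 I 0:c:29:a0:e0:ef ff:ff:ff:ff:ff:ff 0800 342: "
               "0.0.0.0.68 > 255.255.255.255.67: xid:0xd374203c [|bootp]")

TCPDUMP_DHCP = re.compile(
    r"^\S+ \S+ (?P<src>[0-9a-f:]+) [0-9a-f:]+ 0800 \d+: "
    r"0\.0\.0\.0\.68 > 255\.255\.255\.255\.67: xid:0x(?P<xid>[0-9a-f]+)")

def mac_from_tcpdump_line(line):
    """Return (source MAC, xid) for a DHCP client broadcast line, else None.
    tcpdump prints MAC bytes without leading zeros ('0:c:29...'), so normalise."""
    m = TCPDUMP_DHCP.match(line)
    if not m:
        return None
    mac = ":".join(f"{int(p, 16):02x}" for p in m["src"].split(":"))
    return mac, int(m["xid"], 16)

def build_discover(chaddr, xid):
    """Construct a minimal DHCPDISCOVER (BOOTP header + options) as test input."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                      xid, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, DISCOVER, end

def client_mac_from_bootp(payload):
    """Return (client hardware address, xid) read from the BOOTP chaddr field.
    chaddr sits inside the UDP payload, so a capture with no Ethernet header
    still reveals the sender's MAC as long as the datagram itself is seen."""
    if len(payload) < 236:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen = payload[0], payload[1], payload[2]
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not a BOOTREQUEST from an Ethernet client")
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    return mac, xid

if __name__ == "__main__":
    print(mac_from_tcpdump_line(SAMPLE_LINE))
    pkt = build_discover(bytes.fromhex("000c29a0e0ef"), 0xD374203C)
    print(client_mac_from_bootp(pkt))
```

Feeding the tcpdump line parser the output of the broadcast filter shown above gives the offending MAC per transaction id, which is exactly what is needed to trace the port on the switch.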