One for the switch guru's

lude1962 · 5 Jul 2017 at 10:55

So offshore numpties are having a problem.
2 servers connected to a switch, one is broadcasting AV alerts, they have the ip's of the servers but only 1 server can physically be found.
Is it possible at switch level to check the traffic to the offending server via interrogating the switch using routing tables logs etc to see if it being actively used?

I think they're cisco layer 3 switches.

HoneyBadger · 5 Jul 2017 at 11:18

Just log into the switch and see what ports are up, eliminate the working server which will leave you the non working.

If you go to the working server, can you do arp -a from a DOS prompt (Assuming it's windows) and get the ip from that? Then try to ping it.

ChrisD. · 5 Jul 2017 at 11:58

What are you trying to achieve? Can you not just log onto the server itself?

I wouldn't want to debug at the switch level, you can overload the CPU and crash it. Much better to get onto the server itself and run Wireshark to work out what's going on or find out what program it is that's sending the alerts and interrogate it and its log files.

Liquidfox · 5 Jul 2017 at 12:13

If you know the MAC address of the missing server, just look for that in the ARP cache of the two switches. That'll tell you what port it's plugged into and then trace the cables back.

lude1962 · 5 Jul 2017 at 12:33

Can you not just log onto the server itself? - they dont know the login details (the one brodcasting av alerts)
That'll tell you what port it's plugged into and then trace the cables back - not possible multiple buildings/floors/rooms
If you go to the working server, can you do arp -a from a DOS prompt (Assuming it's windows) and get the ip from that? Then try to ping it.- the one brodcasting av alerts doesn't have a name but has ip address

I've suggested they disconnect the rogue server at the switch, the question (possibly badly worded by me) is can we deduce from connecting to the switch if the rogue server is active, ie lots of traffic to it?

varkanoid · 5 Jul 2017 at 13:01

If only one server can physically be found is it a Virtual platform ?

ChrisD. · 5 Jul 2017 at 13:49

You can log onto the switch and look in the ARP table to find the offending IP address. The ARP table should tell you which interface it knows the MAC address from, then show statistics on that port to find out how busy it is.

lude1962 · 10 Jul 2017 at 11:21

then show statistics on that port to find out how busy it is.
this what I was after, thanks