Question about unix server

Guru · 10 Sep 2007 at 12:35

My dad just phoned me up and asked me a weird question.

He said "You know the ping command?" "can you use it to see someone's IP address if they are connection through a hub? Cause at the moment I can only get the hub IP"

Basically he is connecting to a unix server, and he wants to find out who is connecting to it through a hub using a particular user. But he doesn't know how.

I don't know either, in fact I don't know why he asked me LOL he's the IT Analyst, not me

For clarification, he is not connecting through the hub, he is connecting directly.

Cheers,

G

Una · 10 Sep 2007 at 14:34

I'm not exactly sure what your getting at here,

'w' will tell you which users are currently logged into that box.

netstat -an can give you more information on current connections.

arp -a should give you the ip of the hub.

Using those tools you should be able to work out what you need.

If I am understanding you correctly you could do a traceroute for each of the users currently logged in, then look at the interfaces it passes through on and see if that matches the hub which you are looking for.

Guru · 10 Sep 2007 at 14:54

Thanks for that information

I spoke to my dad again and he explained exactly what he is trying to do...

Basically, he is closing down some generic users on a server but he can see that someone is still using one of them, lots of people know the username and password so he can't be sure who is using it.

He needs to get in touch with that person and basically tell them they can't log in as that user anymore because he is closing it down and they will have to log in a different way in future.

He basically wants to get their workstation IP so he can check a list and find out which workstation it is so he can go talk to them about it.

When he checks the IP thats connecting to the server it just comes up as the same IP as always, which he assumes is the hub which this unknown user is connecting though.

He wants to find out the IP of the actual workstation, rather than the hub.

He said the information he's been given gets him a bit closer but not quite the result he needs.

Any more help would be much appreciated.

Cheers,

G

Una · 10 Sep 2007 at 14:58

I'm surprised 'w' gives the ip the hub and not the workstation currently logged in.

I guess one way to do it would be to log onto the hub and see what the current inbound/outbound connections are..

Guru · 10 Sep 2007 at 15:20

I saw your post with the pic before your edit and he is getting the same up when he presses w BUT his doesn't have the FROM column, so he can't see any IP on that screen.

When he does a who, it comes up with an IP but it's the hub IP.

He can't log into the hub even as root for some reason, it just wont give him access.

Think we are stuck now.

Cheers for you help though mate.

G

Una · 10 Sep 2007 at 15:51

What OS is this?

Guru · 10 Sep 2007 at 15:57

the ibm one, can't remember what he called it

Una · 10 Sep 2007 at 16:01

AIX?

You could load up a packet sniffer on the network segment (if you say its a hub not a switch) and work out which packets are destined for that server from which boxes. Wireshark will give the endpoints quite easily. Your likely to break every single rule on the network though

Easiest way would be to get into that hub.

Guru · 10 Sep 2007 at 16:08

Una said:
AIX?

Thats the one

Una · 10 Sep 2007 at 16:11

Guru said:
Thats the one

K sorry no clue then, only used it once or twice.

Guru · 10 Sep 2007 at 16:27

No worries mate

Thanks for you help anyways

rick827 · 11 Sep 2007 at 12:44

'who' should give you the IP of the end point, not the 'hub'. The only way its giving you the 'hub' IP is if a session was initiated from that device. Unfortunatly you cant 'netstat -b' in AIX like you can in Windows either..

Edit: Why not just give that user account a login shell explaining its being disabled etc..