Are you running IDS/IPS on your firewall? That may identify the IP address and the threat, and you can disable it from there.
Director of Technology
North Country Supervisory Union
121 Duchess Ave Suite A
Newport, VT 05855
(802) 334-5847 ext. 2018
[log in to unmask]
From: School Information Technology Discussion [mailto:[log in to unmask]] On Behalf Of Dan Roswell
Sent: Friday, November 21, 2014 3:23 PM
To: [log in to unmask]
Subject: Re: BYOD - Identifying Trouble Computers on the Network
Once you get the MAC address from Wireshark, you can do the following:
Log onto your switch and ping the IP of the device that is broadcasting. On your core switch, run the "show arp" command (or whatever the command to display your arp table is).
If it's a desktop, this command will show you which physical port that MAC address is on. If it's an uplink to another switch, you'll have to do a show arp on that switch as well. Once you've found the switchport associated with that MAC, you can trace it back to your patch panel and either tone it out or, if you're lucky, the port will be labeled. This should get you right to the wall jack, and it's pretty easy to identify at that point.
If the ARP entry is associated with a WAP, then it's likely a mobile device. The show arp command should at least show what point the device is on and give you a smaller area to look at. You can always filter the MAC at the DHCP or WAP level to disable the offending device. This will likely cause the person to fill out a helpdesk ticket and get identified.
From: School Information Technology Discussion [mailto:[log in to unmask]] On Behalf Of Jeff Weiner
Sent: Friday, November 21, 2014 2:17 PM
To: [log in to unmask]
Subject: BYOD - Identifying Trouble Computers on the Network
Starting this school year, we launched a full BYOD program at our High School. Currently we're using Aerohive wireless with two SSIDs: one for staff and one for students and the public. There are days when network traffic flows fairly consistently and other days when it slows to a crawl. Many times when it starts crawling, I've done a Wireshark capture, found a device excessively broadcasting, and identified this as part of the problem. How are other schools identifying who the users of problem devices are and removing them from the network until the problems can be solved on their device? Currently, I'm using the MAC address against the DHCP lease table to try to identify the owner, but many times with student devices it's just "Dan's PC" or something else non-descriptive. Suggestions welcome. Thank you!
Wakefield Public Schools
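The MAC-to-owner lookup Jeff describes and the switch-by-switch trace in Dan Roswell's reply, as an added Python example that is not part of the thread: it counts broadcast frames per source MAC from capture data, looks the noisiest sender up in a DHCP lease table, and walks MAC address tables from the core switch down an uplink to the access port. Every input is constructed inline for the example: a frame list in the form Wireshark/tshark prints, a dnsmasq-style lease file, Cisco IOS style "show mac address-table" output for two switches, and an uplink map the script needs in order to know which ports lead to another switch rather than to a wall jack (on IOS the ARP table maps IP to MAC; the MAC address table is what gives the port). The switch names, ports and addresses are all made up.

```python
"""Trace a chatty BYOD device from capture data to a switchport.

Added example, not from the mailing-list thread. All inputs below are constructed.
"""
import re
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff for Wireshark (aa:bb:...), Windows (AA-BB-...)
    or Cisco (aabb.ccdd.eeff) spellings so the same key works across all tables."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def top_broadcasters(frames, limit=3):
    """Count broadcast frames per source MAC; [(mac, count), ...] noisiest first."""
    counts = Counter(normalize_mac(src) for src, dst in frames
                     if normalize_mac(dst) == BROADCAST)
    return counts.most_common(limit)


def parse_dhcp_leases(text):
    """dnsmasq lease lines: '<expiry> <mac> <ip> <hostname> <client-id>' -> {mac: {...}}."""
    leases = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 4:
            leases[normalize_mac(parts[1])] = {"ip": parts[2], "hostname": parts[3]}
    return leases


def parse_mac_table(text):
    """Cisco IOS 'show mac address-table' rows (Vlan, Mac Address, Type, Ports) -> {mac: port}.
    Header and separator lines do not start with a VLAN number, so they are skipped."""
    row = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
    table = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            table[normalize_mac(m.group(1))] = m.group(2)
    return table


def trace_port(mac, mac_tables, uplinks, start="core"):
    """Follow a MAC from the core switch down uplinks until it lands on an access port.
    uplinks maps (switch, port) -> downstream switch. Returns (switch, port) or None."""
    mac = normalize_mac(mac)
    switch, seen = start, set()
    while switch not in seen:            # 'seen' guards against an uplink map that loops
        seen.add(switch)
        port = parse_mac_table(mac_tables[switch]).get(mac)
        if port is None:
            return None                  # MAC not learned here (aged out, or wrong switch)
        downstream = uplinks.get((switch, port))
        if downstream is None:
            return (switch, port)        # access port: this is what you tone out at the patch panel
        switch = downstream
    return None


def identify(frames, lease_text, mac_tables, uplinks):
    """Tie the noisiest broadcaster back to its DHCP name/IP and its switchport."""
    ranked = top_broadcasters(frames, limit=1)
    if not ranked:
        return None
    (mac, count), = ranked
    lease = parse_dhcp_leases(lease_text).get(mac, {})
    located = trace_port(mac, mac_tables, uplinks)
    return {"mac": mac, "broadcasts": count,
            "ip": lease.get("ip"), "hostname": lease.get("hostname"),
            "switch": located[0] if located else None,
            "port": located[1] if located else None}


# --- constructed sample data (as tshark -T fields -e eth.src -e eth.dst would print) ---
FRAMES = [("08:00:27:A1:B2:C3", "ff:ff:ff:ff:ff:ff")] * 5 + [
    ("3c:15:c2:00:11:22", "ff:ff:ff:ff:ff:ff"),
    ("3c:15:c2:00:11:22", "08:00:27:a1:b2:c3"),   # unicast, not counted
    ("00:1a:2b:3c:4d:5e", "ff:ff:ff:ff:ff:ff"),
]
DHCP_LEASES = """
1416600000 08:00:27:a1:b2:c3 10.20.5.77 Dans-PC 01:08:00:27:a1:b2:c3
1416600100 3c:15:c2:00:11:22 10.20.5.78 library-kiosk *
"""
MAC_TABLES = {
    "core": """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0800.27a1.b2c3    DYNAMIC     Gi1/0/48
  20    3c15.c200.1122    DYNAMIC     Gi1/0/12
""",
    "edge-b": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0800.27a1.b2c3    DYNAMIC     Gi1/0/7
""",
}
UPLINKS = {("core", "Gi1/0/48"): "edge-b"}   # core Gi1/0/48 is the trunk down to edge-b

if __name__ == "__main__":
    print(identify(FRAMES, DHCP_LEASES, MAC_TABLES, UPLINKS))
```

In practice the frame list comes from `tshark -r capture.pcap -T fields -e eth.src -e eth.dst` and the tables from the switch CLI over SSH; the uplink map is the one piece you have to maintain by hand, since a MAC learned on a trunk port only tells you which switch to look at next. If the MAC ends up on a port facing an access point, the trace stops at the AP and the wireless controller's client list is the next hop. Note that a MAC filter at the DHCP or WAP level is a convenience, not a control: any BYOD device can change its MAC.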