David,

> Suppose you have a network in your two story office building with around
> 250 network drops (10/100BT hubs). Suppose one of your servers becomes
> unreachable and you find that arp gives you a different MAC address than
> you expect.
> Seems like someone has plugged in a machine and given it the same IP as
> your server, and somehow this rogue machine wins the arp battle. So
> your IP has been stolen.
> Anyone seen this before?
> How would you find the rogue machine to fix the problem?

Since you aren't using managed switches, you can't nail down the MAC address
of the rogue to a specific port. A destructive (disruptive) test is one way
to do this. Start by identifying which hub it's plugged into:

1. Unplug a hub from the stack. Plug your test machine into the port.
2. Clear its arp cache.
3. Ping the IP address, see what MAC it got.
4. If not the rogue MAC, then reconnect the hub to the stack. Move on to
   the next hub until you find which hub it's on.
5. With that hub isolated, run a continuous ping and disconnect cables for
   1-2 seconds at a time. You'll be able to identify the rogue's port by
   seeing which cable disconnect caused the pings to stop coming back.
6. Use your handy-dandy cable map, which I'm sure you have, to find out
   where the other end of that cable is. Leave it disconnected of course.
   (Shoot first, ask questions later.)

HTH.

-- 
Jim Ockers (ockers@ockers.net)
Contact info: please see http://www.ockers.net/
Fight Spam! Join CAUCE (Coalition Against Unsolicited Commercial Email)
at http://www.cauce.org/ .
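Steps 2 to 4 of the procedure above, as an added example that is not part of the original message: a shell check that classifies which MAC answered for the server's IP on each isolated hub. It assumes a Linux test machine with iproute2; the function names, the IP, the MACs and the three neighbour-table captures are constructed for illustration.

```sh
#!/bin/sh
# Added example. On the test machine, steps 2-3 would be run live as
#   ip neigh flush to "$IP"; ping -c 3 "$IP"; ip neigh show to "$IP"
# (assumption: Linux iproute2) with the last command piped into check_ip.

IP=192.0.2.10                    # constructed: the server's address
SERVER_MAC=00-00-5E-00-53-01     # constructed: the MAC you expect

# Print the distinct MACs the neighbour table on stdin holds for IP ($1).
mac_for_ip() {
    awk -v ip="$1" '$1 == ip {
        for (i = 2; i < NF; i++) if ($i == "lladdr") print tolower($(i + 1))
    }' | sort -u
}

# check_ip IP EXPECTED_MAC < neighbour-table
# Prints "OK <mac>", "ROGUE <mac...>" or "NOREPLY"; returns 0, 1 or 2.
check_ip() {
    local want seen
    want=$(printf '%s' "$2" | tr 'A-F-' 'a-f:')   # normalise case, separators
    seen=$(mac_for_ip "$1" | tr '\n' ' ')
    seen=${seen% }
    if [ -z "$seen" ]; then echo "NOREPLY"; return 2; fi
    if [ "$seen" = "$want" ]; then echo "OK $seen"; return 0; fi
    echo "ROGUE $seen"; return 1
}

# Constructed captures, one per isolated hub (documentation addresses).
HUB_A='192.0.2.10 dev eth0  FAILED
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:fe STALE'
HUB_B='192.0.2.10 dev eth0 lladdr 00:00:5E:00:53:01 REACHABLE'
HUB_C='192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE'

# Walk the captures the way steps 1-4 walk the hub stack.
survey() {
    printf 'hub A: '; printf '%s\n' "$HUB_A" | check_ip "$IP" "$SERVER_MAC" || true
    printf 'hub B: '; printf '%s\n' "$HUB_B" | check_ip "$IP" "$SERVER_MAC" || true
    printf 'hub C: '; printf '%s\n' "$HUB_C" | check_ip "$IP" "$SERVER_MAC" || true
}

survey
```

NOREPLY on an isolated hub means neither the server nor the rogue is on it; the hub that reports ROGUE is the one to take through step 5.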