Locate IP Address

We use a Prizm Server to manage customer bandwidth and a radius server to manage authentication. We assign IPs by DHCP. Our subscriber modules all have the default IP address in them. My problem is that I have a customer’s assigned IP address which is sending malicious traffic and I can’t find them by just knowing the IP address. How are others handling their networks, and does anyone have recommendations? I’m not a network engineer; all of this was set up by someone else, but I’m trying to find a solution.

Use Wireshark to look at the traffic flow and determine the offender’s MAC, then look in each AP’s bridge table for the offending MAC. Once you determine the parent AP, look at the sessions tab to match the MAC to the LUID.

This is where PPPoE or static IP assignment helps.

Also, monitoring every AP can help you locate unusual traffic patterns such as spewing SMs.

What Jerry suggests will work, but rather than using a packet sniffer (such as Wireshark) to determine the MAC address, you can usually just look up which MAC address that IP is assigned to on the DHCP server.

If you wanted to automate the process, you could use SNMP to poll the bridge tables of the SMs and/or the APs. I wrote a simple Linux bash script that polls our SM bridge tables, records the MACs behind the units and lists what brand(s) of routers they are using. Once you get the MAC from the DHCP server you can just search the list and determine what SM they're on.

The OID to poll for the bridge tables is: 1.3.6.1.4.1.161.19.3.3.4.1.1


EDIT: If you are using Prizm, it should be able to look up which SM the particular MAC is behind if it is set to poll bridge tables. Just get the MAC from the DHCP server, and check the Prizm manual.
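The IP-to-MAC-to-SM workflow described in the post above, written out as an added example (this is not the poster's script and not Cambium's or Prizm's own tooling). It assumes an ISC dhcpd-style `dhcpd.leases` file for the IP-to-MAC step, and net-snmp `snmpwalk` output in its `Hex-STRING:` form for the bridge-table OID from the post, with each line prefixed by the IP of the SM it was polled from. The lease text, the bridge-table dump, the SM addresses and the MACs below are all constructed sample data; the `poll_sm_bridge_table` function is the one piece that talks to real hardware and assumes an SNMP v2c read-only community in `$SNMP_COMMUNITY`.

```shell
#!/usr/bin/env bash
# Locate which SM a DHCP-assigned IP sits behind:
#   1. dhcpd.leases: IP -> MAC (the newest lease block for that IP wins)
#   2. SM bridge tables (SNMP): MAC -> SM that learned it
# Bridge-table OID from the post; everything else here is an assumption.
BRIDGE_OID="1.3.6.1.4.1.161.19.3.3.4.1.1"

# Normalize any common MAC spelling ("00 11 22 33 44 55", "0011.2233.4455",
# "00-11-22-33-44-55") to lowercase colon form; fail on anything that is
# not exactly 12 hex digits so garbage never "matches" a bridge entry.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr -d ' :.-' | tr 'A-F' 'a-f')
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#hex}" -eq 12 ] || return 1
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# $1 = dhcpd.leases text, $2 = IP. Prints the normalized MAC of the most
# recent lease for that IP (dhcpd appends newer leases after older ones).
mac_for_ip() {
  mac=$(printf '%s\n' "$1" | awk -v ip="$2" '
    $1 == "lease" && $2 == ip { inlease = 1; next }
    inlease && $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
    $1 == "}" { inlease = 0 }
    END { if (mac != "") print mac }')
  [ -n "$mac" ] || return 1
  normalize_mac "$mac"
}

# Poll one SM's bridge table and prefix every line with the SM's IP so the
# dumps of many SMs can be concatenated into one searchable list.
# Assumption: SNMP v2c, read-only community in $SNMP_COMMUNITY (default "public").
poll_sm_bridge_table() {
  sm="$1"
  snmpwalk -v2c -c "${SNMP_COMMUNITY:-public}" "$sm" "$BRIDGE_OID" 2>/dev/null \
    | sed "s/^/$sm /"
}

# $1 = concatenated bridge dump ("SM_IP <snmpwalk line>"), $2 = MAC.
# Prints each SM whose bridge table contains the MAC (deduplicated).
sm_for_mac() {
  want=$(normalize_mac "$2") || return 1
  printf '%s\n' "$1" | while read -r sm line; do
    raw=${line#*Hex-STRING: }
    [ "$raw" = "$line" ] && continue        # not a MAC-valued entry
    m=$(normalize_mac "$raw") || continue   # skip malformed values
    [ "$m" = "$want" ] && printf '%s\n' "$sm"
  done | sort -u
}

# $1 = leases text, $2 = bridge dump, $3 = offending IP.
locate_ip() {
  mac=$(mac_for_ip "$1" "$3") || { echo "no lease found for $3" >&2; return 1; }
  sm_for_mac "$2" "$mac"
}

# ---- constructed sample data (not from a real network) ----
# 10.20.30.41 has an older lease to one MAC and a newer one to another,
# so the lookup must return the newer MAC.
SAMPLE_LEASES='lease 10.20.30.41 {
  hardware ethernet 00:de:ad:be:ef:01;
}
lease 10.20.30.77 {
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.20.30.41 {
  hardware ethernet 00:11:22:33:44:55;
}'

# Two SMs polled; the second learned the same MAC on two bridge entries.
SAMPLE_BRIDGE_DUMP='10.0.5.11 iso.3.6.1.4.1.161.19.3.3.4.1.1.1 = Hex-STRING: 00 11 22 33 44 55 
10.0.5.11 iso.3.6.1.4.1.161.19.3.3.4.1.1.2 = Hex-STRING: 00 11 22 33 44 56 
10.0.5.23 iso.3.6.1.4.1.161.19.3.3.4.1.1.1 = Hex-STRING: AA BB CC DD EE FF 
10.0.5.23 iso.3.6.1.4.1.161.19.3.3.4.1.1.2 = Hex-STRING: AA BB CC DD EE FF '

echo "SM(s) behind which 10.20.30.77 was found (sample data):"
locate_ip "$SAMPLE_LEASES" "$SAMPLE_BRIDGE_DUMP" 10.20.30.77
```

On a live network you would replace the sample dump with `for sm in $(cat sm_list.txt); do poll_sm_bridge_table "$sm"; done > bridge_dump.txt` run from cron, and feed `locate_ip` the contents of the real leases file, so that when an abuse report arrives the lookup is a single command rather than a walk through every AP.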