Identify an unknown IP in our network

networking ip windows-7 vmware-player

Solution 1:

I cannot provide a global solution to your problem, just a partial one. You can add this to the switch technique to widen your range of opportunities.

If the user running the VM is connected to your LAN via wifi, then you can identify him/her by means of a traceroute. The reason is that you showed us that the VM has an IP on your LAN network, hence it is in a bridged configuration. For technical reasons, wifi connections cannot be bridged, hence all hypervisors use a neat trick instead of a real bridge configuration: they employ proxy_arp, see for instance this Bodhi Zazen's blog entry for an explanation of how this works, for KVM, and this page for VMWare.

Since there is a pc replying to ARP queries in the VM's stead, traceroute will identify the node before the VM. For instance, this is the output of my traceroute from another pc on my LAN:

My traceroute  [v0.85]
asusdb (0.0.0.0)                                                                                               Mon Jun  1 11:45:03 2015
                        Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                                           Packets               Pings
 Host                                                                                       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. rasal.z.lan                                                                           0.0%     1    6.0   6.0   6.0   6.0   0.0
  2. FB.z.lan

rasal is the host machine, FB is the guest, I am issuing this from a third pc (asusdb).

In Windows, the proper command is 

 tracert 10.0.0.131

On Linux, you can do the same with the very convenient utility mtr:

 mtr 10.0.0.131

This complements, rather than supersede, the switch technique. If your traceroute shows that there are no intermediate hops between your pc and the VM, then at least you will know that you can rule out all LAN pcs connected via wifi, restricting your range of possibilities, and making the switch technique an effective possibility, if you have a managed switch or you are willing to unplug the cables in the switch one by one.

Alternatively, you may fake a technical problem and disconnect all ethernet connections, forcing your users to use wifi, until your culprit takes the bait.

Solution 2:

I'm assuming the 20 clients are connected to a switch:

Every switch mantains a table of every known MAC address on the table, and the table is in a format like this:

    Port               Address
     1              fa:23:65:XX:XX:XX:XX
     2              87:4a:12:d2:xx:XX:xx

Where Port is the physical port on the switch and Address is the MAC address detected on the port.

You have to check on the switch console a port that registers more than one MAC address, and now you know the switch port where the VM host is connected.

Just to be sure:

From a Windows equipment ping 10.0.0.123 and then issue arp -a.

Check that the MAC address corresponding to 10.0.0.123 is the same that you detected on the switch table.

Related

Trackpad scroll in Yosemite's terminal broken, now only showing command history
Requirements for a (multi)touch wall-mounted kitchen pc [closed]
Installing ubuntu do I really need a boot partition?
How can I set a bluetooth default controller
Ubuntu installation on PC [closed]
What is the best, safest way to create another partition after installation Ubuntu 20.04? [duplicate]
Disable Keyboard Backlight on Thinkpad T440S at login
XPS 9510 with OLED screen no brightness control with Ubuntu 21.04
How to upgrade Ubuntu on a dual boot system?
Why is my laptop's keyboard screwed up since kernel 5.4.0-47 till 5.8.0-20?
Prevent Windows 10 from formatting ext4 partition on pendrive
How can I get vboxweb to start properly at boot