Help: how can this problem be resolved?

Views: 11 | Replies: 2 | 2010-10-8 09:32:27
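Network symptom: on subnet 172.16.4.0/24 and subnet 172.16.9.0/24, the entire subnet loses connectivity for short periods;
Cause: a PC is impersonating the gateway, which interrupts communication across subnets. The switch logs show: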
4006-1:
Aug9 09:28:16.547 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 09:48:38.080 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 10:08:48.039 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 10:28:58.969 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 10:49:03.785 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 11:09:01.962 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 11:29:51.914 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 11:49:53.230 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Old Manufacturing Department 3750:
Aug7 14:39:07.757 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 14:59:18.672 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 15:19:28.392 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 15:39:32.171 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 15:59:41.727 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 16:19:48.214 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 16:45:47.333 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 17:06:03.114 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 09:55:12.492 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 10:15:18.320 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 10:35:28.684 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 10:56:04.636 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 11:16:06.972 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 11:36:14.609 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
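Temporary workaround: use DHCP to identify the faulty PC and disconnect it from the network;
Cause analysis: we suspect a virus attack, but scanning the disk with antivirus software in safe mode found no virus.
Could everyone please take a look and suggest a better solution, other than reinstalling the system.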
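
The %IP-4-DUPADDR lines quoted in the first post can be grouped by claimed gateway address and source MAC, which shows which host is asserting the gateway IP and how regularly. This Python example is added here and is not part of the original thread; the function name `summarize_dupaddr` and the year 2010 (the log lines carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# A subset of the switch log lines quoted in the first post.
SAMPLE_LOG = """\
Aug9 09:28:16.547 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 09:48:38.080 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug9 10:08:48.039 CCT: %IP-4-DUPADDR: Duplicate address 172.16.4.254 on Vlan4, sourced by 8000.0be3.6e70
Aug7 16:45:47.333 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug7 17:06:03.114 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 09:55:12.492 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
Aug 10 10:15:18.320 CCT: %IP-4-DUPADDR: Duplicate address 172.16.9.254 on Vlan9, sourced by 000d.56a9.1627
"""

DUPADDR = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s*(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\S+:\s+"
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\S+) on (?P<vlan>\S+), "
    r"sourced by (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)

def summarize_dupaddr(log_text, year=2010):
    """Group DUPADDR events by (ip, vlan, mac). The year is an assumption: the log has none."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DUPADDR.match(line.strip())
        if not m:
            continue  # not a duplicate-address message
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f")
        events[(m["ip"], m["vlan"], m["mac"].lower())].append(ts)
    report = []
    for (ip, vlan, mac), stamps in sorted(events.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report.append({
            "ip": ip, "vlan": vlan, "mac": mac, "count": len(stamps),
            "first": stamps[0], "last": stamps[-1],
            # Median stays stable across long gaps such as Aug7 to Aug 10.
            "median_gap_min": round(median(gaps) / 60, 1) if gaps else None,
        })
    return report

if __name__ == "__main__":
    for row in summarize_dupaddr(SAMPLE_LOG):
        print(f"{row['ip']} on {row['vlan']}: claimed by {row['mac']} "
              f"{row['count']}x, about every {row['median_gap_min']} min")
```

The MAC address in each row is what to look up in the switch's MAC address table or the DHCP lease records to locate the port and host.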

千问 | 2010-10-8 09:32:27
What IP addresses were these two PCs assigned by the DHCP server?
What about trying a Trojan detection tool?

千问 | 2010-10-8 09:32:27
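In my opinion: find the problem PC, use a packet capture tool to see whether there is any problematic traffic, then work out which port is causing the problem and close it. OK~
Not sure whether this method would work?
Experts, please answer~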