Jump to content

"Ghost" Connections at work


Bountyhunter50

Recommended Posts

Hi all! I'm at a loss, so collaboration time!

SO:

At my work , I have 5 elevators with digital reader boards in them (for the days events and some adverts) that auto-updates from an internal system. Through our internal system, we enter in "Bob Group" and say what meeting room they have and times. Then when we say "Post", that is (theoretically) supposed to send out to these Readerboards to be displayed at the appropriate day.

The problem is: Only 2 of the 5 Function like this. Here's the fun part (Are you ready?):

- Inside the elevator the PC is on an Eth line.

- If I plug in my laptop to snif the other end , I get no link at all. Even the ISP can't find the MAC on the network. Even on the ones that are (theoretically) working.

- The main "Player Controller PC" (handles how the reader board will display adverts, etc) is connected to a switch (and our ISP can see that).

- At the top of the elevators (Where the pully engines are) , There are 5 wires on a troth going outbound.. Somewhere.. But there's actually 10: 5 blue and 5 White CAT5e.

- Down the hall of the Elevator Control room, there's a mini-IDF room that has a wall- mounted cabinet with 5 Cat5e lines LABELED " Elevator 5, Elevator 6, Etc."

- When I plug my laptop into that , Nothing. Not even Wireshark can find it.

- I can't even find anything on a WiFi Sniff too. No beacon frames match the Elevator PCs at all.

...Is there something i'm missing, or is this a needle in a hay stack?

Link to comment
Share on other sites

Maybe the plug is a RJ45 but that doesnt garantee that its using Ethernet... If wireshark doesnt see anything then it might not be using Ethernet but maybe RS424 232 485.. the later one is comonly used in control system over coper twisted pair and UTP cable being cheaper than control STP it could be it...

Otherwise check your wireshark setup are you able to sniff other network, maybe you ned to reinstall winpcap...

Edited by madhak
Link to comment
Share on other sites

Good thinking on Reinstalling Winpcap. Can never be too safe.

So update***

I found the central switch that the elevators are plugged into! WAHOO!! I was lucky enough to talk to one of the installers of the place, he mentioned it was a "Net..something" and described the box, etc.

Matches the IP Scheme, Matches his description, Cable count matches perfectly, PROGRESS!!

Now to begin the "Fun" Part.. The switch (Assuming it's the correct one) shows all 5 (really has 6, not sure why) RJ45 lines are "hot", but why is only 2 of the 5 Workstations funtioning Nominally? Something doesn't add up...

Link to comment
Share on other sites

Maybe a dumb question but are the NIC's interfaces enabled on the other nodes that aren't responding? Also, are they on the same subnet, or possibly segmented to another VLAN? Can you log into the switch and see if even the switches interfaces are up for the workstations you can't speak to and what each switch port is set to?

Another thought, go to each workstation with a line tester, disconnect the cable from the workstation and test the signal back to the switch. Maybe the cables are bad. You could test the workstations themselves with a cross over cable and setup a tftp server on your laptop and the workstations to try and send a text file back and forth just to see if the nic's are working as well if they are enabled.

Also, how long are the cables? Ethernet does have a max length at which the signal will eventually die off without another switch or bridge.

http://en.wikipedia.org/wiki/Category_5_cable#Maximum_cable_segment_length

Only other thing I could think of is interference from some other electrical source like someone ran the lines over an electrical conduit or installed something recently near the cables that have no signal to the other workstations. Kind of trial and error with various things to look for and hunt down...

Link to comment
Share on other sites

The problem doesn't so much appear to be that there IS no signal - the board is responding to the signal. The guy just can't capture it for some reason.

I'm guessing that by hot you mean the data lines are connected. This doesn't imply protocol, let alone TCP.

And maybe a stupid question, but since the line is unique to the elevator, did you sniff while changing the board contents? Some managed switches can be made to ignore all but the known MAC addresses.

I used to work at a bank where I wasn't allowed to plug in my laptop (they set up some dinky toy PC for me to get frustrated over while trying to work) so I came in one morning after a somewhat late night (ahem) and set things up before my morning coffee... Bad idea to do anything before your morning coffee... Anyways, plugged in. Knew I wouldn't get internet there so I wasn't even trying or expecting anything or even aware I had plugged it in. Went to the coffee corner to wake up and on my way back with a nice cup filled with the fuming, liquefied remains of a thousand fallen angels, poised to rid my mortal coil of any residual sleep tendencies (yes, it really was THAT good). I find one of the security guys at my desk along with an admin...

"Why is it plugged in? You know you're not supposed to do that."

Made some excuses, showed the admin guy the ifconfig for the interface which resulted in 1) props to me because I ran Linux which, in those days especially, tended to mean you knew a thing or two about running a system and 2) acceptance of the fact I just goofed and if I just unplugged the wire things would be cool.

Apparently when an unauthorized MAC is attached, the switch not only completely denied all access, but it also sent out an alert... Who knew?

Edited by Cooper
Link to comment
Share on other sites

Good call @Cooper - Yeah, depending on the device, switch ports can be set with the "sticky bit" enabled, which will record the first MAC address known when a device is plugged into it. If another MAC address becomes seen on the same switch port, it blocks access to unknown MAC addresses or can even shut the switch port down, so if someone came in and moved cable "a" from port 1 to port 2 and cable "b" from port 2 to port 1, the switch would see a different MAC address and stop communicating with the nic at the other end. Same if you plugged your laptop in at the workstations using their cable, you could potentially lock the switch port depending on the switch capabilities.

Link to comment
Share on other sites

All very valid points that I am taking to heart on this (This project is my child practically.)

I have noticed that from the computer that can change the adverts around (it doesn't handle the "daily events" but the virtual player itself" if I sniff on that port, I saw that there was a nice Spanning Tree protocol on that block. I couldn't tell if anything was shut off or not, but i'm still in investigation.

Seriously, Thanks guys for the input!

...Also I completely understand, No work before the morning constitution of Java.... Mandatory..

Link to comment
Share on other sites

Sorry all, forgot to add in the basic cable topology (to get an iDea for cable length... see what I just did there?)

Cables run anywhere from 9 feet off the Lobby (Ground Floor) to the 21st floor (Think Stories instead of actual floors) , and sounds like they return to the 12th floor for the main switch. In the elevator room at the top it looks like the CAT5e (I believe) runs through an amplifier provided by the elevator company (Circular punchdown of some sort. Annoying because the only labeling "161, 162,167, etc." and we only have Schematics for inside the Elevator cars themselves.

Edited by Bountyhunter50
Link to comment
Share on other sites

Sorry all, forgot to add in the basic cable topology (to get an iDea for cable length... see what I just did there?)

Cables run anywhere from 9 feet off the Lobby (Ground Floor) to the 21st floor (Think Stories instead of actual floors) , and sounds like they return to the 12th floor for the main switch. In the elevator room at the top it looks like the CAT5e (I believe) runs through an amplifier provided by the elevator company (Circular punchdown of some sort. Annoying because the only labeling "161, 162,167, etc." and we only have Schematics for inside the Elevator cars themselves.

21 + 9 X 10 = 300 -9 = 291 feet. That's not counting how far down the hallway the switch is from the elevator, or slack loops. You're really close to the limit. You can go over the limit(you shouldn't), but you're running into degraded signal territory. If you can get your hands on a fluke linkrunner you'll be able to test the cables for shorts, crosses and total length. They're not cheap, but they're worth it.

Also something to look at, from what I've seen from elevator shafts, your cables are probably in the same bundle of wire as the car's electric supply cables. That long of a run next to ac lines is probably inducing quite a bit of voltage and noise into your data cables. If it was up to me, I'd install fiber media converters on the car and the top of the shaft. That will get rid of your length problem and electrical noise problem.

Edited by barry99705
Link to comment
Share on other sites

barry99705 made some good points as well. Depending on the number of stories average buildings 20 stories is between 250-300+ feet(or more from what I googled but thats quoting best guess) depending on the structure of the building and ceiling height, air ducts, plumbing and other such extra space between floors for maintenance rooms, etc. 100 meters is like 328 feet so that would be near the limit for signal loss issues without a repeater/bridge, but if 2 of the nodes work and are all same length then either signal interference on the other cables, possible bad cables, or even like mentioned before, switchport security is on and disabled the port for unknown mac addresses maybe.

I think you'll need more investigating on if the cables can send and receive data first though, and take the switch and workstations out of the loop to test the lines first and work backwards from there. If the cables are working then its on the equipment ends(nic, workstation, bad switchport, disabled or I would think misconfiguration on the switch).

Link to comment
Share on other sites

So our current thinking is that, while the board can reliably receive a signal, whatever machine he tied to the plug can't and this is because of an insufficiently strong signal on the wire...?

I'm still more inclined to believe it's RS232 or some variant over an UTP cable.

Can you open up the board and maybe take a picture of it and/or specify what's written on the chip that appears to be attached to the plug? Either side of the connection will do.

Link to comment
Share on other sites

So our current thinking is that, while the board can reliably receive a signal, whatever machine he tied to the plug can't and this is because of an insufficiently strong signal on the wire...?

I'm still more inclined to believe it's RS232 or some variant over an UTP cable.

Can you open up the board and maybe take a picture of it and/or specify what's written on the chip that appears to be attached to the plug? Either side of the connection will do.

The board on the main switch or Workstation? VERY limited to opening up items (Corporate would rain down on me with a #$%% Fire).

If it's worth noting, the main switch does have a console/RS232 9-pin port

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...