+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 23
Wired Networks Thread, Identify a network device in Technical; A device has taken an IP address on the network and I am trying to identify it but how? I ...
  1. #1
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 16 Times in 15 Posts
    Rep Power
    21

    Identify a network device

    A device has taken an IP address on the network and I am trying to identify it but how?

    I have tried

    ipconfig -a xxx.xxx.xxx.xxx and I get a reply but no name

    getmac /S xxx.xxx.xxx.xxx and I get Error:the RPC server is unavailable

    nbtstat -a xxx.xxx.xxx.xxx and I get host not found

    I have tried SolarWinds IPaddress Tracker which can see the device but does not report what it is

    The Dude also can see the device but just reports it as some device

    I a now looking for another idea to identify this device

  2. #2


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,630
    Thank Post
    275
    Thanked 777 Times in 604 Posts
    Rep Power
    223
    If you've managed switches, interrogate them to see where it's connected. You should be able to pull a MAC <> Port list. If it's a wireless device look at the APs it's associating (or attempting to associate) with for an idea of physical location.

    Search for the MAC address here: IEEE-SA - Registration Authority OUI Public Listing as well, for an idea of who makes the network interface.

    And get a copy of nmap (nmap.org) and use something like:

    Code:
    nmap -A IP.AD.DRE.ESS
    to get more of an idea about the type of device. Guide here: Nmap Network Scanning - basic usage is available in the usual way (manpages or nmap /? on windows).

    On a mobile device, Fing (free on Google Play and iirc Apple's App Store) does a reasonably decent job of guessing mac vendors.

  3. Thanks to pete from:

    plexer (18th June 2013)

  4. #3

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,348
    Thank Post
    625
    Thanked 1,584 Times in 1,421 Posts
    Rep Power
    414
    Weird that's exactly what I was doing yesterday whilst tracking what was connected to ports on a switch I looked up the mac table for the particular switch port and then looked up the coportations who have those mac address prefixes allocated to them

    Ben

  5. #4
    Gibson335's Avatar
    Join Date
    May 2008
    Posts
    930
    Thank Post
    257
    Thanked 133 Times in 106 Posts
    Rep Power
    79
    A telnet might give you a clue in its reply?

  6. #5
    Galway's Avatar
    Join Date
    Jun 2007
    Location
    West Yorkshire
    Posts
    1,323
    Thank Post
    9
    Thanked 300 Times in 209 Posts
    Rep Power
    99
    Id try everything to just block it and not allow it to gain an IP address and wait for the device to find you.

  7. #6

    Danp's Avatar
    Join Date
    Jul 2011
    Posts
    1,446
    Thank Post
    78
    Thanked 168 Times in 148 Posts
    Rep Power
    147
    If I spot something I cant identify then it gets added to the deny list and deleted. If genuine, they will soon be in touch.

  8. #7
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 16 Times in 15 Posts
    Rep Power
    21
    Quote Originally Posted by pete View Post
    If you've managed switches, interrogate them to see where it's connected. You should be able to pull a MAC <> Port list. If it's a wireless device look at the APs it's associating (or attempting to associate) with for an idea of physical location.

    Search for the MAC address here: IEEE-SA - Registration Authority OUI Public Listing as well, for an idea of who makes the network interface.

    And get a copy of nmap (nmap.org) and use something like:

    Code:
    nmap -A IP.AD.DRE.ESS
    to get more of an idea about the type of device. Guide here: Nmap Network Scanning - basic usage is available in the usual way (manpages or nmap /? on windows).

    On a mobile device, Fing (free on Google Play and iirc Apple's App Store) does a reasonably decent job of guessing mac vendors.

    I have now managed to identify it as an Intel device (great) I can't telnet into it, I have also tried Putty with no luck

    What tool are you using to interrogate your switches? I have just found one called Managed Switch Port Mapping Tool Download Switch Port Mapper 30 Day Trial Software but its very slow

  9. #8

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,729
    Thank Post
    3,252
    Thanked 1,049 Times in 971 Posts
    Rep Power
    364
    Used LANView http://archive.org/details/tucows_271684_LANView

    Seemed to work well, then was just a case of walking around and finding the pc or device and disconnecting it

    If its a students laptop etc then as above deny it or reserve a dhcp ip address thats not on your ip range ??
    Last edited by mac_shinobi; 18th June 2013 at 02:07 PM.

  10. #9
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 16 Times in 15 Posts
    Rep Power
    21
    see this is where it gets very strange the said IP is not in a DHCP range and only came to my attention yesterday when I was dealing with an issue with a server.

  11. #10

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,729
    Thank Post
    3,252
    Thanked 1,049 Times in 971 Posts
    Rep Power
    364
    Quote Originally Posted by edie209 View Post
    see this is where it gets very strange the said IP is not in a DHCP range and only came to my attention yesterday when I was dealing with an issue with a server.
    Seems jxdev don't exist anymore and may have to download a trial demo version of LAN View ( although it had a few columns which allowed me to cross reference the mac address with the hostname of the device etc )

    What about angry ip scanner ? Think you can do the same on this - although come to think of it you mentioned that its not on the same ip range as your dhcp scope ?

    the nmap suggestion above is a good one so will just stay subscribed and keep an eye on this thread
    Last edited by mac_shinobi; 18th June 2013 at 02:16 PM.

  12. #11

    Join Date
    Mar 2008
    Location
    Medway, Kent
    Posts
    129
    Thank Post
    23
    Thanked 28 Times in 25 Posts
    Rep Power
    17
    have you tried putting the ipaddress into a web browser to see if you can connect to it?

  13. Thanks to glen_j from:

    mac_shinobi (18th June 2013)

  14. #12


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,630
    Thank Post
    275
    Thanked 777 Times in 604 Posts
    Rep Power
    223
    Quote Originally Posted by edie209 View Post
    I have now managed to identify it as an Intel device (great) I can't telnet into it, I have also tried Putty with no luck

    What tool are you using to interrogate your switches? I have just found one called Managed Switch Port Mapping Tool Download Switch Port Mapper 30 Day Trial Software but its very slow
    I ssh into the backbone switch (Procurve in the below example) and use:

    Code:
    show mac-address MACADDRESSIMLOOKINGFOR
    Say it appears on port E2

    Code:
    show name E2
    Which (because I've labelled all the ports on the backbone switch) will tell me it's the English Block.

    If you haven't diligently labelled your ports, using

    Code:
    show lldp info remote-device E2
    Should at least give you the hostname and IP address (if it's a switch/router/ap/whatever).

    Then I shell into the English block switch and query the mac address as I did on the backbone.

    There are more elegant ways of doing it - say the mactrack plugin for Cacti (Disclaimer: I've eyed this up, but never actually used it) should I wish to spend the time setting it up, but it's an infrequent need for me.

  15. #13
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 16 Times in 15 Posts
    Rep Power
    21
    Quote Originally Posted by glen_j View Post
    have you tried putting the ipaddress into a web browser to see if you can connect to it?
    Yes it just refuses connection

  16. #14

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,348
    Thank Post
    625
    Thanked 1,584 Times in 1,421 Posts
    Rep Power
    414
    If you can track the mac address down to a specific switch port and it looks like it's the actual device connected or the actual device connected is a wireless access point then you can identify which physical wall port is connected to that switch port and go find it?

    Ben

  17. #15

    Join Date
    Jan 2013
    Posts
    96
    Thank Post
    23
    Thanked 11 Times in 10 Posts
    Rep Power
    5
    How about something like wireshark on a machine upstream filtered by the ip address. You might be able to find out what / if any traffic is being generated.

  18. Thanks to mikeyd101 from:

    mac_shinobi (18th June 2013)

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Shares and Network devices visibility...
    By Ben-BSH in forum Wireless Networks
    Replies: 3
    Last Post: 4th November 2009, 02:53 PM
  2. Unknown network device
    By leco in forum How do you do....it?
    Replies: 11
    Last Post: 7th January 2009, 08:04 PM
  3. Disable Network Device
    By FN-GM in forum Scripts
    Replies: 2
    Last Post: 10th December 2008, 12:57 PM
  4. Replies: 6
    Last Post: 2nd September 2008, 08:18 PM
  5. Small cheap network device with basic webserver?
    By pete in forum Wireless Networks
    Replies: 1
    Last Post: 13th June 2008, 09:08 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •