18th June 2013, 11:50 AM #1
Identify a network device
A device has taken an IP address on the network and I am trying to identify it but how?
I have tried
ipconfig -a xxx.xxx.xxx.xxx and I get a reply but no name
getmac /S xxx.xxx.xxx.xxx and I get Error:the RPC server is unavailable
nbtstat -a xxx.xxx.xxx.xxx and I get host not found
I have tried SolarWinds IPaddress Tracker which can see the device but does not report what it is
The Dude also can see the device but just reports it as some device
I am now looking for another idea to identify this device
18th June 2013, 12:09 PM #2
If you've managed switches, interrogate them to see where it's connected. You should be able to pull a MAC <> Port list. If it's a wireless device look at the APs it's associating (or attempting to associate) with for an idea of physical location.
Search for the MAC address here: IEEE-SA - Registration Authority OUI Public Listing as well, for an idea of who makes the network interface.
And get a copy of nmap (nmap.org) and use something like:
nmap -A IP.AD.DRE.ESS
to get more of an idea about the type of device. Guide here: Nmap Network Scanning - basic usage is available in the usual way (manpages or nmap /? on windows).
On a mobile device, Fing (free on Google Play and iirc Apple's App Store) does a reasonably decent job of guessing mac vendors.
18th June 2013, 12:18 PM #3
Weird, that's exactly what I was doing yesterday whilst tracking what was connected to ports on a switch. I looked up the MAC table for the particular switch port and then looked up the corporations who have those MAC address prefixes allocated to them.
18th June 2013, 12:21 PM #4
A telnet might give you a clue in its reply?
18th June 2013, 12:23 PM #5
I'd try everything to just block it and not allow it to gain an IP address and wait for the device to find you.
18th June 2013, 01:32 PM #6
If I spot something I can't identify then it gets added to the deny list and deleted. If genuine, they will soon be in touch.
18th June 2013, 01:34 PM #7
Originally Posted by pete
I have now managed to identify it as an Intel device (great). I can't telnet into it; I have also tried PuTTY with no luck.
What tool are you using to interrogate your switches? I have just found one called Managed Switch Port Mapping Tool Download Switch Port Mapper 30 Day Trial Software but it's very slow
18th June 2013, 01:56 PM #8
Used LANView http://archive.org/details/tucows_271684_LANView
Seemed to work well, then was just a case of walking around and finding the pc or device and disconnecting it
If it's a student's laptop etc then as above deny it or reserve a DHCP IP address that's not on your IP range ??
Last edited by mac_shinobi; 18th June 2013 at 02:07 PM.
18th June 2013, 01:59 PM #9
See, this is where it gets very strange: the said IP is not in a DHCP range and only came to my attention yesterday when I was dealing with an issue with a server.
18th June 2013, 02:10 PM #10
Seems jxdev don't exist anymore and may have to download a trial demo version of LAN View ( although it had a few columns which allowed me to cross reference the mac address with the hostname of the device etc )
Originally Posted by edie209
What about Angry IP Scanner? Think you can do the same on this - although come to think of it you mentioned that it's not on the same IP range as your DHCP scope?
The nmap suggestion above is a good one so will just stay subscribed and keep an eye on this thread
Last edited by mac_shinobi; 18th June 2013 at 02:16 PM.
18th June 2013, 02:23 PM #11
Have you tried putting the IP address into a web browser to see if you can connect to it?
18th June 2013, 02:34 PM #12
Originally Posted by edie209
I ssh into the backbone switch (Procurve in the below example) and use:
show mac-address MACADDRESSIMLOOKINGFOR
Say it appears on port E2
Which (because I've labelled all the ports on the backbone switch) will tell me it's the English Block.
If you haven't diligently labelled your ports, using
show lldp info remote-device E2
Should at least give you the hostname and IP address (if it's a switch/router/ap/whatever).
Then I shell into the English block switch and query the mac address as I did on the backbone.
There are more elegant ways of doing it - say the mactrack plugin for Cacti (Disclaimer: I've eyed this up, but never actually used it) should I wish to spend the time setting it up, but it's an infrequent need for me.
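The MAC-to-port and OUI lookups suggested in this thread, joined into one check. This is an added example, not part of any post: the ARP output, the ProCurve-style table, the addresses and the single OUI entry are constructed sample data, and the function names are hypothetical.

```python
import re
# Constructed sample data (not from the thread): Windows `arp -a` output, a
# ProCurve-style `show mac-address` table and a one-entry sample OUI table.
ARP_OUTPUT = """\
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.77             00-1b-21-3c-4d-5e     dynamic
  10.0.0.90             d6-11-22-33-44-55     dynamic
"""
SWITCH_TABLE = """\
  MAC Address   Port  VLAN
  ------------- ----- ----
  001b21-aaaaaa A1    1
  001b21-3c4d5e E2    1
  d61122-334455 E2    1
"""
OUI = {"001B21": "Intel Corporate"}
MAC_COL = r"[0-9a-fA-F]{6}-[0-9a-fA-F]{6}"  # MAC notation used in SWITCH_TABLE

def norm_mac(text):
    """Reduce any common MAC notation to 12 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def table_rows(text, pattern):
    """Yield the first two columns of rows whose first column matches pattern."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(pattern, fields[0]):
            yield fields[0], fields[1]

def vendor(mac):
    # First-octet bit 0x02 = locally administered (randomised/software-set): no OUI.
    if int(mac[:2], 16) & 0x02:
        return "locally administered, no OUI"
    return OUI.get(mac[:6], "unknown OUI")

def identify(ip):
    """Return MAC, vendor guess and switch port for ip, or None if not in ARP."""
    arp = {addr: norm_mac(mac) for addr, mac in table_rows(ARP_OUTPUT, r"[\d.]+")}
    if ip not in arp:
        return None
    seen = [(norm_mac(m), port) for m, port in table_rows(SWITCH_TABLE, MAC_COL)]
    port = next((p for m, p in seen if m == arp[ip]), None)
    # Several MACs behind one port means an uplink: repeat on the next switch.
    shared = sum(1 for _, p in seen if p == port) > 1
    return {"mac": arp[ip], "vendor": vendor(arp[ip]), "port": port, "uplink": shared}
```

When `uplink` is true the port leads to another switch or an access point rather than to the device itself, so the same lookup has to be repeated on the downstream switch.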
18th June 2013, 03:12 PM #13
Yes it just refuses connection
Originally Posted by glen_j
18th June 2013, 03:43 PM #14
If you can track the mac address down to a specific switch port and it looks like it's the actual device connected or the actual device connected is a wireless access point then you can identify which physical wall port is connected to that switch port and go find it?
18th June 2013, 04:44 PM #15
How about something like Wireshark on a machine upstream, filtered by the IP address? You might be able to find out what / if any traffic is being generated.