This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Finding a rogue IP address

0

Hi all, please forgive me, my IP and network knowledge is very limited. I occasionally work in a factory refurbishing second-hand IP security equipment (cameras, NVRs etc). The equipment is not usually marked with where it came from, and is very difficult to default back to factory presets (you have to pull the cases apart, and use a null modem serial cable and use lynx commands to default them, which takes ages - and you have to default it, you can't change the IP address using this method). I'm hoping that there is a way that I can plug these devices into the existing network and scan for and identify the device's IP address, so that I can re-program it using a web interface. Can Wireshark do this, maybe with filtering commands, or is there another product that I can use maybe?

thank you.

asked 27 Mar '14, 08:12

John Green


3 Answers:

0

A simple way to do this would be to connect it with a cross-cable directly to the laptop, or to connect it to a little hub. Make Wireshark sniff for traffic and if you're lucky you should see traffic coming from the camera. No device (that I know of) is completely quiet on the network. They're always searching for DNS-servers, a default gateway, websites to check for software updates, ARP-requests for all this, etc.

You'll also see some garbage coming from your own laptop, but it shouldn't be too difficult to see what is your own traffic, and what is not.

answered 27 Mar '14, 08:50

robstar

0

If you do this on a regular basis it's likely worth investing in a small aggregating tap or a cheap switch that supports port mirroring to passively capture the device's traffic. This will quickly show you any traffic generated by the device including its IP address.

answered 27 Mar '14, 08:52

Gerald Combs ♦♦

While this is true it's not necessary in this case, because the IP security equipment doesn't work yet (it still needs to be reconfigured). So a simple cross cable already does the trick of discovering the IP-address of the device.

But yes, if John thinks he might need to troubleshoot while the device is actually active (and working) these things are better. But John says his knowledge about these things is very limited.

John, don't forget you need to reconfigure the IP-address of your laptop if you want to be able to actually reach the equipment. The IP of your laptop needs to be in the same subnet. (just saying)

(27 Mar '14, 09:01) robstar
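The passive approach described in the answers above (capture on a direct cable, hub, tap or mirror port, ignore your own laptop's traffic, and read the device's address from what is left) can be sketched as follows. This is an added example, not code from the original thread or from Wireshark; the function names and the sample frames are hypothetical and constructed, and it assumes untagged Ethernet II frames carrying ARP or IPv4.

```python
import ipaddress
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def source_addresses(frame):
    """Return (src_mac, src_ip or None) for one raw Ethernet II frame."""
    if len(frame) < 14:
        return None                          # truncated frame
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype, payload, ip = int.from_bytes(frame[12:14], "big"), frame[14:], None
    if ethertype == ETH_ARP and len(payload) >= 28:
        ip = payload[14:18]                  # ARP sender protocol address
    elif ethertype == ETH_IPV4 and len(payload) >= 20:
        ip = payload[12:16]                  # IPv4 source address
    if ip in (None, bytes(4)):               # 0.0.0.0: no address configured yet
        return src_mac, None
    return src_mac, str(ipaddress.IPv4Address(ip))

def find_devices(frames, own_mac):
    """Map every source MAC except our own to the IPv4 addresses it used."""
    seen = defaultdict(set)
    for mac, ip in filter(None, map(source_addresses, frames)):
        if mac != own_mac.lower():
            seen[mac].update([ip] if ip else [])   # keep address-less MACs too
    return dict(seen)

def _frame(mac, ethertype, src_ip, dst_ip):  # builds one constructed test frame
    m = bytes.fromhex(mac.replace(":", ""))
    s, d = (ipaddress.IPv4Address(a).packed for a in (src_ip, dst_ip))
    if ethertype == ETH_ARP:
        body = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + m + s + bytes(6) + d
    else:
        body = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, s, d)
    return b"\xff" * 6 + m + struct.pack("!H", ethertype) + body

LAPTOP, CAMERA, NVR = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE = [  # constructed frames, not from a real capture
    _frame(CAMERA, ETH_ARP, "192.168.50.23", "192.168.50.1"),   # device asking for its gateway
    _frame(LAPTOP, ETH_IPV4, "169.254.10.10", "224.0.0.251"),   # our own laptop's chatter
    _frame(CAMERA, ETH_IPV4, "192.168.50.23", "192.168.50.1"),
    _frame(NVR, ETH_IPV4, "0.0.0.0", "255.255.255.255"),        # DHCP-style broadcast
    b"\x00" * 5,                                                 # truncated frame
]

if __name__ == "__main__":
    for mac, ips in find_devices(SAMPLE, LAPTOP).items():
        print(mac, sorted(ips) or "no IPv4 address seen (DHCP client?)")
```

A device that only ever sends from 0.0.0.0 is listed with no address, which usually means it is waiting for DHCP rather than holding a static configuration.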

0

> and you have to default it, you can't change the ip address using this method

I don't see how it will help you to figure out the IP address. If the address is not set to a default value, it is very likely that the username/password has been changed as well.

> scan for and identify the device's IP address, so that I can re-program it using a web interface.

Well, you might be able to access the web interface, but you (probably) won't be able to log in as you don't know the username and password, unless those devices offer a secret/hidden 'reset the device without admin credentials' URL (which I doubt).

So, sorry but I think you'll have to walk the bumpy road....

Look at it this way: That amount of work you have to invest is the value you add to those refurbished devices ;-))

Regards
Kurt

answered 27 Mar '14, 11:36

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%