I am at a loss of finding the IP of the following device. Previous Firmwares would display the IP however all I am finding as the source is ( SclEleme_00:1f:a0 )
Is there any option with in Wireshark that could deceiver the IP ?
SclEleme_00:1f:a0 Broadcast BACnet-NPDU I-Am-Router-To-Network 200.821781000 1137 60
SclEleme_00:1f:a0 Broadcast BACnet-NPDU I-Am-Router-To-Network
200.821781000 1137 60
Frame 1137: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 5, 2014 15:28:35.345502000 Eastern Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1415219315.345502000 seconds
[Time delta from previous captured frame: 2.252785000 seconds]
[Time delta from previous displayed frame: 2.252785000 seconds]
[Time since reference or first frame: 200.821781000 seconds]
Frame Number: 1137
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:llc:bacnet:data]
[Coloring Rule Name: Broadcast]
[Coloring Rule String: eth[0] & 1]
IEEE 802.3 Ethernet
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
…. ..1. …. …. …. …. = LG bit: Locally administered address (this is NOT the fac
tory default)
…. …1 …. …. …. …. = IG bit: Group address (multicast/broadcast)
Source: SclEleme_00:1f:a0 (e4:ad:7d:00:1f:a0)
Address: SclEleme_00:1f:a0 (e4:ad:7d:00:1f:a0)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
Length: 12
Padding: 000000000000000000000000000000000000000000000000…
Logical-Link Control
DSAP: BACnet (0x82)
IG Bit: Individual
SSAP: BACnet (0x82)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
…. ..11 = Frame type: Unnumbered frame (0x03)
Building Automation and Control Network NPDU
Version: 0x01 (ASHRAE 135-1995)
Control: 0xa0
1… …. = NSDU contains: network layer message, message type field present.
.0.. …. = Reserved: Shall be zero and is zero.
..1. …. = Destination Specifier: DNET, DLEN and Hop Count present. If DLEN=0: broadcast
, dest. address field absent.
…0 …. = Reserved: Shall be zero and is zero.
…. 0… = Source specifier: SNET, SLEN and SADR absent
…. .0.. = Expecting Reply: Other than a BACnet-Confirmed-Request-PDU, segment of BACnet
-ComplexACK-PDU or network layer message expecting a reply present.
…. ..0. = Priority: Not a Life Safety or Critical Equipment message.
…. …0 = Priority: Normal message
Destination Network Address: 65535
Destination MAC Layer Address Length: 0 indicates Broadcast on Destination Network
Hop Count: 14
Network Layer Message Type: 01 (I-Am-Router-To-Network)
Destination Network Address: 40991
0000 ff ff ff ff ff ff e4 ad 7d 00 1f a0 00 0c 82 82 ……..}…….
0010 03 01 a0 ff ff 00 0e 01 a0 1f 00 00 00 00 00 00 …………….
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
0030 00 00 00 00 00 00 00 00 00 00 00 00 …………
asked 05 Nov ‘14, 13:43
Wall-IT
16●1●1●4
accept rate: 0%
edited 06 Nov ‘14, 01:54
grahamb ♦
19.8k●3●30●206
Any one with any ideas besides a massive arp request to derive the IP of the device from the MAC that was provided in the broadcast. ?
Up until now the broadcast after power cycling these devices included the IP.
Why a massive arp, surely one will do for the MAC address e4:ad:7d:00:1f:a0?