This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I've been noticing a few unknown devices keep appearing on my PC under my network - which prompted me to inventory our home network. I downloaded your program and have been trying to learn all I can. I am concerned about two different devices that keep showing up on my PC when I open Windows Explorer and select Network. These devices only show me their MAC address and an assigned name such as Full_Arial. There is no IP address, nor do I see these MAC addresses on our router. I tried to look up the MAC address from your site and it comes back as private. Can your software help me to determine what these devices are?

asked 28 Dec '15, 15:44

MissC


Wireshark passively shows you the contents of packets it can see on the network interfaces, so unless the devices write something like "I am a refrigerator <vendor> <model>" into the packets they send, Wireshark can only assist your own investigation of what those devices are.

Too much is unknown about your network, so the fact that the home router cannot see the MACs may be because the devices use some protocol other than IP, so your PC can detect them using that protocol while your router cannot because it uses only IP and below. Or they may use IP but be connected to some other network interface of your PC than the one which looks towards the router. Finding this out is what you can use Wireshark for - on a freshly rebooted Windows machine, start a Wireshark capture on all available network interfaces first, and then go to Windows Explorer -> Network. If you are lucky, the actual detection of network neighbourhood takes place only after you open that window.

After the ghost devices show up, you would stop the capture and apply a display filter eth.addr == 00:08:15:00:08:15 (of course using the MAC address of the ghost device you are trying to identify). This should allow you to identify the protocol and physical interface through which they are connected, because you'll see both as fields of the frames which the display filter selects.

answered 29 Dec '15, 01:01

sindy

If you know the MAC address, you can look it up here:

https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries

Under Select a product, choose "ALL MAC"

Under Search results look, enter the first 3 bytes of the MAC address, for example:

00-08-15

From there, you can determine the company that has listed the MAC (in our example, CATS Co., Ltd).

The above procedure only works for devices that are publicly listed (i.e., MAC addresses that are not locally administered = The address must start with “02” in the most significant byte).

answered 29 Dec '15, 07:19

Amato_C
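The two answers above combine into one triage step, shown here as an added example that is not part of either answer or of Wireshark. It normalizes a MAC address, reads the two flag bits in its first octet (0x02 = locally administered, 0x01 = group/multicast), and returns either the 3-byte prefix to type into the IEEE registry search or nothing when a vendor lookup cannot apply, plus the matching `eth.addr` display filter. The function names are hypothetical and every sample address except 00:08:15:00:08:15 is constructed.

```python
import re

def parse_mac(text):
    """Accept 00:08:15:.., 00-08-15-.. or 0008.1500.0815 and return the 6 raw bytes."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Decide whether a registry lookup of the first 3 bytes can identify a vendor."""
    mac = parse_mac(text)
    local = bool(mac[0] & 0x02)   # U/L bit: set = locally administered (randomized, virtual, set by software)
    group = bool(mac[0] & 0x01)   # I/G bit: set = multicast/broadcast, a destination rather than a device
    prefix = None
    if not local and not group:
        # Universally administered unicast address: the first 3 bytes are the registry search key.
        prefix = "-".join(f"{b:02X}" for b in mac[:3])
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "locally_administered": local,
        "multicast": group,
        "registry_search": prefix,
    }

def display_filter(text):
    """Build the Wireshark display filter from the answer above for this address."""
    return "eth.addr == " + ":".join(f"{b:02x}" for b in parse_mac(text))

if __name__ == "__main__":
    samples = [
        "00:08:15:00:08:15",   # example address used in the answers
        "DA-A1-19-12-34-56",   # constructed: first octet 0xDA has the 0x02 bit set
        "0100.5e00.00fb",      # constructed: group address in dotted notation
    ]
    for s in samples:
        info = classify_mac(s)
        if info["registry_search"]:
            verdict = "search registry for " + info["registry_search"]
        elif info["multicast"]:
            verdict = "group address, not a single device"
        else:
            verdict = "locally administered, no vendor prefix to look up"
        print(f"{info['mac']}  {verdict}  [{display_filter(s)}]")
```
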

question asked: 28 Dec '15, 15:44

question was seen: 4,179 times

last updated: 29 Dec '15, 07:19