This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Find unknown static IP address of a device with known MAC address

0

Hi,

I have a Lantronix network device that has been returned from a customer which has had a static IP address set in it. I have none of the details of the network that it was installed in. I do have its MAC address. I have tried connecting the device directly to my laptop and running Wireshark, but I'm new to this and I can't work out how to determine its IP address from all the data packets.

Thanks

asked 18 May '16, 10:10

Matthew Butcher


4 Answers:

1

That's not the way to do it. Go to the device's manual and look up the reset procedure, usually something like holding some buttons on power on, or setting a loop between some ports. Otherwise you could set up a network scanner to sweep the IP address range you suspect the device to be on (usually a private range address). Unless the device autonomously sends packets (e.g. SNMP notifications, or NTP queries) there's little to see.

answered 19 May '16, 01:08

Jaap ♦

Though I agree there is no guarantee that this works, this is always my first stop. It's fast, costs almost nothing, and works often enough for me that probability is in my favor next time the issue comes around.

I have found many devices (luckily) will actually produce frames for me - like ARP requests for the default GW, ARP for some other host as part of the configuration, maybe some LLDP or CDP... The higher end the device, the more likely to get something here. Maybe it even implements RFC 5227 for dup IP detection and issues ARP probes/ARP announcements at boot...

Then, of course, sometimes nothing comes out. Then absolutely - time to get the manual out and do a factory reset.

(19 May '16, 03:24) Bob Jones

Unfortunately there doesn't seem to be a simple way to reset this device...

https://www.lantronix.com/products/xport-ar/

(19 May '16, 08:30) Matthew Butcher

Does the software application "Device Installer" from Lantronix not locate it?

(19 May '16, 08:37) grahamb ♦

As grahamb stated above, use "Device Installer", which is a software tool provided by Lantronix to locate and configure their devices.

http://www.lantronix.com/products/deviceinstaller/

(19 May '16, 21:59) Rooster_50

0

If you've connected the two only to each other, all frames (packets) you can see in your capture should have only one of two source MAC addresses: the one of your PC and the one of the blackbox. So apply a display filter (eth.src == bl:ac:kb:ox:ad:dr) and arp and if any packets remain in the list, they must have been sent by the blackbox, and they read, in the info column, Who has X.X.X.X? Tell Y.Y.Y.Y. And Y.Y.Y.Y is the IP of the blackbox.

For the miracle to happen, the blackbox has to feel a need to send something somewhere, or read something from somewhere, otherwise you are out of luck because it won't have any reason to send the ARP request you need.

A hint: don't connect them directly, insert a hub or switch between them, and use the following order of steps:

  1. connect only the PC to the switch and wait until the interface comes up
  2. start capturing with no capture filter
  3. connect the blackbox to the switch (and switch it on of course) and do whatever is necessary so that it would attempt to send or receive data.

The reason to do it the above way is that you normally cannot start a capture on an interface which is down, and the frames you need might come between the moment the interface came up and the moment you've started the capture if the blackbox doesn't have much to send/receive.

Knowing the IP address, you'll still have to guess the mask, as it cannot be determined from the ARP requests nor anything else normally seen on the wire. So your best choice is to set Y.Y.Y.(Y+1)/255.255.255.0 (except if the last byte would make 255, in that case use 253 instead) as the address/mask of your PC's interface and try to log in.

If you cannot catch any ARP request, Wireshark cannot help you and you'll have to use some scanning tool which will send ARP requests to the device's MAC, asking for all possible IP addresses one by one.

answered 19 May '16, 01:13

sindy

I have tried this today but unfortunately can't get the device to send/receive anything.

(19 May '16, 08:26) Matthew Butcher
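
The ARP check described in the answer above, extended to the RFC 5227 probe case mentioned in an earlier comment, as an added example that is not part of the original thread. It reads raw, untagged Ethernet frames (no VLAN header assumed); the function names, MAC addresses and IP addresses are made up for illustration.

```python
import ipaddress
import struct

ETH_ARP = b"\x08\x06"

def build_arp(src_mac, spa, tpa, op=1):
    """Constructed broadcast Ethernet+ARP frame for the demo (not captured traffic)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac + ipaddress.IPv4Address(spa).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(tpa).packed
    return b"\xff" * 6 + mac + ETH_ARP + arp

def device_ip_from_frames(frames, device_mac):
    """Return the IPv4 address the device reveals in its ARP frames, or None."""
    want = bytes.fromhex(device_mac.replace(":", ""))
    probed = None
    for f in frames:
        # Same test as the display filter: eth.src == device MAC and arp
        if len(f) < 42 or f[6:12] != want or f[12:14] != ETH_ARP:
            continue
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", f[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue  # not Ethernet/IPv4 ARP
        spa = ipaddress.IPv4Address(f[28:32])  # sender IP ("Tell Y.Y.Y.Y")
        tpa = ipaddress.IPv4Address(f[38:42])  # target IP ("Who has X.X.X.X?")
        if int(spa) != 0:
            return spa
        if op == 1 and probed is None:
            probed = tpa  # RFC 5227 probe: sender is 0.0.0.0, target is its own address
    return probed

def pc_address_guess(device_ip):
    """Y.Y.Y.(Y+1)/24 as suggested in the answer, or .253 if that would be .255."""
    a, b, c, d = device_ip.packed
    last = 253 if d + 1 >= 255 else d + 1
    return ipaddress.IPv4Interface(f"{a}.{b}.{c}.{last}/24")

# Constructed sample: MACs and addresses are made up for this example.
DEVICE = "02:00:00:aa:bb:01"
FRAMES = [
    build_arp("02:00:00:cc:dd:02", "169.254.7.7", "169.254.1.1"),  # the PC itself
    build_arp(DEVICE, "0.0.0.0", "192.168.1.254"),                 # probe at boot
    build_arp(DEVICE, "192.168.1.254", "192.168.1.1"),             # ARP for its gateway
]

if __name__ == "__main__":
    ip = device_ip_from_frames(FRAMES, DEVICE)
    print(ip, "->", pc_address_guess(ip))
```

If the device only ever sends probes, the "Tell" address is 0.0.0.0 and the address to read is the "Who has" target instead.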

0

Not to overlook a potentially simple and easy solution, have you tried simply asking the customer what the static IP address was set to on the device?

answered 19 May '16, 09:15

cmaynard ♦♦

0

Try arping? Or if you're running Windows, arp-ping?

answered 19 May '16, 09:32

cmaynard ♦♦