Find information for local IP address?

Question

We have had a BT engineer visit recently, trying to solve a problem with our IP phone system.

One point they made was that we had four DHCP servers running on the network. I have disabled two of them (one of them should be running) and tested everything is working as it should. However, the fourth DHCP server eludes me!

The device has an IP address of 192.168.1.59, I can successfully ping the IP address.

If I run 'nbtstat -a 192.168.1.59' I get the following result:

$ nbtstat -a 192.168.1.59
$ Local Area Connection:
$ Node IpAddress: [192.168.1.45] Scope Id: []
$ Host not found.

If I run RDP or VNC Viewer for the IP address they don't connect.

Is there any other way I can find out more about the device?

Ladadadada · Accepted Answer · 2011-11-11T11:19:41.000

12

nmap is great for this. Besides letting you know which ports the server is listening on (which is often enough to identify its operating system) it can also do OS fingerprinting which is usually quite good. The OS fingerprinting can often even identify printer models.

Try nmap -A -v 192.168.1.59

edited Nov 11 '11 at 11:19

answered Nov 10 '11 at 12:33

Ladadadada

25,847
7
57
90

unfortunately is not a native MacOS command – blagus Sep 06 '16 at 18:38
no, but like most other apps you can install it with `brew install nmap` – blockloop Mar 21 '17 at 02:37

score 6 · Answer 2 · answered Nov 10 '11 at 11:45

You can check your arp tables for the MAC address, which on UNIX is done with

arp -a -n | grep 192.168.1.59

I presume Windows has an analogue.

You can then cross-reference the first three octets of the MAC address with a vendor identification lookup, of which there are many on the web. One such is here (I know nothing about it, it just came up first in a google search). That should tell you who made the piece of equipment, which often helps in identifying it.

If you have manageable switches, you can also cross-reference that mac address with the spanning tree on the switch, which will tell you which switch port that MAC address appears on, which often identifies the individual cable that has the thing on the other end. How to talk to your managed switch depends on who made it, and is beyond the scope of a simple SF answer. This is the fastest method of finding a box in these cases, but it does require some network smarts and manageable switches.

Failing all that, you can try telneting to well-known ports; I often try 139 (getting a connection means it's either a Windows box or it's a unix box running SaMBa), 22 (the ssh banner can give hints as to the manufacturer) and 80 (if there's a web server running, typing GET /<CR><CR> often returns useful error text.

Once you get the mac-address of the device, you can look up what port the address was learned on if you have managed switches. — JakePaulus, Nov 10 '11 at 13:39
Yes, I agree, and I think that's what I said above in para 3. — MadHatter, Nov 10 '11 at 14:27

score 2 · Answer 3 · answered Nov 10 '11 at 11:45

Your nbtstat output seems to suggest that the device isn't a Windows host. Could it be a router, switch, firewall, WAP, etc?

In addition, there shouldn't be anything wrong with running multiple DHCP servers as long as they're configured correctly and don't have any overlapping Scopes.

Find information for local IP address?

3 Answers3