Find an unknown static IP + subnet mask of device?

32

8

I have a device set with a static IP and subnet mask. I do not know the IP or subnet mask. How can I find the devices IP and subnet mask?

It is a piece of hardware, not a PC. It will not take an IP from DHCP. I have also tried directly plugging in a LAN cable from my PC to the device with Wireshark running to see if I could capture any packets from the device when it starts or has an Ethernet cable plugged in to it – but there appears to be nothing.

The device appears to be working as it flashes on the Ethernet ports.

Is there any software to do pingsweeps across IPs and networks?

gpresland

Posted 2011-06-25T12:04:00.727

Reputation: 480

If you tell us what the device is, people might know how to find out without connecting it to the network, or what they are usually set to. – EightBitTony – 2011-06-25T12:28:32.773

1the device is a proprietary industrial device that was custom made by a europian company. nobody should know what it is. it is the weekend though and cannot get ahold of the company. – gpresland – 2011-06-25T12:35:59.587

The Wireshark should have done it. I would reset the device and just give it the IP you want again. – KCotreau – 2011-06-25T12:37:13.833

Wireshark will capture all packets even on different networks and without proper default gateways correct? straight Ethernet from PC to device on different networks. – gpresland – 2011-06-25T12:41:24.483

Is it even possible to comunicate with the device if e.g. device ip = 10.0.0.9 while router's ip = 192.168.1.1 ? – bbaja42 – 2011-06-25T15:55:56.857

@bbaja42 I believe a packet Sniffer or ARP scanner can detect it. – gpresland – 2011-06-25T16:33:53.360

@Fase How did you solve this issue? I am having the same problem and don't see any packets from the device using Wireshark. (Humorously it is also a proprietary industrial device made by a European company.) – Michael Koval – 2012-02-25T02:00:31.647

@Mike Koval If I recall correctly, I was able to communicate with it by plugging the WAN port directly into a laptop. I used WireShark to sniff all traffic, and once I found an IP address it was trying to communicate with (it was a public IP) I set the IP of my computer as the public IP. I then continued to sniff with WireShark and got a whole lot more information including private IPs from it now via the WAN port since it trusted me as I had a public IP it was supposed to talk to. I then set my IP to a private IP in its range and plugged in to a LAN port. – gpresland – 2012-02-29T14:17:25.387

@Fase The device I am using is not generating any traffic in Wireshark, so I guess I am having a different issue. Thanks anyway for your help! – Michael Koval – 2012-03-03T02:47:46.293

@MichaelKoval: Does the port light come on when connected directly to your laptop? You might need a crossover cable. – David Schwartz – 2013-01-26T17:42:56.483

Answers

21

3 steps

  1. Download, install and start wireshark
  2. Connect the device to the computer with the cable
  3. Restart the device (unplug and plug it back to the power line)

In case the device has a static IP, it should(might) broadcast it's IP on the network, which you should detect with the wireshark.

In case the device has dynamic IP set up, it will ask for an IP adress, in which case connecting it to a router or a computer with DHCP server will resolve the issue.

Note, just today I've seen the sys admin use these steps to find out an unknown IP from the device :)

bbaja42

Posted 2011-06-25T12:04:00.727

Reputation: 2 815

1yes, this helps you to find the ip address. But you still won't know the subnet mask of the device. – bvdb – 2016-04-27T21:25:32.993

1@bvdb But that can fairly easily be done by process of elimination or bisection. – David Schwartz – 2017-05-27T10:56:06.403

7

You could try Angry IP Scanner or, if you have a Linux server, use arp-scan.

Linker3000

Posted 2011-06-25T12:04:00.727

Reputation: 25 670

2I am using this but to manually change my LAN subnet mask over and over again is tiring. – gpresland – 2011-06-25T12:26:08.157

6

I recommend netdiscover. You can use it in passive listening mode and detect incoming ARP announcements (using the -p switch) , or just apply some brute force:

netdiscover -S -f -i eth0

Note that this is incredibly fast compared to nmap (maybe I did not tune nmap well enough).

Also that the method suggested in the currently accepted answer (sniffing for ARP announcements using Wireshark) essentially is what the -p mode is doing.

Jan-Philip Gehrcke

Posted 2011-06-25T12:04:00.727

Reputation: 472

5

Try this command, it will ping all possible broadcast addresses.

ping 255.255.255.255

Darek

Posted 2011-06-25T12:04:00.727

Reputation: 886

4Does that work in Linux, because it won't in Windows. – KCotreau – 2011-06-25T12:36:01.070

@KCotreau It does on Unix, yeah, although I'm not so sure if it delivers the right info. – slhck – 2011-06-25T12:37:08.383

3Windows says it cannot ping that address. Guess its Unix only. – gpresland – 2011-06-25T12:42:30.303

5

Assuming that it is plugged into a managed switch, find the switch that it is plugged into, and track it down to the specific port. Log into the switch, and look at the mac-address that is associated with that port. In Cisco land, it would be something along the lines of show mac-address-table | i 5/34 where 5/34 is the port that the device is plugged into.

Once you have the mac address of the device, then you can look at the arp tables on the switch, which should show you an IP. Again, in Cisco, it would be something like sh arp | i FFFF where FFFF is the last 4 characters of the device's mac address.

That will get you as far as the IP address. The you should be able to use a tool like wireshark to watch the traffic, and glean the netmask from the traffic.

Kirk

Posted 2011-06-25T12:04:00.727

Reputation: 2 182

I don't have a cisco router or switch. the device is directly attached to a PC. – gpresland – 2011-06-25T17:20:55.087

It is connected to the PC via an ethernet cable? What does your arp table in windows show? – Kirk – 2011-06-25T17:50:31.467

4

this has helped me a few times on Windows.

arp -a

This displays the networks neighbour cache. Its a local cache of IP/MAC address resolutions. Useful to identify new devices that have joined a network and duplicate static IPs.

PodTech.io

Posted 2011-06-25T12:04:00.727

Reputation: 141

Can you explain what this command does? – djsmiley2k TMW – 2017-05-31T16:27:53.153

1just added, hopefully that helps. – PodTech.io – 2017-06-01T08:18:35.807

4

In OSes that don't let you ping the all-ones broadcast address (255.255.255.255), you can usually still ping the "All Hosts" multicast address:

ping 224.0.0.1

All IP stacks for two decades have supported multicast, so they should all respond to that, unless they have an overzealous firewall.

Spiff

Posted 2011-06-25T12:04:00.727

Reputation: 84 656

1

I had success on my Linux box using a USB-Ethernet adapter (like this one), and issuing:

$ ping -I eth2 -b 255.255.255.255

Jonathon Reinhart

Posted 2011-06-25T12:04:00.727

Reputation: 2 917

0

Use nmap:

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Rob

Posted 2011-06-25T12:04:00.727

Reputation: 9

3how do I find network nodes with nmap when I don't know the network? – gpresland – 2011-06-25T13:25:12.480

Asked: 2011-06-25T12:04:00.727

Viewed: 179 347 times

Active: 2017-10-15T19:12:29.550