IP Addresses: Lost and Found (Part 1 of 2)

19.09.2013 Gilbert Liu

How many times have you been unsuccessful in trying to find the IP address of a device using an IP scanner? Too many to count, some might say.

But why?

Most IP scanners are ineffective at looking across an entire network. Usually they will only scan IP addresses within the subnet of the connected network. These scanners often determine device information by cycling through a pre-defined IP address range and reading a combination of received information such as ICMP echoes (pings) and reverse DNS lookups.

The reality of the problem is that the device doesn’t always lie on the same subnet as the computer that’s doing the IP scanning. In the event that it is, there is still no guarantee that your device will respond to ICMP echoes (ping requests). It’s an unreliable method and if you ask me – a time waster.

Fortunately, a powerful tool is here to help – Wireshark.

Some say it’s the network engineer’s equivalent of a Swiss army knife. We couldn’t agree more. It features packet inspection, filtering, capturing, and a whole host of useful extras. This tool may be new to some, in which case some excellent tutorials to give you a kick-start are available here:

Once you are familiar with Wireshark, finding the IP address of another device on the network is relatively straightforward. This is possible even if the device is on a different subnet and doesn’t respond to any ICMP requests.

This tutorial covers finding the static IP address of any IP-based device. This is possible because IP networking has a built-in mechanism for hardware address resolution, the Address Resolution Protocol (ARP). We rely on this mechanism because 99.9% of the time (unless the device follows another standard) the device will issue an ARP request on start-up, broadcasting its IP address to virtually everyone on the network.

Ideally, this should be performed on a wired network that is isolated so that it contains only your computer running Wireshark, a switch, and your device. This makes your device's traffic unique in the capture, which lets you find the MAC address of the device if it is unknown.

Here's how -

  1. Start a capture on Wireshark.
  2. Filter packets based on MAC address.

    This is done by navigating to Statistics > Endpoints on the main toolbar. The main purpose of this window is for hardware address filtering of the captured packets.

    By default, Wireshark will have automatic name resolution enabled. This shows the manufacturer name of the device. To show the full device MAC address, simply deselect the resolution check box.
  3. Inspect the ARP requests.

    The ARP requests will contain IP and MAC address information regarding the sender and receiving parties. Upon inspection, the important ARP requests are those which are sent by the device.

    It is possible to filter for only that device by using its MAC address in the filter area as:
  4. Search for the sender IP.

    The sender IP can be found within the ARP request packet. This will be your device IP.
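
The following Python is an added example, not code from the original article: it parses raw Ethernet frames, keeps the ARP packets sent by a given MAC address, and returns the IP address the device claims, which is what steps 3 and 4 do by hand. It goes slightly beyond the steps above by also handling start-up ARP probes (RFC 5227), where the sender IP is 0.0.0.0 and the address of interest is in the target IP field. The MAC addresses, IP addresses, frames and all function names are constructed for illustration.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return arp[8:14], socket.inet_ntoa(arp[14:18]), socket.inet_ntoa(arp[24:28])

def device_ips(frames, device_mac):
    """IP addresses claimed by device_mac in ARP traffic, in first-seen order."""
    wanted, found = mac_bytes(device_mac), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != wanted:
            continue
        _, sender_ip, target_ip = parsed
        # ARP probe (RFC 5227): sender IP is 0.0.0.0, target IP is the address being claimed.
        ip = target_ip if sender_ip == "0.0.0.0" else sender_ip
        if ip not in found:
            found.append(ip)
    return found

def build_arp(src_mac, sender_ip, target_ip):
    """Constructed sample data: broadcast Ethernet frame carrying an ARP request."""
    sha = mac_bytes(src_mac)
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + socket.inet_aton(sender_ip)
    return eth + arp + b"\x00" * 6 + socket.inet_aton(target_ip)

DEVICE = "00:11:22:33:44:55"  # constructed MAC for the device being located
SAMPLE = [  # constructed capture, not real traffic
    build_arp(DEVICE, "0.0.0.0", "10.20.30.40"),                    # start-up probe
    build_arp(DEVICE, "10.20.30.40", "10.20.30.1"),                 # request from the device
    build_arp("66:77:88:99:aa:bb", "192.168.1.10", "192.168.1.1"),  # another host
    b"\xff" * 6 + mac_bytes(DEVICE) + b"\x08\x00" + b"\x00" * 28,   # IPv4 frame, not ARP
]

if __name__ == "__main__":
    print(device_ips(SAMPLE, DEVICE))
```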

It is a very simple process, yet only possible with a powerful protocol analyser like Wireshark. However, depending on the configuration of your device, there may be situations where an IP of a device is set by DHCP or BootP.

To find out how to recover or set the IP address using these methods, stay tuned for more in part 2 of the series.

