Wireshark-users: Re: [Wireshark-users] Can Wireshark tell me the IP and mac of a device, before i
From: Julian Fielding <jfielding@xxxxxxxxxxxxxxx>
Date: Wed, 15 Apr 2009 22:14:25 +0100
John Arwine wrote on Tue, 14 Apr 2009 09:46:58 -0700 [paraphrased]

> Is there some method by which I can use a laptop and Wireshark to
> capture an unknown device's MAC and IP addresses?

Most devices send a few packets shortly after power up; you just have to be ready to capture them.

Make a minimal isolated network, ideally with a genuine hub and just two connections: the Wireshark PC and the unknown device. If you can't find a genuine hub, use one of the following:

- Simple (unmanaged) switch.
- Crossed cable.
- Managed switch. (Disable STP on the two ports you will use.)

The point of this is to be ready as quickly as possible. STP can cause a long delay before the switch port is enabled. A crossed cable might cause some delay depending on how long the PC's interface and driver take to initialise. The expected packets are broadcast; that's why an unmanaged switch is OK. For the same reason, you don't need to configure port mirroring on a managed switch.

Do anything necessary to make the PC's Ethernet interface happy while isolated. This might mean giving it a static IP address instead of using DHCP. Any legal address will do.

Start Wireshark capturing in promiscuous mode. Update in real time.

Power up the unknown device. If it has an IP address it will probably send several ARP packets: either gratuitous ARPs (ARPs to itself) or ACD probes followed by announcements (Address Conflict Detection, RFC 5227). Otherwise it will probably send a BOOTP/DHCP request.

Look at the Ethernet layer in Wireshark's middle window, and note the source address of any packet not sent by the PC.

If the unknown device sends an ARP, expand that in the middle window. Look at Sender IP address. If it's not 0.0.0.0 then it's the device's IP address. If it is 0.0.0.0, look at Target IP address. This is an ACD probe: the device is checking for anything else at the IP address it wants to use. If there's no response after a few probes it will send ACD announcements, which are the same as gratuitous ARPs.

If the device does not send ARP or BOOTP at power up, wait for a minute or so. If it sends anything you will at least have its MAC. If not, read its manual and do whatever the manufacturer says to give it an IP address, then repeat the test. (Remember, this is an isolated network, you can give it any address.)

If that doesn't work search for a MAC label with a magnifying glass!

Julian.
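Julian's rules for reading the ARP fields, as an added example that is not part of the original post: a small parser over raw Ethernet frames (the frames here are constructed inline, not a real capture) that skips the PC's own traffic and classifies each ARP as an ACD probe, an announcement/gratuitous ARP, or a plain request/reply, reporting the device's MAC and the IP it is using or wants. It covers only ARP, not BOOTP/DHCP; the PC and device MACs are made-up values.

```python
import struct
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_str(raw): return ".".join(str(b) for b in raw)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))

def build_arp(src_mac, sender_ip, target_ip, op=1):
    """Construct a broadcast ARP frame (constructed test data, not a real capture)."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(src_mac), ip_bytes(sender_ip),
                       bytes(6), ip_bytes(target_ip))
    return ETH_HDR.pack(BROADCAST, mac_bytes(src_mac), ETHERTYPE_ARP) + arp

def classify_arp(frame, our_mac):
    """Return {'mac', 'ip', 'kind'} for an ARP frame not sent by our PC, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP or mac_str(src) == our_mac.lower():
        return None  # not ARP, or our own traffic
    htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sender_ip, target_ip = ip_str(spa), ip_str(tpa)
    if sender_ip == "0.0.0.0":
        kind, ip = "acd_probe", target_ip       # RFC 5227 probe: the wanted address is the target
    elif sender_ip == target_ip:
        kind, ip = "announcement", sender_ip    # ACD announcement, same as a gratuitous ARP
    else:
        kind, ip = ("request" if op == 1 else "reply"), sender_ip
    return {"mac": mac_str(src), "ip": ip, "kind": kind}

def find_device(frames, our_mac):
    """First MAC/IP pair learned from the capture, or None if nothing usable was seen."""
    for frame in frames:
        info = classify_arp(frame, our_mac)
        if info:
            return info
    return None

# Constructed power-up sequence: one frame from our PC, three ACD probes, one announcement.
PC_MAC, DEVICE_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = ([build_arp(PC_MAC, "192.168.1.10", "192.168.1.1")]
                 + [build_arp(DEVICE_MAC, "0.0.0.0", "192.168.1.77")] * 3
                 + [build_arp(DEVICE_MAC, "192.168.1.77", "192.168.1.77")])
```

Running find_device(SAMPLE_FRAMES, PC_MAC) reports the device's MAC and the address it probed for, from the first probe; feeding it frames read from a pcap file instead would do the same on a real capture.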