Fishing for an unknown device

A customer bought a Linksys print server. It comes with a Windows CD that is supposed to allow you to configure the box, but with his Windows Vista machines, the print server couldn't be found. Probably the software doesn't work well with Vista.

More aggravatingly, I couldn't find a MAC address printed anywhere on the device, so I couldn't set an IP with arp -s (which then would have let me finish configuring the device using a browser).

Yes, someone pointed out how to get it to spit out a configuration page. This post really isn't about the Linksys, so read on.

What to do?

If you have a DHCP server anywhere in the network, the device will have obtained an IP address. The DHCP server should be able to show you addresses it has passed out. The only problem is recognizing it - if the server doesn't bother to show you when the DHCP lease was acquired, it may not be easy to spot the new addition.

That was my problem - too many leases and, without the MAC address (and too many Linksys devices scattered about to start with), I couldn't spot it. Well, that's not entirely true: I probably could have, but I was also pressed for time: this was a Boston job, it was getting later in the day, and the last thing I want to do is be in Expressway traffic much after 2:00 PM.

So... I threw the Linksys in my car and drove home, avoiding rush hour by a comfortable margin.

Back home, I hooked up the print server to my network and was able to quickly spot it in the router's DHCP list. I typed that IP into a browser and now had access to the print server admin screens. That's great, but the customer's network is 192.168.24.0 and mine is 192.168.113.0. Simple enough to change that - I knew an available IP on their network, so I typed it in. Of course, immediately after doing so, I no longer had access to the print server, right?

Well, no. All I need to do is temporarily change my machine to use something in that range. The Ethernet cables don't care if some of the devices are using one IP scheme and some are using others (a smart switch might care, but the inexpensive little switches I use at home do not).

Or I could use an alias. On the Mac, I'd do

sudo ifconfig en0 alias 192.168.24.12 netmask 255.255.255.0

For Linux, I'd do:

ifconfig eth0:0 192.168.24.12

(See: Multiple IP addresses on one interface)

But what if I didn't have a DHCP server? The Linksys probably comes configured with some IP address (even if it is 0.0.0.0). If I don't know the MAC, and it isn't getting an IP from DHCP, how can I find it?

Ahh, that's not so easy. You could guess at the IP range: many devices default to 192.168.1.x or 192.168.2.x addresses; setting your machine to something in that range (or adding an alias) would then let you do a broadcast ping (ping 192.168.1.255) or use "nmap -sP 192.168.4.0/24", but you might not find it if it isn't responding to ICMP. Yes, "nmap" can do a UDP scan, but again - who says this device will respond?

Well, nmap can test against ports you know it will respond on. For example, that print server is going to be listening on port 80. I could do nmap -p 80 192.168.11.0/24 - but again, I'm assuming the IP range, and my machine must be configured to be able to access that range. You can't use nmap to discover devices on networks your machine can't talk to.

Forget about the printserver - how can we find any unknown device?

I'm not aware of any generic layer 2 discovery software (just because I'm not aware of it doesn't mean it doesn't exist!), but you can use tcpdump. The problem is filtering out all the unrelated traffic. For example, I changed a spare Windows laptop to use 172.16.48.9 - that's outside of my normal network. In a few seconds, a "sudo tcpdump | grep 172.16" started showing activity:

11:31:05.578203 IP 172.16.48.9 > igmp.mcast.net: igmp v3 report, 1 group record(s)
11:31:05.579545 ARP, Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:05.883441 ARP, Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:06.517325 IP 172.16.48.9 > igmp.mcast.net: igmp v3 report, 1 group record(s)

But that was only easy to find because I knew I was looking for 172.16.

I could do "sudo tcpdump -n | grep -v 192.168" to cut down a lot of the noise - but if the device I want is in that range, I won't see it, so I have to be careful about what I exclude. Also, this depends upon the device being noisy - though at a power cycle almost any network device has to make SOME network noise.

A better way might be to use a Perl or awk script that reads tcpdump output and prints each source/destination pair the first time it appears. That's not hard:

#!/usr/bin/perl
# Reads tcpdump output on stdin and prints each "source > destination" pair once.
# Run as: sudo tcpdump -n -l | ./seen.pl   (-n keeps addresses numeric, -l line-buffers)
use strict;
use warnings;

my %stored;
while (<>) {
    my @stuff = split /\s+/;
    # Only IP lines have addresses in fields 2 and 4; skip ARP and other output.
    # (The original compared with ==, which is a numeric test and matched every line.)
    next unless @stuff > 4 && $stuff[1] eq "IP";
    # tcpdump prints host.port; the first four dotted fields are the address
    my $ip  = sprintf("%d.%d.%d.%d", split /\./, $stuff[2]);
    my $ip2 = sprintf("%d.%d.%d.%d", split /\./, $stuff[4]);
    my $pair = "$ip > $ip2";
    if (not $stored{$pair}) {
        print "$pair seen\n";
        $stored{$pair} = 1;
    }
}

I changed the Windows box to 172.16.13.98 and very quickly saw:

192.168.113.2 > 64.226.42.29 seen
64.226.42.29 > 192.168.113.2 seen
192.168.113.2 > 66.249.81.100 seen
66.249.81.100 > 192.168.113.2 seen
192.168.113.2 > 74.125.93.100 seen
172.16.13.98 > 224.0.0.251 seen
74.125.93.118 > 192.168.113.2 seen
192.168.113.2 > 74.125.93.118 seen
172.16.3.98 > 224.0.0.22 seen
0.0.0.0 > 172.16.3.98 seen
192.168.113.2 > 66.249.80.83 seen
66.249.80.83 > 192.168.113.2 seen
172.16.3.98 > 224.0.0.251 seen
172.16.3.98 > 239.255.255.250 seen

Fairly easy to spot that (and eliminating 192.168 addresses would have made it even easier) - though for this, a simple sudo tcpdump -n | grep "who-has" would have worked well, too. The Perl script has the advantage of spotting any kind of activity (and just might show you activity you didn't expect!).
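As an added example (not the author's script), here is a Python version of the same idea that also reads the link-layer addresses tcpdump prints when run with -e, so the unknown device's MAC comes out alongside its IP, and that hides addresses inside the subnets you already know about; the sample capture lines and MAC addresses are constructed.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample of "sudo tcpdump -n -e -l" output (not a real capture). -e prints the
# link-layer addresses, so a device whose MAC is printed nowhere on the case still gives
# it away with its first packet, even a DHCP discover sent from 0.0.0.0.
SAMPLE = """\
11:31:05.578203 00:1a:2b:3c:4d:5e > 01:00:5e:00:00:16, ethertype IPv4 (0x0800), length 60: 172.16.48.9 > 224.0.0.22: igmp v3 report, 1 group record(s)
11:31:05.579545 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.48.9 tell 172.16.48.9, length 46
11:31:06.100000 00:11:22:33:44:55 > 00:66:77:88:99:aa, ethertype IPv4 (0x0800), length 74: 192.168.113.2.49152 > 64.226.42.29.80: Flags [S], seq 1, win 65535, length 0
11:31:06.200000 00:66:77:88:99:aa > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 64.226.42.29.80 > 192.168.113.2.49152: Flags [S.], seq 1, ack 2, win 65535, length 0
11:31:07.000000 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:2b:3c:4d:5e, length 300
"""

FRAME = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype (?P<kind>\w+) "
                   r"\(\S+\), length \d+: (?P<rest>.*)$")
# tcpdump -n prints host.port for TCP/UDP; the first four dotted fields are the address.
IPV4 = re.compile(r"^(?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > \d+(?:\.\d+){3}(?:\.\d+)?:")
ARP = re.compile(r"^(?:Request who-has [\d.]+ tell |Reply )(?P<src>[\d.]+)")
PARSERS = {"IPv4": IPV4, "ARP": ARP}

def talkers(lines):
    """Map each source IP seen on the wire to the set of MACs that used it."""
    seen = defaultdict(set)
    for line in lines:
        frame = FRAME.match(line)
        if not frame or frame["kind"] not in PARSERS:
            continue  # tcpdump status lines, IPv6, truncated lines, etc.
        pkt = PARSERS[frame["kind"]].match(frame["rest"])
        if pkt:
            seen[pkt["src"]].add(frame["smac"])
    return seen

def strangers(seen, known_nets):
    """Sorted (ip, mac) pairs for local addresses outside the subnets you expect."""
    # Internet addresses all arrive behind the gateway's MAC, so they are skipped;
    # 0.0.0.0 is kept because a DHCP discover is often a freshly powered device's first word.
    nets = [ipaddress.ip_network(n) for n in known_nets]
    def local(ip):
        a = ipaddress.ip_address(ip)
        return not (a.is_multicast or a.is_global or any(a in n for n in nets))
    return sorted((ip, mac) for ip, macs in seen.items() if local(ip) for mac in macs)

if __name__ == "__main__":  # pipe "sudo tcpdump -n -e -l" in; with no input it uses SAMPLE
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for ip, mac in strangers(talkers(src), sys.argv[1:] or ["192.168.113.0/24"]):
        print(ip, "from", mac)
```

Pass your own subnets as arguments (for example 192.168.24.0/24 on the customer's network) so that only addresses outside them are reported.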

Did I miss anything? Do you have any tricks I forgot? Please do comment if you do.




12 comments

© Anthony Lawrence







Tue Nov 10 18:27:30 2009: 7512   TonyLawrence

The tcpdump method could also be useful for determining if a suspect device is really broken or has just been misconfigured. Power-cycle it while that's running and you may see it trying to do something fishy.





Tue Nov 10 18:55:17 2009: 7513   rbailin

You could also go to the linksys website and RTFM (but there isn't one available for download). But, while you're there, you'll see a user forum article about how the PSUS4 print server isn't compatible with Windows 7, and that you'll have to configure it manually. They suggest that you press and hold the reset button on the print server for 3 seconds, and then release it. A diagnostic test page will print on a connected printer showing the current IP address (and probably the MAC address, too).





Tue Nov 10 18:58:45 2009: 7514   TonyLawrence

If I hadn't been in such a damn hurry to beat traffic, I might have done that :-)







Tue Nov 10 19:07:29 2009: 7515   TonyLawrence

It's apparently Bonjour compatible also, so if I were setting one up at home, I wouldn't have needed to do anything.

But that would take all the fun out and I'd have nothing to write about!

More importantly, this article was meant to explore finding ANY unknown device, not just a specific print server.



Wed Nov 11 10:42:15 2009: 7520   NickBarron

Excellent article Tony,

When I get a few moments I will have a go at some of those bits. One question: the alias on OS X, does it stay set after a restart? Also, is there a manual way to remove it?

Thanks



Wed Nov 11 10:51:58 2009: 7521   NickBarron

Sort of answered my own question on the alias front.

You can find the alias by running ifconfig en0 or whatever interface you are exploring.

To remove it just follow the original command entered but add -alias instead of alias.

Not sure if it sticks after a restart yet as I don't have a box to hand I can happily restart.



Wed Nov 11 10:57:43 2009: 7522   NickBarron

A restart flushes the alias it seems. Right, no SPAM from me on this thread!



Wed Nov 11 12:26:38 2009: 7525   TonyLawrence

Correct.

If you added

sudo ifconfig en0 alias 192.168.24.12 netmask 255.255.255.0

then

sudo ifconfig en0 -alias 192.168.24.12

removes it.

No, it doesn't "stick", but you can add it to startup scripts.
(See (link).)








Wed Nov 11 15:45:48 2009: 7528   BruceGarlock

I run 'arpwatch' on my server for this very thing. Anything new plugged into the network, and I get an email with the MAC address or DHCP IP address that it got. So far, it has not let me know with many different types of print servers from several manufacturers.






Wed Nov 11 19:25:22 2009: 7530   TonyLawrence

Looks like arpwatch uses tcpdump?



Wed Nov 11 19:46:24 2009: 7531   TonyLawrence

I'm having no luck with arpwatch installed from Darwinports. It just fails.

By the way, why does the Darwin ports install stupidly update .profile instead of .bash_profile? Don't they know Bash has been the default shell for some time now?

I have to say that I had Darwin ports installed some number of versions back and ended up removing it because so much of the software had problems. I hope this isn't going to be a repeat.




