APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Fishing for an unknown device

© November 2009 Anthony Lawrence

A customer bought a Linksys print server. It comes with a Windows CD that is supposed to allow you to configure the box, but with his Windows Vista machines, the print server couldn't be found. Probably the software doesn't work well with Vista.

More aggravatingly, I couldn't find a MAC address printed anywhere on the device, so I couldn't set an IP with arp -s (which then would have let me finish configuring the device using a browser).

Yes, someone pointed out how to get it to spit out a configuration page. This post really isn't about the Linksys, so read on.

What to do?

If you have a DHCP server anywhere in the network, the device will have obtained an IP address. The DHCP server should be able to show you addresses it has passed out. The only problem is recognizing it - if the server doesn't bother to show you when the DHCP lease was acquired, it may not be easy to spot the new addition.

That was my problem - too many leases and without the MAC address (and too many Linksys devices scattered about to start with), I couldn't spot it. Well, that's not entirely true: I probably could have, but I was also pressed for time: this was a Boston job and it was getting later in the day and the last thing I want to do is be in Expressway traffic much after 2:00 PM.

So... I threw the Linksys in my car and drove home, avoiding rush hour by a comfortable margin.

Back home, I hooked up the print server to my network and was able to quickly spot it in the router's DHCP list. I typed that IP into a browser and now had access to the print server admin screens. That's great, but the customer's network is and mine is Simple enough to change that - I knew an available IP on their network, so I typed it in. Of course, immediately after doing so, I no longer had access to the print server, right?

Well, no. All I need to do is temporarily change my machine to use something in that range. The ethernet cables don't care if some of the devices are using one ip scheme and some are using others (a smart switch might care, but inexpensive little things like I use in my home do not).

Or I could use an alias. On the Mac, I'd do

sudo ifconfig en0 alias netmask

For Linux, I'd do:

ifconfig eth0:0

(See Multiple IP addresses on one interface )

But what if I didn't have a DHCP server? The Linksys probably comes configured with some IP address (even if it is If I don't know the MAC, and it isn't getting an IP from DHCP, how can I find it?

Ahh, that's not so easy. You could guess at the IP range: many devices default to 192.168.1.x or 192.168.2.x addresses; setting your machine to something in that range (or using an alias) would let you do a discovery ping (ping or use "nmap -s"), but you might not find it if it isn't responding to ICMP. Yes, "nmap" can do a UDP scan, but again - who says this device will respond?

Well, nmap can test against ports you know it will respond on. For example, that print server is going to be listening on port 80. I could do nmap -p 80 - but again, I'm assuming the IP range and must be configured to be able to access that range. You can't use nmap to discover devices on networks your machine can't talk to.

Forget about the printserver - how can we find any unknown device?

I'm not aware of any generic layer 2 discovery software (just because I'm not aware of it doesn't mean it doesn't exist!), but you can use tcpdump. The problem is filtering out all the unrelated traffic. For example, I changed a spare Windows laptop to use - that's outside of my normal network. In a few seconds, a "sudo tcpdump | grep 172.16" started showing activity:

11:31:05.578203 IP > igmp.mcast.net: igmp v3 report, 1 group record(s)
11:31:05.579545 ARP, Request who-has tell, length 46
11:31:05.883441 ARP, Request who-has tell, length 46
11:31:06.517325 IP > igmp.mcast.net: igmp v3 report, 1 group record(s)

But that was only easy to find because I knew I was looking for 172.16.

I could do "sudo tcpdump -n |grep -v 192.168" to cut down a lot of the noise - but if the device I want is in that range, I won't see it, so I have to be careful about what I exclude. Also, this depends upon the device being noisy - though at a power cycle almost any network device has to make SOME network noise.

A better way might be to use a Perl or Awk script that would sample tcpdump and extract unique IP addresses. That's not hard:

#!/usr/bin/perl
# Reads tcpdump output on stdin (e.g. sudo tcpdump -n -l | perl thisscript.pl)
# and prints each source > destination pair the first time it is seen.
while (<>) {
 @stuff=split /\s+/;
 next unless $stuff[1] eq "IP";   # only IP lines; "eq" for strings, not "=="
 # sprintf with %d keeps the first four dotted fields and drops a trailing port
 $ip=sprintf("%d.%d.%d.%d",split /\./,$stuff[2]);
 $ip2=sprintf("%d.%d.%d.%d",split /\./,$stuff[4]);

 if (not $stored{"$ip > $ip2"}) {
   print "$ip > $ip2 seen\n";
   $stored{"$ip > $ip2"}=1;
 }
}

I changed the Windows box to and very quickly saw: > seen > seen > seen > seen > seen > seen > seen > seen > seen > seen > seen > seen > seen > seen

(bolding added)

Fairly easy to spot that (and eliminating 192.168 addresses would have made it even easier) - though for this, a simple sudo tcpdump -n | grep "who-has" would have worked well, too. The Perl script has the advantage of spotting any kind of activity (and just might show you activity you didn't expect!).
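As an added example (my code, not the author's Perl), here is the same sampling idea in Python, extended a little: it parses "sudo tcpdump -n -l" lines for both IP traffic and ARP who-has requests, reports each sender/receiver pair once, and can flag senders that belong to none of the subnets you list, which is the safer form of the "grep -v 192.168" idea since nothing is excluded, only known ranges are marked as uninteresting. The sample lines and every address in them are constructed for the demonstration, and the script name find_devices.py is an assumption.

```python
import ipaddress
import re
import sys

# Constructed sample of "sudo tcpdump -n -l" output; the addresses are made up
# for illustration and are not from the author's network.
SAMPLE_LINES = """\
11:31:05.578203 IP 192.168.1.20.50123 > 192.168.1.1.53: 12345+ A? example.com. (29)
11:31:05.579545 ARP, Request who-has 172.16.0.1 tell 172.16.0.77, length 46
11:31:05.883441 ARP, Request who-has 172.16.0.1 tell 172.16.0.77, length 46
11:31:06.517325 IP 172.16.0.77 > 224.0.0.22: igmp v3 report, 1 group record(s)
11:31:06.600000 IP 192.168.1.20.50123 > 192.168.1.1.53: 12346+ A? example.org. (29)
11:31:07.000000 IP 192.168.1.1.53 > 192.168.1.20.50123: 12345 1/0/0 A 93.184.216.34 (45)
""".splitlines()

# IPv4 lines look like "<time> IP <src>.<port> > <dst>.<port>: ..." (IPv6 not handled here)
IP_RE = re.compile(r"^\S+ IP (\S+) > (\S+?):?(?:\s|$)")
# ARP requests look like "<time> ARP, Request who-has <target> tell <sender>, length N"
ARP_RE = re.compile(r"^\S+ ARP, Request who-has (\S+) tell (\S+),")


def strip_port(field):
    """tcpdump -n prints host.port; keep only the first four dotted fields."""
    return ".".join(field.rstrip(":").split(".")[:4])


def parse_line(line):
    """Return (kind, sender, receiver) for an IP or ARP line, else None."""
    m = IP_RE.match(line)
    if m:
        return ("IP", strip_port(m.group(1)), strip_port(m.group(2)))
    m = ARP_RE.match(line)
    if m:
        # "tell X" is the machine talking; "who-has Y" is what it is looking for
        return ("ARP", m.group(2), m.group(1))
    return None


def is_known(addr, nets):
    """True if addr falls inside one of the known networks (or cannot be judged)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # hostname or malformed field: do not flag it
    return any(ip in n for n in nets)


def find_unique_pairs(lines, known_nets=()):
    """Each (kind, sender, receiver) once, in first-seen order, with a stranger flag.

    The flag is True when known_nets were given and the sender is outside all of them.
    """
    nets = [ipaddress.ip_network(n) for n in known_nets]
    seen = set()
    results = []
    for line in lines:
        triple = parse_line(line)
        if triple is None or triple in seen:
            continue
        seen.add(triple)
        kind, sender, receiver = triple
        stranger = bool(nets) and not is_known(sender, nets)
        results.append((kind, sender, receiver, stranger))
    return results


def strangers(lines, known_nets):
    """Sorted sender addresses that spoke on the wire but belong to no known net."""
    return sorted({s for _, s, _, flag in find_unique_pairs(lines, known_nets) if flag})


if __name__ == "__main__":
    # Usage: sudo tcpdump -n -l | python3 find_devices.py 192.168.1.0/24 10.0.0.0/8
    # With no piped input the constructed sample is used instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for kind, sender, receiver, flag in find_unique_pairs(source, sys.argv[1:]):
        mark = "  <-- not in a known range" if flag else ""
        print(f"{kind:3} {sender} > {receiver} seen{mark}")
```

Reading from a live pipe works because find_unique_pairs iterates line by line and reports a pair as soon as it is first seen; the "-l" flag keeps tcpdump from buffering output. On the sample, the only sender outside 192.168.1.0/24 is the 172.16.0.77 box, which shows up both from its ARP request and from its IGMP report.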

Did I miss anything? Do you have any tricks I forgot? Please do comment if you do.


Tue Nov 10 18:27:30 2009: 7512   TonyLawrence

The tcpdump method could also be useful for determining if a suspect device is really broken or has just been misconfigured. Powercycle it while that's running and you may see it trying to do something fishy.

Tue Nov 10 18:55:17 2009: 7513   rbailin

You could also go to the linksys website and RTFM (but there isn't one available for download). But, while you're there, you'll see a user forum article about how the PSUS4 print server isn't compatible with Windows 7, and that you'll have to configure it manually. They suggest that you press and hold the reset button on the print server for 3 seconds, and then release it. A diagnostic test page will print on a connected printer showing the current IP address (and probably the MAC address, too).

Tue Nov 10 18:58:45 2009: 7514   TonyLawrence

If I hadn't been in such a damn hurry to beat traffic, I might have done that :-)

Tue Nov 10 19:07:29 2009: 7515   TonyLawrence

It's apparently Bonjour compatible also, so if I were setting one up at home, I wouldn't have needed to do anything.

But that would take all the fun out and I'd have nothing to write about!

More importantly, this article was meant to explore finding ANY unknown device, not just a specific printserver.

Wed Nov 11 10:42:15 2009: 7520   NickBarron

Excellent article Tony,

When I get a few moments I will have a go at some of those bits. One question: the alias on OS X, does it stay set after a restart? Also, is there a manual way to remove it?


Wed Nov 11 10:51:58 2009: 7521   NickBarron

Sort of answered my own question on the alias front.

You can find the alias by running ifconfig -en0 or whatever interface you are exploring.

To remove it just follow the original command entered but add -alias instead of alias.

Not sure if it sticks after a restart yet as I don't have a box to hand I can happily restart.

Wed Nov 11 10:57:43 2009: 7522   NickBarron

A restart flushes the alias it seems. Right, no SPAM from me on this thread!

Wed Nov 11 12:26:38 2009: 7525   TonyLawrence


If you added

sudo ifconfig en0 alias netmask


sudo ifconfig en0 -alias

removes it.

No, it doesn't "stick", but you can add it to startup scripts.
(See (link) )

Wed Nov 11 15:45:48 2009: 7528   BruceGarlock

I run 'arpwatch' on my server for this very thing. Anything new plugged into the network, and I get an email with the MAC address or DHCP IP address that it got. So far, it has not let me know with many different types of print servers from several manufacturers.

Wed Nov 11 19:25:22 2009: 7530   TonyLawrence

Looks like arpwatch uses tcpdump?

Wed Nov 11 19:46:24 2009: 7531   TonyLawrence

I'm having no luck with arpwatch installed from Darwinports. It just fails.

By the way, why does the Darwin ports install stupidly update .profile instead of .bash_profile? Don't they know Bash has been the default shell for some time now?

I have to say that I had Darwin ports installed some number of versions back and ended up removing it because so much of the software had problems. I hope this isn't going to be a repeat.
