It happens to all I.T. people sooner or later. You have a device on a network (maybe yours, or maybe a customer’s) and you need to figure out what IP address that device has. Some devices will provide this information via a console port, or maybe you can check your DHCP server’s lease or reservation list… but what if you do not have access to any of these methods?
Well I am here to tell you there is another way!
The answer is Wireshark.
There are a few different methods you can use to track down unknown IP addresses using Wireshark; I’ll cover the ones that I use.
This is probably the easiest way and the method that most people I talk to use, but it requires that you know the device’s MAC address. Doing it this way, you can leave the device on the existing network and simply set up a display filter for the device’s MAC. The eth.addr field matches the address in either the source or the destination of the Ethernet frame, so for a device whose MAC is 00:02:69:03:2D:11 you would use a filter like this:
eth.addr == 00:02:69:03:2d:11
When you start the capture, depending on how much (if any) traffic is going through, you should see the device’s IP address show up under either source or destination. One caveat: on a switched network your PC only sees broadcast and multicast frames plus traffic addressed to your own PC, so the device’s unicast traffic to other hosts will not appear unless you capture on a mirror (SPAN) port, through a hub or tap, or the device is talking to your PC. Its ARP broadcasts will still show up, and they carry its IP address in the sender field.
Looking at the image above, since I know my PC’s IP address is 172.16.248.21, I can tell that the device has an IP of 172.16.248.232. Perfect!
Now what if you don’t know the MAC address?
It gets a little more tricky. If I don’t have the MAC, I will usually remove the device from the existing network and put it on a test network with only my Wireshark PC and the device itself, so that no other traffic clutters the capture and every frame you see belongs to one of the two. This is by far the easiest method where possible, but I realize there are times when this is not possible either.
The next option is to reboot the device. While a device is powering up, it will almost always send ARP broadcasts across the network: a device with a static address ARPs for whatever it first tries to reach (usually its default gateway) and puts its own address in the sender field, and a DHCP client probes and announces the address it was just assigned (an ARP probe carries a sender IP of 0.0.0.0 and the claimed address as the target; the announcement carries the address as the sender). If it uses DHCP, the ARP comes after it has contacted the DHCP server and been assigned an IP. While the device is booting up, you should see something similar to this:
I won’t go into extensive technical detail here, but the gist of it is that the device broadcasts a DHCP Discover looking for a DHCP server; when a server replies with an Offer, the device sends a Request for that address and the server confirms it with an ACK. The ACK carries the assigned address in its "Your (client) IP address" field, so if you miss the ARP you can read the address straight from the DHCP exchange (display filter dhcp, or bootp on Wireshark versions before 3.0). Once the address is assigned, the device sends out an ARP for it (which is the last line in the image). Again, based on this, we now know the device has an IP of 172.16.248.232. If you do know the MAC, a display filter on the MAC inside the ARP and DHCP payloads, such as arp.src.hw_mac == 00:02:69:03:2d:11 || dhcp.hw.mac_addr == 00:02:69:03:2d:11, is more reliable than eth.addr here, because the DHCP ACK is sent from the server’s MAC and may be broadcast rather than addressed to the device.
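To make the two mechanics above concrete, here is an added example (Python, not code from the original post) that does by hand what the filters do in Wireshark: it parses raw Ethernet frames and recovers the IP address attributed to a given MAC from the device’s own ARP probe/announcement and from the DHCP ACK whose client hardware address matches it. Only the device MAC and the two IP addresses come from the post; the MACs of the Wireshark PC and the DHCP server, and the frames themselves, are constructed for the example.

```python
import struct

# Added example (not from the original post): recover the IP address behind a
# known MAC from raw Ethernet frames, using the two sources the Wireshark
# filters in the post rely on (the device's ARP traffic and the DHCP ACK).
# Frames below are constructed sample input; IP/UDP checksums are not validated.

ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_ARP = 0x0806
DHCP_ACK = 5
DHCP_MAGIC = b"\x63\x82\x53\x63"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text: str) -> bytes:
    return bytes(int(p) for p in text.split("."))

def ip_from_arp(arp: bytes, mac: str):
    """IP revealed by an Ethernet/IPv4 ARP packet sent from `mac`, else None.
    A probe (RFC 5227) carries sender IP 0.0.0.0 and the claimed IP as target;
    a gratuitous or ordinary request carries the sender's own IP."""
    if (len(arp) < 28 or struct.unpack("!HHBBH", arp[:8])[:4] != (1, ETH_TYPE_IPV4, 6, 4)
            or mac_str(arp[8:14]) != mac):
        return None
    sender_ip, target_ip = ip_str(arp[14:18]), ip_str(arp[24:28])
    return target_ip if sender_ip == "0.0.0.0" else sender_ip

def ip_from_dhcp(ipv4: bytes, mac: str):
    """yiaddr from a DHCP ACK whose chaddr is `mac`, else None. The ACK's Ethernet
    source is the server, so matching chaddr (Wireshark: dhcp.hw.mac_addr) also
    catches ACKs the server broadcasts, which an eth.addr filter would miss."""
    if len(ipv4) < 20 or ipv4[0] >> 4 != 4 or ipv4[9] != 17:          # IPv4 carrying UDP
        return None
    udp = ipv4[(ipv4[0] & 0x0F) * 4:]
    if len(udp) < 8 or not {67, 68} & set(struct.unpack("!HH", udp[:4])):
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    chaddr = mac_str(bootp[28:28 + bootp[2]])                         # hlen at offset 2
    yiaddr = ip_str(bootp[16:20])
    msg_type, i = None, 240
    while i + 1 < len(bootp) and bootp[i] != 255:                     # TLV options, 255 = end
        if bootp[i] == 0:                                              # pad
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        if code == 53 and length == 1 and i + 2 < len(bootp):          # DHCP message type
            msg_type = bootp[i + 2]
        i += 2 + length
    return yiaddr if chaddr == mac and msg_type == DHCP_ACK else None

def find_ips(frames, mac: str):
    """Set of IPs the frames attribute to `mac` (aa:bb:cc:dd:ee:ff form)."""
    parsers = {ETH_TYPE_ARP: ip_from_arp, ETH_TYPE_IPV4: ip_from_dhcp}
    mac, found = mac.lower(), set()
    for frame in frames:
        if len(frame) < 14:
            continue
        parser = parsers.get(struct.unpack("!H", frame[12:14])[0])
        ip = parser(frame[14:], mac) if parser else None
        if ip:
            found.add(ip)
    return found

def build_arp(src_mac, sender_ip, target_ip):
    """Constructed broadcast ARP request frame (sample input, not a real capture)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_TYPE_IPV4, 6, 4, 1)
    return eth + arp + mac_bytes(src_mac) + ip_bytes(sender_ip) + bytes(6) + ip_bytes(target_ip)

def build_dhcp_ack(server_mac, client_mac, yiaddr, server_ip="172.16.248.1"):
    """Constructed unicast DHCP ACK frame (sample input, not a real capture)."""
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)    # BOOTREPLY, Ethernet, hlen 6
    bootp += bytes(4) + ip_bytes(yiaddr) + bytes(8)                  # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac_bytes(client_mac) + bytes(10) + bytes(64 + 128)     # chaddr, sname, file
    bootp += DHCP_MAGIC + bytes([53, 1, DHCP_ACK, 255])
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip_bytes(server_ip), ip_bytes(yiaddr))
    return mac_bytes(client_mac) + mac_bytes(server_mac) + struct.pack("!H", ETH_TYPE_IPV4) + ipv4 + udp

DEVICE_MAC = "00:02:69:03:2d:11"   # the device's MAC from the post
PC_MAC = "00:0c:29:aa:bb:cc"       # assumed MAC of the Wireshark PC (172.16.248.21)
SERVER_MAC = "00:1a:2b:3c:4d:5e"   # assumed MAC of the DHCP server

FRAMES = [                                                     # constructed boot sequence
    build_arp(PC_MAC, "172.16.248.21", "172.16.248.1"),        # PC resolving its gateway
    build_dhcp_ack(SERVER_MAC, DEVICE_MAC, "172.16.248.232"),  # server hands the device an IP
    build_arp(DEVICE_MAC, "0.0.0.0", "172.16.248.232"),        # device probes the new address
    build_arp(DEVICE_MAC, "172.16.248.232", "172.16.248.232"), # device announces it
]
```

Calling find_ips(FRAMES, DEVICE_MAC) returns {"172.16.248.232"}, and find_ips(FRAMES, PC_MAC) returns {"172.16.248.21"}. The ACK is deliberately recognised by its client hardware address rather than by the Ethernet source, which is the reason the prose recommends dhcp.hw.mac_addr over eth.addr when the server broadcasts its reply.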
Of course, this is only a very small portion of what you can do with network monitoring in Wireshark, but it is by far one of the most useful tools any I.T. person can have in their toolbox.