modest911

Find Unknown IP

I have been trying to track down the owner of an unknown IP address for about a week now and it's driving me crazy cause I can't find it. The IP address is excluded from Windows 2003 DHCP distribution. I have verified all static IPs of printers and servers - I have done a port scan and all ports are closed, I have tried to run psexec cmd to see if I could get into cmd, I have tried to open the IP in a web browser, I have tried to run a packet capture on the IP (no packets seem to be sent or received). Is there any other way I can figure out what this IP belongs to?

BTW I do know what the MAC address is

TIA
ASKER CERTIFIED SOLUTION
johannortje
This solution is only available to members.
Look at the ARP table on your switches. It should tell you which port it is plugged into if you have the MAC. You could also try looking at the ARP table on the server by typing arp -a at the command prompt. Is this a DHCP address or a static IP? If you have laptops on your LAN, remember, if it is plugged in, the wired NIC & the wireless NIC will have an IP if you have wireless & it is wired in.
modest911

ASKER

These are the results -

C:\>nbtstat -a 10.0.0.14

Local Area Connection:
Node IpAddress: [10.0.0.254] Scope Id: []

    Host not found.

Wireless Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.
I have unmanaged switches. This is a static IP in the excluded IP range.

If I do arp -a on the server it does not show the 14 IP address. If I do arp -a on my client it shows as dynamic
Have you tried a ping -a to see if you can get the name of the device with the IP? Also, have you tried http://www.coffer.com/mac_find/ to type the MAC in to give you a better idea of what it is? If you can do a regular ping on the device, try to telnet into it or click start>run & type in mstsc to see if you can remote into it. Keep us updated.
Yeah I also tried RDP and VNC -


Cool, that coffer link is awesome - But it shows a vendor we use a lot of here - haha - Still cool though.

Ping -a just gives good replies


C:\>ping -a 10.0.0.14

Pinging 10.0.0.14 with 32 bytes of data:
Reply from 10.0.0.14: bytes=32 time=50ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=45ms TTL=128

Ping statistics for 10.0.0.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 50ms, Average = 36ms

So now I am googling the prefix "00188B"
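
An added example, not part of the original thread: the ARP-table and MAC-prefix checks discussed above, scripted in Python so that every ARP entry is compared against a documented inventory. The `arp -a` text, the inventory, the interface address and all full MAC addresses are constructed; only 10.0.0.14, 10.0.0.254 and the 00188B prefix (reported as Dell) come from the thread.

```python
import re

# Constructed Windows `arp -a` output. Only 10.0.0.14, 10.0.0.254 and the
# 00-18-8b prefix come from the thread; every full MAC here is made up.
SAMPLE_ARP = """\
Interface: 10.0.0.50 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-29-11-22-33     dynamic
  10.0.0.14             00-18-8b-aa-bb-cc     dynamic
  10.0.0.254            00-0c-29-44-55-66     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical inventory of documented hosts (IP -> MAC), constructed.
INVENTORY = {"10.0.0.1": "00:0c:29:11:22:33", "10.0.0.254": "00:0c:29:44:55:66"}

# Minimal OUI table: the thread's lookup reported prefix 00188B as Dell.
OUI_VENDORS = {"00188B": "Dell"}

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)\s*$")

def normalize_mac(mac):
    """Lower-case, colon-separated form so '-' and ':' notations compare equal."""
    return mac.replace("-", ":").lower()

def parse_arp(text):
    """Return (ip, mac, type) for each unicast row; headers do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and not int(m.group(2)[:2], 16) & 1:  # skip multicast/broadcast MACs
            rows.append((m.group(1), normalize_mac(m.group(2)), m.group(3)))
    return rows

def unknown_hosts(arp_text, inventory, oui_vendors):
    """List ARP entries that are missing from, or disagree with, the inventory."""
    findings = []
    for ip, mac, _type in parse_arp(arp_text):
        known = inventory.get(ip)
        if known and normalize_mac(known) == mac:
            continue
        oui = mac.replace(":", "")[:6].upper()
        findings.append({"ip": ip, "mac": mac, "oui": oui,
                         "vendor": oui_vendors.get(oui, "unknown"),
                         "reason": "MAC differs from inventory" if known else "not in inventory"})
    return findings

if __name__ == "__main__":
    print(unknown_hosts(SAMPLE_ARP, INVENTORY, OUI_VENDORS))
```
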
SOLUTION
This solution is only available to members.
TLA is a nice app - Thanks for that also. But, no joy. I am starting to think maybe someone has a printer on the network that is shared. I am starting to walk office to office - haha


TLA results for 10.0.0.14:
-------------------------------------------
10.0.0.14: Could not get installdate, uptime and installed version!
10.0.0.14: Could not get hosname, model or manufacturer
10.0.0.14: Could not get processor info
10.0.0.14: Could not get drive information!
10.0.0.14: Could not get network adapter information!
10.0.0.14: Error getting BIOS information!
Hmmm....have you ever used Ethereal (now it's called Wireshark)? You can run a capture on the MAC...I'm not sure on the command but it will be something similar to ether mac xx:xx:xx:xx:xx:xx though. From the tools you've used, it sounds like this is not a computer. It could even be one of the newer cell phones or iPods.
Yeah I tried running a packet capture and it's not capturing anything. It's like it's just sitting doing nothing. From that coffer link above it shows as a Dell device. That is why I am thinking it might be a "personal" printer. I have one more person's office to check. I will post results.
If it's a Dell printer with an IP, you should be able to open your browser & type the IP in & go to the admin page.
Yeah - Maybe it's not a printer then - I already tried to pull up a web browser admin page.

Weird thing just happened - I tried to ping the IP from the DHCP server and I can't ping it. But, I can ping it from my client. I am about to shut down my computer and see if I can ping the IP from another computer. Maybe it has something to do with me. I have no idea. haha
Hmmm
Check your DNS server & make sure there are not 2 host A records with the same IP address but with different names.
That's the weird thing - the IP in question is nowhere in DNS
Okay I can ping the questionable IP from just about every machine except one server that I said I couldn't ping from above. This server does have two NICs - But, one of them is disabled with a "dummy" IP
Well I have accounted for all personal printers. So back to square one - I have no idea. haha
As you guessed it I still haven't found the mystery IP. haha
Nope still haven't found the IP - Weird thing is, I blocked access to any system resources internally and externally for this IP and I am not getting any alerts in the firewall for it. So, whatever it is - it's not doing anything, just sitting there.
I did figure this out in Ubuntu with networking tools lookup

Name: 0.0.10.in.addrarpa
TTL:3600
Address Type: In
Record:SOA
Address: myserver.domain.com.admin.domain.com 23586 900 600 86400 3600
Finally found the unknown IP. It is a BMC Remote Access card on one of my servers. I am going to split points because I learned some new ideas with this problem and help
Giving points due to the fact I learned about new tools and ideas.