Find Unknown IP

I have been trying to track down the owner of an unknown IP address for about a week now and it's driving me crazy because I can't find it. The IP address is excluded from Windows 2003 DHCP distribution. I have verified all static IPs of printers and servers. I have done a port scan and all ports are closed, I have tried to run psexec cmd to see if I could get into cmd, I have tried to open the IP in a web browser, and I have tried to run a packet capture on the IP (no packets seem to be sent or received). Is there any other way I can figure out what this IP belongs to?

BTW I do know what the MAC address is

TIA
modest911 Asked:
 
johannortje Commented:
nbtstat -A xx.xx.xx.xx

Have you tried a reverse DNS lookup on the xx.xx.xx.1, as .1 might be the router/switch (commonly)?
0
 
wantabe2 Commented:
Look at the ARP table on your switches. It should tell you which port it is plugged into if you have the MAC. You could also try looking at the ARP table on the server by typing arp -a at the command prompt. Is this a DHCP address or a static IP? If you have laptops on your LAN, remember, if it is plugged in, the wired NIC & the wireless NIC will have an IP if you have wireless & it is wired in.
0
 
modest911 Author Commented:
These are the results -

C:\>nbtstat -a 10.0.0.14

Local Area Connection:
Node IpAddress: [10.0.0.254] Scope Id: []

    Host not found.

Wireless Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.
0
 
modest911 Author Commented:
I have unmanaged switches. This is a static IP in the excluded IP range.

If I do arp -a on the server it does not show the 14 IP address. If I do arp -a on my client it shows as dynamic.
0
 
wantabe2 Commented:
Have you tried a ping -a to see if you can get the name of the device with the IP? Also, have you tried http://www.coffer.com/mac_find/ to type the MAC in to give you a better idea of what it is? If you can do a regular ping on the device, try to telnet into it or click start>run & type in mstsc to see if you can remote into it. Keep us updated.
0
 
modest911 Author Commented:
Yeah I also tried RDP and VNC -

Cool, that coffer link is awesome - But it shows a vendor we use a lot of here - haha - Still cool though.

Ping -a just gives good replies


C:\>ping -a 10.0.0.14

Pinging 10.0.0.14 with 32 bytes of data:
Reply from 10.0.0.14: bytes=32 time=50ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=45ms TTL=128

Ping statistics for 10.0.0.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 50ms, Average = 36ms

0
 
modest911 Author Commented:
So now I am googling the prefix "00188B"
0
 
wantabe2 Commented:
While we're on the subject of cool tools.... download this http://sourceforge.net/project/showfiles.php?group_id=171954

This is called Lazy Admin. I use it all the time. With this you can type in the IP address of the device & you have several options to choose from. Basically this tool runs a WMI script to that IP address. It will show you what it is, what services are running, what applications are running or installed, well...it will show everything possible about the device. Let me know what you think about it. I'm sure you will be able to solve your problem with Lazy Admin. Post the results here if you don't mind so I can help.
0
 
modest911 Author Commented:
TLA is a nice app - Thanks for that also. But, no joy. I am starting to think maybe someone has a printer on the network that is shared. I am starting to walk office to office - haha


TLA results for 10.0.0.14:
-------------------------------------------
10.0.0.14: Could not get installdate, uptime and installed version!
10.0.0.14: Could not get hosname, model or manufacturer
10.0.0.14: Could not get processor info
10.0.0.14: Could not get drive information!
10.0.0.14: Could not get network adapter information!
10.0.0.14: Error getting BIOS information!
0
 
wantabe2 Commented:
Hmmm....have you ever used Ethereal (now it's called Wireshark)? You can run a capture on the MAC...I'm not sure on the command but it will be something similar to ether mac xx:xx:xx:xx:xx:xx though. From the tools you've used, it sounds like this is not a computer. It could even be one of the newer cell phones or iPods.
0
 
modest911 Author Commented:
Yeah I tried running a packet capture and it's not capturing anything. It's like it's just sitting doing nothing. From that coffer link above it shows as a Dell device. That is why I am thinking it might be a "personal" printer. I have one more person's office to check. I will post results.
0
 
wantabe2 Commented:
If it's a Dell printer with an IP, you should be able to open your browser & type the IP in & go to the admin page.
0
 
modest911 Author Commented:
Yeah - Maybe it's not a printer then - I already tried to pull up a web browser admin page.

Weird thing just happened - I tried to ping the IP from the DHCP server and I can't ping it. But, I can ping it from my client. I am about to shut down my computer and see if I can ping the IP from another computer. Maybe it has something to do with me. I have no idea. haha
0
 
wantabe2 Commented:
Hmmm
Check your DNS server & make sure there are not 2 host A records with the same IP address but with different names.
0
 
modest911 Author Commented:
That's the weird thing - the IP in question is nowhere in DNS
0
 
modest911 Author Commented:
Okay, I can ping the questionable IP from just about every machine except one server that I said I couldn't ping from above. This server does have two NICs - But, one of them is disabled with a "dummy" IP
0
 
modest911 Author Commented:
Well I have accounted for all personal printers. So back to square one - I have no idea. haha
0
 
modest911 Author Commented:
As you guessed it I still haven't found the mystery IP. haha
0
 
modest911 Author Commented:
Nope, still haven't found the IP - Weird thing is, I blocked access to any system resources internally and externally for this IP and I am not getting any alerts in the firewall for it. So, whatever it is - It's not doing anything, just sitting there.
0
 
modest911 Author Commented:
I did figure this out in Ubuntu with networking tools lookup

Name: 0.0.10.in.addrarpa
TTL:3600
Address Type: In
Record:SOA
Address: myserver.domain.com.admin.domain.com 23586 900 600 86400 3600
0
 
modest911 Author Commented:
Finally found the unknown IP. It is a BMC Remote Access card on one of my servers. I am going to split points because I learned some new ideas with this problem and help
0
 
modest911 Author Commented:
Giving points due to the fact I learned about new tools and ideas.
0
Question has a verified solution.
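
The manual cross-check worked through in this thread (ARP table, MAC vendor prefix, static-IP list) can be scripted; the following is an added example, not code posted by any participant. The inventory, the exclusion range, every MAC suffix and the function names are assumptions; only 10.0.0.14, 10.0.0.254 and the 00188B vendor result come from the thread.

```python
import ipaddress
import re

# Constructed `arp -a` output. Only 10.0.0.14, 10.0.0.254 and the 00188B
# prefix come from the thread; every other value is made up.
ARP_OUTPUT = """\
Interface: 10.0.0.254 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.10             00-18-8b-aa-00-10     dynamic
  10.0.0.12             00-0d-0d-aa-00-12     dynamic
  10.0.0.14             00-18-8b-aa-00-14     dynamic
  10.0.0.120            00-0d-0d-aa-01-20     dynamic
"""
# Hypothetical static-IP inventory: ip -> (device name, recorded MAC).
INVENTORY = {
    "10.0.0.10": ("server01", "00188BAA0010"),
    "10.0.0.12": ("printer01", "000D0DAA0012"),
}
OUI_VENDORS = {"00188B": "Dell"}      # vendor result reported in the thread
EXCLUDED = ("10.0.0.1", "10.0.0.20")  # assumed DHCP exclusion range
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.M)

def normalize_mac(mac):
    """Strip separators so 00-18-8b-.. and 00:18:8B:.. compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def parse_arp(text):
    return [(ip, normalize_mac(mac), kind) for ip, mac, kind in ROW.findall(text)]

def unaccounted(arp_text, inventory=INVENTORY, excluded=EXCLUDED):
    """Return ARP entries in the static range that the inventory cannot explain."""
    lo, hi = (ipaddress.ip_address(a) for a in excluded)
    findings = []
    for ip, mac, _ in parse_arp(arp_text):
        if not lo <= ipaddress.ip_address(ip) <= hi:
            continue  # DHCP-served address, outside the static range
        known = inventory.get(ip)
        if known and known[1] == mac:
            continue  # matches the documented static assignment
        oui = mac[:6]
        findings.append({
            "ip": ip, "mac": mac, "vendor": OUI_VENDORS.get(oui, "unknown"),
            "reason": "mac mismatch" if known else "not in inventory",
            # Heuristic: inventoried hosts from the same vendor may carry a
            # second interface (e.g. a remote access card) with its own IP.
            "check_hosts": sorted(n for n, m in inventory.values() if m[:6] == oui),
        })
    return findings

if __name__ == "__main__":
    print(unaccounted(ARP_OUTPUT))
```

Recording the MAC and IP of each server's management controller in the static inventory keeps such an address from showing up as unaccounted.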