Solved

Find Unknown IP

Posted on 2009-04-07
Last Modified: 2012-05-06
I have been trying to track down the owner of an unknown IP address for about a week now and it's driving me crazy 'cause I can't find it. The IP address is excluded from Windows 2003 DHCP distribution. I have verified all static IPs of printers and servers - I have done a port scan and all ports are closed, I have tried to run psexec cmd to see if I could get into cmd, I have tried to open the IP in a web browser, I have tried to run a packet capture on the IP (no packets seem to be sent or received). Is there any other way I can figure out what this IP belongs to?

BTW I do know what the MAC address is

TIA
Question by:modest911
22 Comments
 
LVL 5

Accepted Solution

by:
johannortje earned 250 total points
ID: 24086512
nbtstat -A xx.xx.xx.xx

Have you tried a reverse DNS lookup on the xx.xx.xx.1, as .1 might be the router/switch (commonly)?
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 24086548
Look at the ARP table on your switches. It should tell you which port it is plugged into if you have the MAC. You could also try looking at the ARP table on the server by typing arp -a at the command prompt. Is this a DHCP address or a static IP? If you have laptops on your LAN, remember, if it is plugged in, the wired NIC & the wireless NIC will have an IP if you have wireless & it is wired in.
0
 
LVL 2

Author Comment

by:modest911
ID: 24086551
These are the results -

C:\>nbtstat -a 10.0.0.14

Local Area Connection:
Node IpAddress: [10.0.0.254] Scope Id: []

    Host not found.

Wireless Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.
0

 
LVL 2

Author Comment

by:modest911
ID: 24086577
I have unmanaged switches. This is a static IP in the excluded IP range.

If I do arp -a on the server it does not show the 14 IP address. If I do arp -a on my client it shows as dynamic.
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 24086608
Have you tried a ping -a to see if you can get the name of the device with the IP? Also, have you tried http://www.coffer.com/mac_find/ to type the MAC in to give you a better idea of what it is? If you can do a regular ping on the device, try to telnet into it or click start>run & type in mstsc to see if you can remote into it. Keep us updated.
0
 
LVL 2

Author Comment

by:modest911
ID: 24086646
Yeah I also tried RDP and VNC -


Cool, that coffer link is awesome - But it shows a vendor we use a lot of here - haha - Still cool though.

Ping -a just gives good replies


C:\>ping -a 10.0.0.14

Pinging 10.0.0.14 with 32 bytes of data:
Reply from 10.0.0.14: bytes=32 time=50ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=26ms TTL=128
Reply from 10.0.0.14: bytes=32 time=45ms TTL=128

Ping statistics for 10.0.0.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 50ms, Average = 36ms

0
 
LVL 2

Author Comment

by:modest911
ID: 24086665
So now I am googling the prefix "00188B"
0
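An added example, not part of the original thread: the two checks discussed above (comparing `arp -a` output from different machines and looking up the MAC prefix) done in one pass. The ARP tables, the full MAC and the server address 10.0.0.5 are constructed; only the 00188B prefix, its Dell attribution and the 10.0.0.14 / 10.0.0.254 addresses come from the thread, and `OUI_VENDORS` stands in for the IEEE OUI registry.

```python
import re

# Constructed `arp -a` output in the Windows format; only the 00-18-8b prefix
# and the 10.0.0.14 / 10.0.0.254 addresses come from the thread.
CLIENT_ARP = """
Interface: 10.0.0.254 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-1a-2b-3c-4d-5e     dynamic
  10.0.0.14             00-18-8b-aa-bb-cc     dynamic
"""
SERVER_ARP = """
Interface: 10.0.0.5 --- 0x10003
  Internet Address      Physical Address      Type
  10.0.0.1              00-1a-2b-3c-4d-5e     dynamic
"""

# Stand-in for the IEEE OUI registry; 00188B -> Dell is what the thread reports.
OUI_VENDORS = {"00188B": "Dell"}

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M)

def parse_arp(text):
    """Return {ip: (mac, type)} from Windows `arp -a` output."""
    return {ip: (mac.lower(), kind.lower()) for ip, mac, kind in ROW.findall(text)}

def describe_mac(mac):
    """Split a MAC into its OUI and the flag bits that affect a vendor lookup."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    oui = octets[:3].hex().upper()
    return {
        "oui": oui,
        "multicast": bool(octets[0] & 0x01),
        # Locally administered MACs (virtual or randomized) have no registry entry.
        "locally_administered": bool(octets[0] & 0x02),
        "vendor": OUI_VENDORS.get(oui, "unknown"),
    }

def locate(ip, caches):
    """caches: {hostname: arp_text}. Report which hosts resolved `ip`, and to what."""
    tables = {host: parse_arp(text) for host, text in caches.items()}
    seen = {host: tbl[ip][0] for host, tbl in tables.items() if ip in tbl}
    macs = set(seen.values())
    return {
        "seen_by": sorted(seen),
        "conflict": len(macs) > 1,  # one IP answering with two MACs
        "macs": {m: describe_mac(m) for m in sorted(macs)},
    }
```

An ARP cache only holds entries for addresses the host has recently talked to, so a missing entry means "not resolved from here", not "does not exist".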
 
LVL 15

Assisted Solution

by:wantabe2
wantabe2 earned 250 total points
ID: 24086827
While we're on the subject of cool tools.... download this http://sourceforge.net/project/showfiles.php?group_id=171954

This is called Lazy Admin. I use it all the time. With this you can type in the IP address of the device & you have several options to choose from. Basically this tool runs a WMI script to that IP address. It will show you what it is, what services are running, what applications are running or installed, well...it will show everything possible about the device. Let me know what you think about it. I'm sure you will be able to solve your problem with Lazy Admin. Post the results here if you don't mind so I can help.
0
 
LVL 2

Author Comment

by:modest911
ID: 24087005
TLA is a nice app - Thanks for that also. But, no joy. I am starting to think maybe someone has a printer on the network that is shared. I am starting to walk office to office - haha


TLA results for 10.0.0.14:
-------------------------------------------
10.0.0.14: Could not get installdate, uptime and installed version!
10.0.0.14: Could not get hosname, model or manufacturer
10.0.0.14: Could not get processor info
10.0.0.14: Could not get drive information!
10.0.0.14: Could not get network adapter information!
10.0.0.14: Error getting BIOS information!
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 24087053
Hmmm....have you ever used Ethereal (now it's called Wireshark)? You can run a capture on the MAC...I'm not sure on the command but it will be something similar to ether mac xx:xx:xx:xx:xx:xx though. From the tools you've used, it sounds like this is not a computer. It could even be one of the newer cell phones or iPods.
0
 
LVL 2

Author Comment

by:modest911
ID: 24087076
Yeah, I tried running a packet capture and it's not capturing anything. It's like it's just sitting doing nothing. From that coffer link above it shows as a Dell device. That is why I am thinking it might be a "personal" printer. I have one more person's office to check. I will post results.
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 24087144
If it's a Dell printer with an IP, you should be able to open your browser & type the IP in & go to the admin page.
0
 
LVL 2

Author Comment

by:modest911
ID: 24087163
Yeah - Maybe it's not a printer then - I already tried to pull up a web browser admin page.

Weird thing just happened - I tried to ping the IP from the DHCP server and I can't ping it. But, I can ping it from my client. I am about to shut down my computer and see if I can ping the IP from another computer. Maybe it has something to do with me. I have no idea. haha
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 24087193
Hmmm
Check your DNS server & make sure there are not 2 host A records with the same IP address but with different names.
0
 
LVL 2

Author Comment

by:modest911
ID: 24087252
That's the weird thing - the IP in question is nowhere in DNS.
0
 
LVL 2

Author Comment

by:modest911
ID: 24087352
Okay, I can ping the questionable IP from just about every machine except one server that I said I couldn't ping from above. This server does have two NICs - but one of them is disabled with a "dummy" IP.
0
 
LVL 2

Author Comment

by:modest911
ID: 24089299
Well I have accounted for all personal printers. So back to square one - I have no idea. haha
0
 
LVL 2

Author Comment

by:modest911
ID: 24137863
As you guessed it, I still haven't found the mystery IP. haha
0
 
LVL 2

Author Comment

by:modest911
ID: 24251627
Nope, still haven't found the IP - Weird thing is, I blocked access to any system resources internally and externally for this IP and I am not getting any alerts in the firewall for it. So, whatever it is - it's not doing anything, just sitting there.
0
 
LVL 2

Author Comment

by:modest911
ID: 24252032
I did figure this out in Ubuntu with networking tools lookup

Name: 0.0.10.in.addrarpa
TTL:3600
Address Type: In
Record:SOA
Address: myserver.domain.com.admin.domain.com 23586 900 600 86400 3600
0
 
LVL 2

Author Comment

by:modest911
ID: 24305563
Finally found the unknown IP. It is a BMC Remote Access card on one of my servers. I am going to split points because I learned some new ideas with this problem and help
0
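An added example, not part of the original thread: an inventory check for BMCs on your own network. A BMC with IPMI over LAN enabled answers an ASF/RMCP Presence Ping on UDP port 623, which a TCP port scan never touches. Whether this particular card had IPMI over LAN enabled is an assumption; the thread does not say. `SAMPLE_PONG` is a constructed reply used to exercise the parser offline.

```python
import socket
import struct

RMCP_PORT = 623          # UDP port assigned to ASF/RMCP, used by IPMI over LAN
ASF_IANA = 4542          # ASF IANA enterprise number (0x000011BE)
PING, PONG = 0x80, 0x40  # ASF message types: Presence Ping / Presence Pong

def build_ping(tag=0):
    """RMCP header (version 6, sequence 0xFF = no ACK, class ASF) + Presence Ping."""
    return struct.pack("!BBBBIBBBB", 0x06, 0x00, 0xFF, 0x06,
                       ASF_IANA, PING, tag, 0x00, 0x00)

def parse_pong(data, tag=0):
    """Return a dict for a valid Presence Pong, or None for anything else."""
    if len(data) < 28:  # 12-byte RMCP/ASF header + 16 bytes of pong data
        return None
    ver, _, _, cls, iana, mtype, rtag, _, dlen = struct.unpack("!BBBBIBBBB", data[:12])
    if (ver, cls & 0x0F, iana, mtype, rtag) != (0x06, 0x06, ASF_IANA, PONG, tag):
        return None
    if dlen < 16:
        return None
    oem_iana, _oem, entities, _interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "oem_iana": oem_iana,
        "ipmi": bool(entities & 0x80),   # bit 7: IPMI supported
        "asf_version": entities & 0x0F,  # 1 = ASF 1.0
    }

def probe(ip, timeout=2.0):
    """Send one ping to `ip`; return the parsed pong, or None on timeout or junk."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ping(), (ip, RMCP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except OSError:  # includes socket.timeout
            return None
    return parse_pong(data)

# Constructed pong: enterprise number 4542 (no OEM data), entities 0x81 =
# IPMI supported + ASF 1.0, interactions 0, six reserved bytes.
SAMPLE_PONG = (bytes.fromhex("0600ff06000011be40000010")
               + struct.pack("!IIBB6x", ASF_IANA, 0, 0x81, 0x00))
```

Calling `probe("10.0.0.14")` from a machine on the same subnet returns a dict when a BMC answers and `None` otherwise.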
 
LVL 2

Author Closing Comment

by:modest911
ID: 31567463
Giving points due to the fact I learned about new tools and ideas.
0
