Solved

Find Machine/IP address from MAC address

Posted on 2009-05-08
Last Modified: 2012-05-06
Unfortunately I do not have a managed switch, so I cannot find the IP from a MAC address that way. I do however have a SonicWall Firewall and an IP scanner at my disposal.

Here is the problem. I am getting these messages from my SonicWall TZ170.
I need to locate the machine using this IP: 169.24.99.10
OR this MAC Address 00:08:c7:4f:f6:e9

Any help is appreciated.

Time: 05/08/2009 16:51:39
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.24.99.10, 137, LAN
Destination: 10.81.34.9, 137, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:43:24
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3422, LAN
Destination: 10.81.2.1, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:37:56
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.83.1.1, 137, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:35:28
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.83.1.1, 137, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:31:23
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3357, LAN
Destination: 10.81.34.21, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:25:12
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.81.2.20, 137, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:22:59
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3227, LAN
Destination: 10.81.32.5, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9
Question by: pzozulka

Expert Comment by: nhenny2009
IP addresses starting with 169.254 usually mean DHCP failure.
Author Comment by: pzozulka
Yes, I know. But my question is: I have an IP address starting with 169.xx.xx.xx and I have a MAC address. I need to find the machine that this info belongs to.
Expert Comment by: SPremeau
The MAC address is a Hewlett Packard device; depending on your environment, this may narrow down your search.

If you have an IP scanner, you may be able to scan your known range and see if you can hit the MAC address on another IP, which may help you find it.

Second choice would be to get another machine on the same network (i.e., configure it to 169.254.99.254) and see if you can talk to it enough to figure out what it is.
Expert Comment by: msn-expert
Even without a managed switch, your router should give you a list of all the devices connected: short name, IP, MAC.
Try snooping around in your router's settings (usually 192.168.1.1).

Or, please provide us with your router type / make / model.
Author Comment by: pzozulka
If by the router you are referring to the default gateway, it is a SonicWall TZ170 firewall. IP = 10.83.1.1
Expert Comment by: msn-expert
If other computers can connect to it, it is also a router.
Try typing 10.83.1.1 in your web browser; that should get you into your settings.
Accepted Solution by: coredatarecovery (earned 250 total points)
This could be as innocent as someone who has set up a Linksys router, copied the MAC address to the router, and is now trying to just plug into the network directly instead of through the router.

Or, it could be a malicious hacker trying to obtain access to your network.

If you go into the router, Status, Active Leases, do you see this MAC address with an assigned IP address?

If so, you can turn off devices on the network until you cannot ping the device any more.

As mentioned above, it looks like this may be an HP laptop, or HP device of some sort.

I'd start by looking up active leases with that MAC address, ping that IP address and then shut down anything saying HP on the network until the ping fails.

Author Comment by: pzozulka
coredatarecovery:
I have full access to the SonicWall TZ170. Also, we have a domain controller with DHCP/DNS services. I will look for active leases on Monday in the DHCP settings to see if any MAC addr matches the one specified by the firewall.
We have a lot of HP devices on the network, and I don't know if it would be feasible to start turning devices off. Also, I don't think we have anyone with enough expertise to even know what a MAC address is. I am sure it's something as simple as a machine or a NIC on a machine that was unable to obtain an IP from the DHCP server.

In this entry below, the "destination" address is a domain controller & DHCP/DNS server at our corporate office. All sites are set up using site-to-site VPN.

Time: 05/08/2009 16:43:24
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3422, LAN
Destination: 10.81.2.1, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9
====================================================
In the entry below, the "destination" address is a Local DC/DHCP/DNS Server:
Time: 05/08/2009 16:37:56
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.83.1.1, 137, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9
=====================================================

I don't know if these entries say much, but this device is definitely trying to communicate with our servers to request some type of service. Either DHCP or whatever else.
********************************************************************************************
msn-expert:
"even without a managed switch, your router should give you a list of all the devices connected- short name, ip, mac
try snooping around in your routers settings (usually 192.168.1.1) or Please provide us with your router type / make model"

My Firewall/Router is a SonicWall TZ170. I am not that familiar with a SonicWall, so if you perhaps know where this list of devices connected is, that would be helpful. (short name, ip, mac).
********************************************************************************************
SPremeau:
"Second choice would be to get another machine on the same network (ie, configure it to 169.254.99.254 and see if you can talk to it enough to figure out what it is."

Seems to be a good suggestion, I will try it and will report back.
Expert Comment by: lanboyo
It looks like a Windows device that failed to get DHCP. It was configured to be on your network at one time, because it is currently attempting to hit domain resources.

I don't know if you can remotely reload the switch, but if you did this out of hours it would make the PC attempt to get a new IP when it saw the interface go up and down. Of course, if it failed to get DHCP once it may do so again.
Expert Comment by: coredatarecovery
You can't talk on the 169.x.x.x network usually because the netmask is usually 0.0.0.0 or point to point.
Assisted Solution by: moorhouselondon (earned 50 total points)
Ports 137 and 139 are mentioned in your diagnostic. These are to do with the NetBIOS service, which I think indicates you are probably looking for a PC rather than any other kind of device.
Expert Comment by: coredatarecovery
I agree, those two ports are normally associated with Windows. I would, from the MAC address, guess it's a printer not obtaining an IP address with DHCP or other methods.

HP does not make most of the chipsets used in their desktop and laptop units; they use Broadcom or other people's chips. So, the fact that the MAC address code says "I'm an HP" means it is likely a JetDirect card, or an inkjet printer.

I'd turn off all the HP printers and see if you get any more of these messages.
Expert Comment by: lanboyo
If you do an arp -a repeatedly on a local file server, does that MAC address show up on a 10. address as well? Could be a second interface.
Author Comment by: pzozulka
Tried checking the ARP tables of the local DC/file server/ DHCP/DNS server, and the MAC addr is not one of the items on the list.

I am currently looking into one of the printers, I believe an HP Color LaserJet 3600.

Are there any other known ways or any tools out there to search for IP or Host Names based on MAC Address. I have several MAC addresses that I need to find corresponding machines for.
Expert Comment by: coredatarecovery
Usually there is a table on the firewall/router where you can bring up the DHCP-assigned devices
(usually under Status).

You can then set up a ping, or, in the case of printers, try to log in to their web page:
http://ipaddressinquestion/

The MAC address is listed if the DHCP server is a Windows server; it's just further to the right in the DHCP server Active Leases window.
Author Comment by: pzozulka
The problem is that our Firewall/Router does not assign DHCP. We have a Dedicated Windows Server 2003 that is the Primary DHCP server.

I tried going to http://169.254.99.110, but no luck because we are not on the same subnet, or at least the IP addr in question is not in the range of our subnet, so it says page cannot be displayed because the device is not found. I cannot even begin to ping this address to begin with.

I also checked the Active Leases in Windows Server 2003 DHCP settings. It is not listed on that list either. I will also check the DHCP reservations, but I am not sure if those actually list the MAC addr. But under regular leases it is not listed, because our DHCP server would not give out a 169.xx.xx.xx IP address. I was specifically looking for the MAC addr on the Active Leases pages but it is not listed there.

Any tools out there anyone is aware of?
Expert Comment by: moorhouselondon
This is where managed switches come in handy.
Expert Comment by: coredatarecovery
I reiterate, you cannot speak to 169.254 except from 169.254.x.x.
If you had obtained an IP address, you'd have better luck viewing and finding the unit.

Hints for finding the printer:
1. It has not obtained an IP address, so you won't be able to print to it through the network.
    If all of your printers are working, it must be otherwise attached.
    So, look for printers that have both a network cord attached and a USB/parallel wire attached.

2. The printer in question may be trying to use BOOTP instead of DHCP. You may be able to push an IP address with a BOOTP protocol program.

3. You may be able to set up the MAC address in your DHCP server on Windows 2003 as a static IP address assigned by DHCP. This would tell the DHCP server to auto-assign a particular IP address to this device.
This may fix the problem of assigning an IP address.

4. If you can get the device to accept an IP address, you can then run a continuous ping when network traffic is low and look for the flashing number on the switch. Kind of a crude solution, but it will work.

Author Comment by: pzozulka
"3. You may be able to set up the MAC address in your DHCP server on Windows 2003 as a static IP address assigned by DHCP. This would tell the DHCP server to auto-assign a particular IP address to this device.
This may fix the problem of assigning an IP address."

I really like this solution. I have the MAC, so I'm going to try to set up a DHCP reservation to a static IP within our subnet range. Nice idea.
==========================================================
"I reiterate, you cannot speak to 169.254 except from 169.254.x.x"

If I do setup another machine on the network with the 169.xx.xx.xx static ip programmed into it, what subnet mask do I need to use and what gateway should I assign in order to communicate with that machine?
Author Comment by: pzozulka
Also, just to respond about the printers. I went to all the network enabled HP printers in the company (5 printers), and printed out the TEST page. All the MAC addresses were different than the one in question here.
Expert Comment by: coredatarecovery
Do you have a JetDirect device plugged in (a little blue box or white box) somewhere connected to a non-HP printer?

What HP equipment do you have in the building that is NOT a printer?
(The MAC address definitely belongs to HP.)
The device, whatever it is, should have a sticker on it with its MAC address (unless it's a PC).

Do you have any plotters?

No gateway is possible, as it won't route to that subnet; it's not a routable address.

You could speak to the broadcast address for the 169.254.x.x address. What is the subnet mask?
Expert Comment by: moorhouselondon
Related question which explores the NetBIOS avenue I mentioned earlier:

http://www.experts-exchange.com/Networking/Misc/Q_21226118.html


What happens if you *temporarily* enable NetBIOS support in the SonicWall? Warning: I would recommend removing the WAN connection from the SonicWall before doing this!

http://www.sonicwall.com/downloads/Network_Browsing_with_IP_Helper_NetBIOS_Relay.pdf
Author Comment by: pzozulka
coredatarecovery: We have many HP notebooks in the office, as sales people come and go with them. The only JetDirect devices we have are inside the HP printers, but as I mentioned earlier, none of the HP printers tested positive for the MAC address in question.

"You could speak to the broadcast address for the 169.254.x.x address, what is the subnet mask?"

I'm not sure what you mean by that? Our subnet mask is 255.255.0.0. Our broadcast address is 10.83.255.255. If I understand you correctly, there is absolutely no way to communicate with that machine right? If wrong, please explain what steps are needed to take to config a machine to talk to 169.254.x.x.

moorhouselondon: "What happens if you *temporarily* enable Netbios support in the Sonicwall?  Warning: I would recommend removing the WAN connection from the SonicWall before doing this!"

The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requests.

Does this really apply to our environment? IP Helper is primarily used in environments where a DHCP server is not available. We on the other hand do have a DHCP Server available.
Expert Comment by: moorhouselondon
What is being used as your DHCP server?
Expert Comment by: coredatarecovery
You could check the wired internet port MAC addresses for each laptop. I suspect that you will find that it could be an older laptop in the group. Most of the new ones don't have network chips manufactured by HP; they use Broadcom, Intel, or Realtek.

This MAC address is definitely some HP device. Unfortunately, I am unable to find a breakdown or a database online where I can look up HP's MAC addresses to identify what device it is.

If it's a hacker, he could be spoofing the IP address as an HP laser printer to throw you off.
(Although I doubt that he would still be online over several weeks without obtaining an IP address.)

Check your HP laptops and desktops: if the network card (wired) is not made by HP, it won't have an HP MAC address.
Author Comment by: pzozulka
moorhouselondon: Windows Server 2003 R2 x64 is our DHCP server.

coredatarecovery: Thanks for the info, my next step will be to track down all the HP notebooks, they are the older type, and are not always available since they come in and out of the office daily. Will report back.
Author Comment by: pzozulka
I think I got the answer, but it doesn't make any sense to me at all. I found the MAC address on one of the network adapters of a really really really old server. Also, our DHCP server.

The MAC address in question in the SonicWall logs is: 00-08-C7-4F-F6-E9

However, that MAC address belongs to a healthy normal IP address, as you can see below.

The 169.254.99.110 belongs to some other MAC address that I have never seen below, a Compaq NIC. In Network Connections, it says "PCI Card". I will try to Disable this Connection and see what happens.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : NEWSOM
   Primary Dns Suffix  . . . . . . . : bcr.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : bcr.local

Ethernet adapter Embedded:

   Connection-specific DNS Suffix  . : bcr.local
   Description . . . . . . . . . . . : Netelligent 10/100TX PCI Embedded UTP/AUI Controller
   Physical Address. . . . . . . . . : 00-08-C7-4F-F6-E9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.83.2.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.83.1.1
   DNS Servers . . . . . . . . . . . : 10.83.2.1
                                       10.81.2.1
   Primary WINS Server . . . . . . . : 10.83.2.1
   Secondary WINS Server . . . . . . : 10.81.2.1
                                       10.82.2.1
                                       10.81.2.3

Ethernet adapter PCI Card:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Compaq NC3120 Fast Ethernet NIC
   Physical Address. . . . . . . . . : 00-08-C7-E9-A5-BF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.99.110
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
Assisted Solution by: lanboyo (earned 200 total points)
Okay, this server has a process that is bound to the adaptor that is not in use. Disable it and reboot.

This was what I was hinting about poking around in the ARP tables for.

The interface on your network allows the server to send the data to the appropriate Windows servers in AD roles and such, but the process bound to the unused adaptor still sends it with the IP of the non-disabled interface. As it is not on the network, there is no way it could be pinged. It uses the MAC of the actual sending interface.
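The correlation that finally resolved this thread, done programmatically, as an added example that is not part of the original posts: parse SonicWall "IP spoof dropped" alerts, parse the server's ipconfig /all output, and report which adapter owns the logged MAC and which adapter owns the logged source IP, flagging APIPA (169.254.0.0/16) sources. The sample log and ipconfig text are constructed from the values quoted above, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: one alert in the SonicWall TZ170 log format quoted in the thread.
SONICWALL_LOG = """\
Time: 05/08/2009 16:43:24
Message: IP spoof dropped
Source: 169.254.99.110, 3422, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9
"""

# Constructed sample: abridged `ipconfig /all` of the host identified in the thread.
IPCONFIG = """\
Ethernet adapter Embedded:
   Physical Address. . . . . . . . . : 00-08-C7-4F-F6-E9
   IP Address. . . . . . . . . . . . : 10.83.2.1
Ethernet adapter PCI Card:
   Physical Address. . . . . . . . . : 00-08-C7-E9-A5-BF
   Autoconfiguration IP Address. . . : 169.254.99.110
"""

def norm_mac(mac):
    return ":".join(re.findall(r"[0-9a-fA-F]{2}", mac)).lower()  # 00-08-C7 -> 00:08:c7

def parse_spoof_alerts(text):
    """Return (src_ip, src_port, mac) for every 'IP spoof dropped' block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w[\w ]*?):\s*(.*)$", block, re.M))
        if fields.get("Message") != "IP spoof dropped":
            continue
        ip, port = (p.strip() for p in fields["Source"].split(",")[:2])
        alerts.append((ip, int(port), norm_mac(fields["Notes"].split("MAC address:")[1])))
    return alerts

def parse_ipconfig(text):
    """Return {adapter: {"mac": ..., "ips": [...]}} from Windows ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line.startswith("Ethernet adapter"):
            current = adapters.setdefault(line.rstrip(":"), {"mac": None, "ips": []})
            continue
        kv = re.match(r"^\s+(.+?)[ .]*:\s*(.*)$", line)
        if not (kv and current):
            continue
        key, val = kv.group(1), kv.group(2).strip()
        if key == "Physical Address":
            current["mac"] = norm_mac(val)
        elif key.endswith("IP Address") and val:  # includes 'Autoconfiguration IP Address'
            current["ips"].append(val)
    return adapters

def correlate(alerts, adapters):
    """Name the adapter owning the logged MAC and the adapter owning the logged source IP."""
    findings = []
    for ip, port, mac in alerts:
        by_mac = [n for n, a in adapters.items() if a["mac"] == mac]
        by_ip = [n for n, a in adapters.items() if ip in a["ips"]]
        findings.append(dict(
            src_ip=ip, src_port=port, mac=mac,
            apipa=ipaddress.ip_address(ip).is_link_local,  # 169.254.0.0/16 (APIPA)
            mac_adapter=by_mac[0] if by_mac else None,
            ip_adapter=by_ip[0] if by_ip else None,
            # True when one host sends with one NIC's MAC but another NIC's IP
            split_origin=bool(by_mac and by_ip and by_mac != by_ip)))
    return findings
```

Run against ipconfig output from each candidate host; a finding with split_origin set is the two-NIC case seen here, while a MAC with no matching adapter on any host points back at the ARP-table and DHCP-lease searches discussed earlier.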
Expert Comment by: coredatarecovery
Was the really old server an HP?
Author Comment by: pzozulka
It was an HP.

Thanks all for helping. Will try to distribute the points as evenly as possible, since there are over 29 posts.