• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2545
  • Last Modified:

Find Machine/IP address from MAC address

Unfortunately I do not have a managed switch, so I cannot find the IP from a MAC address that way. I do however have a SonicWall Firewall and an IP scanner at my disposal.

Here is the problem. I am getting these messages from my SonicWall TZ170.
I need to locate the machine using this IP: 169.24.99.10
OR this MAC Address 00:08:c7:4f:f6:e9

Any help is appreciated.

Time: 05/08/2009 16:51:39
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.24.99.10, 137, LAN
Destination: 10.81.34.9, 137, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:43:24
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3422, LAN
Destination: 10.81.2.1, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:37:56
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.83.1.1, 137, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:35:28
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.83.1.1, 137, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:31:23
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3357, LAN
Destination: 10.81.34.21, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:25:12
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.81.2.20, 137, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9

Time: 05/08/2009 16:22:59
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3227, LAN
Destination: 10.81.32.5, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9
0
pzozulka
Asked:
pzozulka
  • 11
  • 8
  • 4
  • +4
3 Solutions
 
nhenny2009Commented:
IP addresses starting with 169.254 usually mean DHCP failure
0
 
pzozulkaAuthor Commented:
Yes I know. But my question is I have an IP address starting with 169.xx.xx.xx and I have a MAC address. I need to find the machine that this info belongs to.
0
 
SPremeauCommented:
The mac address is a Hewlett Packard device, depending on your environment, this may narrow down your search.

If you have an IP scanner, you may be able to scan your known range and see if you can hit the mac address on another IP, which may help you find it.

Second choice would be to get another machine on the same network (ie, configure it to 169.254.99.254 and see if you can talk to it enough to figure out what it is.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
msn-expertCommented:
even without a managed switch, your router should give you a list of all the devices connected- short name, ip, mac
try snooping around in your routers settings (usually 192.168.1.1)

or
Please provide us with your router type / make model
0
 
pzozulkaAuthor Commented:
If for the Router you are referring to the Default Gateway, it is a SonicWall TZ170 Firewall. IP = 10.83.1.1
0
 
msn-expertCommented:
If other computers can connect to it, it also is a router.
Try typing 10.83.1.1 in your web browser, that should get you into your settings
0
 
coredatarecoveryCommented:
This could be as innocent as someone who has setup a linksys router, copied the mac address to the router and now is trying to just plug into the network directly instead of thru the router.

Or, it could be a malicious hacker trying to obtain access to your network.

If you go into the router, status, active leases, do you see this mac address with an assigned IP address?

If so, you can turn off devices on the network until you cannot ping the device any more.

As mentioned above, it looks like this may be an HP Laptop, or HP device of some sort.

I"d start by looking up active leases with that mac address, ping that ip address and then shutdown anything saying HP on the network until the ping fails.

0
 
pzozulkaAuthor Commented:
coredatarecovery:
I have full access to the SonicWall TZ170. Also we have a domain controller with DHCP/DNS services. I will look for active leases on Monday in the DHCP settings to see if any MAC addr match the one specified by the firewall.
We have a lot of HP devices on the network, and I don't know if it would be be feasible to start turning devices off. Also, I don't think we have anyone with enough expertise to even know what a MAC address is. I am sure its something as simple as a machine or a NIC on a machine that was unable to obtain an IP from DHCP server.

In this entry below, the "destination" address is a domain controller & DHCP/DNS Server at our corporate office. All sites are setup using site-to-site VPN.

Time: 05/08/2009 16:43:24
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 3422, LAN
Destination: 10.81.2.1, 139, WAN
Notes: MAC address: 00:08:c7:4f:f6:e9
====================================================
In the entry below, the "destination" address is a Local DC/DHCP/DNS Server:
Time: 05/08/2009 16:37:56
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.110, 137, LAN
Destination: 10.83.1.1, 137, LAN
Notes: MAC address: 00:08:c7:4f:f6:e9
=====================================================

I don't know if these entries say much, but this device is definitely trying to communicate with our servers to request some type of service. Either DHCP or whatever else.
********************************************************************************************
msn-expert:
"even without a managed switch, your router should give you a list of all the devices connected- short name, ip, mac
try snooping around in your routers settings (usually 192.168.1.1) or Please provide us with your router type / make model"

My Firewall/Router is a SonicWall TZ170. I am not that familiar with a SonicWall, so if you perhaps know where this list of devices connected is, that would be helpful. (short name, ip, mac).
********************************************************************************************
SPremeau:
"Second choice would be to get another machine on the same network (ie, configure it to 169.254.99.254 and see if you can talk to it enough to figure out what it is."

Seems to be a good suggestion, I will try it and will report back.
0
 
lanboyoCommented:
It looks like a windows device that failed to get DHCP. It was configured to be on your network at one time because it is currently attempting to hit domain resources.

I don't know if you can remotely reload the switch, but if you did this out of hours it would make the pc attempt to get a new IP when it saw the interface go up and down.  Of course if it failed to get dhcp once it may do so again.
0
 
coredatarecoveryCommented:
You can't talk on the 169.x.x.x network usually because the netmask is usually 0.0.0.0 or point to point.
0
 
moorhouselondonCommented:
Port 137 and 139 are mentioned in your diagnostic.  These are to do with Netbios service, which I think indicates you are probably looking for a pc rather than any other kind of device.  
0
 
coredatarecoveryCommented:
I agree, those two ports are normally associated with windows. I would, from the MAC Address guess it's a printer not obtaining an IP address with DHCP or other methods.

HP Does not make most of the chipsets used in their desktop and laptop units, they use broadcomm or other people's chips. So, the fact it says in the mac address code "I'm an HP" means it is likely a jetdirect card, or a inkjet printer.

I'd turn off all the HP printers and see if you get any more of these messages.
0
 
lanboyoCommented:
If you do an arp -a repeatedly on a local file server, does that mac address show up on a 10. Address as well? Could be a second interface.
0
 
pzozulkaAuthor Commented:
Tried checking the ARP tables of the local DC/file server/ DHCP/DNS server, and the MAC addr is not one of the items on the list.

I am currently looking into one of the printers I believe a HP Color LaserJet 3600.

Are there any other known ways or any tools out there to search for IP or Host Names based on MAC Address. I have several MAC addresses that I need to find corresponding machines for.
0
 
coredatarecoveryCommented:
Usually there is a table on the firewall/router where you can bring up the DHCP assigned devices.
(usually under status)

You then can setup a ping, or try in the case of printers, to login to their web page
http://ipaddressinquestion/

The mac address is listed if the dhcp server is a windows server, it's just further to the right in the DHCP server active leases window.
0
 
pzozulkaAuthor Commented:
The problem is that our Firewall/Router does not assign DHCP. We have a Dedicated Windows Server 2003 that is the Primary DHCP server.

I tried goint to http://169.254.99.110, but no luck because we are not on the same subnet, or at least the IP addr in question is not in the range of our subnet, so it says page cannot be displayed because the device is not found. I cannot even begin to ping this address to begin with.

I also checked the Active Leases in Windows Server 2003 DHCP settings. It is not listed on that list either. I will also check to see the  DHCP reservations, but I am not sure if those actually list the MAC addr. But under regular leases it is not listed because our DHCP server would not give out a 169.xx.xx.xx IP address.  I was specifically looking for the MAC addr on the active leases pages but it is not listed their.

Any tools out there anyone is aware of?
0
 
moorhouselondonCommented:
This is where managed switches come in handy
0
 
coredatarecoveryCommented:
I reiterate, you cannot speak to 169.254 except from 169.254.x.x
If you had obtained an IP Address, you'd have better luck viewing and finding the unit.

Hints for finding the printer.
1. It has not obtained an IP Address, so you won't be able to print to it thru the network.
    If all of your printers are working, it must be otherwise attached.
    So, look for printers that have both a network cord attached and a USB/Paralell wire attached.

2. The printer in question may be trying to use bootp instead of DHCP. You may be able to push an IP Address with a bootp protocol program.

3. you may be able to setup the mac address in your dhcp server on windows 2003 as a static IP address assigned by dhcp. This would tell the dhcp server to auto assign a particular IP address to this device.
This may fix the problem of assigning an ip address.

4 If you can get the device to accept an ip address, you can then run a continuious ping when network traffic is low and look for the flashing number on the switch. Kind of a crude solution, but it will work.

0
 
pzozulkaAuthor Commented:
"3. you may be able to setup the mac address in your dhcp server on windows 2003 as a static IP address assigned by dhcp. This would tell the dhcp server to auto assign a particular IP address to this device.
This may fix the problem of assigning an ip address."


I really like this solution. I have the MAC so I'm going to try to setup a DHCP reservation to a static IP within our subnet range. Nice Idea.
==========================================================
"I reiterate, you cannot speak to 169.254 except from 169.254.x.x"

If I do setup another machine on the network with the 169.xx.xx.xx static ip programmed into it, what subnet mask do I need to use and what gateway should I assign in order to communicate with that machine?
0
 
pzozulkaAuthor Commented:
Also, just to respond about the printers. I went to all the network enabled HP printers in the company (5 printers), and printed out the TEST page. All the MAC addresses were different than the one in question here.
0
 
coredatarecoveryCommented:
do you have a jet direct device plugged in (A little blue box or white box) somewhere connected to a non hp printer?

What HP Equipment do you have in the building that is NOT a printer?
(The mac address definitely belongs to HP.)
The Device, whatever it is should have a sticker on it with it's mac address (Unless it's a PC)

Do you have any plotters?


no gateway is possible, as it won't route to that subnet it's not a routeable address.

You could speak to the broadcast address for the 169.254.x.x address, what is the subnet mask?
0
 
moorhouselondonCommented:
Related question which explores the Netbios avenue I mentioned earlier:-

http://www.experts-exchange.com/Networking/Misc/Q_21226118.html


What happens if you *temporarily* enable Netbios support in the Sonicwall?  Warning: I would recommend removing the WAN connection from the SonicWall before doing this!

http://www.sonicwall.com/downloads/Network_Browsing_with_IP_Helper_NetBIOS_Relay.pdf
0
 
pzozulkaAuthor Commented:
coredatarecovery: We have many HP notebooks in the office as sales people come and go with them. The only Jet Direct devices we have are inside the HP printers, but as I mentioned earlier, none of the HP printers tested positive for the MAC address in question.

"You could speak to the broadcast address for the 169.254.x.x address, what is the subnet mask?"

I'm not sure what you mean by that? Our subnet mask is 255.255.0.0. Our broadcast address is 10.83.255.255. If I understand you correctly, there is absolutely no way to communicate with that machine right? If wrong, please explain what steps are needed to take to config a machine to talk to 169.254.x.x.

moorhouselondon: "What happens if you *temporarily* enable Netbios support in the Sonicwall?  Warning: I would recommend removing the WAN connection from the SonicWall before doing this!"

The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requests.

Does this really apply to our environment? IP Helper is primarily used in environments where a DHCP server is not available. We on the other hand do have a DHCP Server available.
0
 
moorhouselondonCommented:
What is being used as your DHCP server?
0
 
coredatarecoveryCommented:
You could check the wired internet port mac addresses for each laptop. I suspect that you will find that it could be an older laptop in the group. Most of the new ones don't have network chips manufactured by HP, they use broadcomm, intel, or realtek.

This MAC address is definately some HP device, Unfortunately, I am unable to find a breakdown or a database online where I can lookup  HP's MAC address to identify what device it is.

If it's a hacker, he could be spoofing the IP address as an HP laser printer to throw you off.
(Although I doubt that he would be still online over several weeks without obtaining an IP address)

Check your HP laptops and desktops, if the network card (wired) is not made by HP, It won't have an HP Mac address.
0
 
pzozulkaAuthor Commented:
moorhouselondon: Windows Server 2003 R2 x64 is our DHCP server.

coredatarecovery: Thanks for the info, my next step will be to track down all the HP notebooks, they are the older type, and are not always available since they come in and out of the office daily. Will report back.
0
 
pzozulkaAuthor Commented:
I think I got the answer, but it doesn't make any sense to me at all. I found the MAC address on one of the network adapters of a really really really old server. Also, our DHCP server.

The MAC address in question in the SonicWall logs is: 00-08-C7-4F-F6-E9

However, that MAC address belongs to a healthy normal IP address, as you can see below.

The 169.254.99.110 belongs to some other MAC address that I have never seen below, a Compaq NIC. In Network Connections, it says "PCI Card". I will try to Disable this Connection and see what happens.

 
Windows IP Configuration
 
 
 
   Host Name . . . . . . . . . . . . : NEWSOM
 
   Primary Dns Suffix  . . . . . . . : bcr.local
 
   Node Type . . . . . . . . . . . . : Hybrid
 
   IP Routing Enabled. . . . . . . . : No
 
   WINS Proxy Enabled. . . . . . . . : No
 
   DNS Suffix Search List. . . . . . : bcr.local
 
 
 
Ethernet adapter Embedded:
 
 
 
   Connection-specific DNS Suffix  . : bcr.local
 
   Description . . . . . . . . . . . : Netelligent 10/100TX PCI Embedded UTP/AUI Controller
 
   Physical Address. . . . . . . . . : 00-08-C7-4F-F6-E9
 
   DHCP Enabled. . . . . . . . . . . : No
 
   IP Address. . . . . . . . . . . . : 10.83.2.1
 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
 
   Default Gateway . . . . . . . . . : 10.83.1.1
 
   DNS Servers . . . . . . . . . . . : 10.83.2.1
 
                                       10.81.2.1
 
   Primary WINS Server . . . . . . . : 10.83.2.1
 
   Secondary WINS Server . . . . . . : 10.81.2.1
 
                                       10.82.2.1
 
                                       10.81.2.3
 
 
 
Ethernet adapter PCI Card:
 
 
 
   Connection-specific DNS Suffix  . : 
 
   Description . . . . . . . . . . . : Compaq NC3120 Fast Ethernet NIC
 
   Physical Address. . . . . . . . . : 00-08-C7-E9-A5-BF
 
   DHCP Enabled. . . . . . . . . . . : Yes
 
   Autoconfiguration Enabled . . . . : Yes
 
   Autoconfiguration IP Address. . . : 169.254.99.110
 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
 
   Default Gateway . . . . . . . . . : 

Open in new window

0
 
lanboyoCommented:
Okay, this server has a process that bound to the adaptor that is not in use. Disable it and reboot.

This was what I was hinting about poking around in the arp tables for.

The interface on your network allows the server to send the data to approptiate windows servers in ad roles and such, but the process bound to the unused adaptor still sends it with the ip of the non-disabled interface. As it is not on the network there is no way it could be pinged.... It uses the mac of the actual sending interface.
0
 
coredatarecoveryCommented:
Was the really old server an HP?
0
 
pzozulkaAuthor Commented:
It was an HP.

Thanks all for helping. Will try to distribute the points as evenly as possible, since there are over 29 posts.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 11
  • 8
  • 4
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now