Identifying physical device with just an IP


I'm trying to find a physical device on my client's network; all I have is its IP address.
It keeps regularly dropping off.

The MAC address (f4-f2-6d-00-a8-6d) apparently corresponds to a TP-Link device.
A port scan revealed the following open ports: 135, 139, 445, 8080.

I'm not sure how to proceed any further without having to disconnect cables in order to isolate the device.
Yann Shukor (Owner) asked:

Mal Osborne (Alpha Geek) commented:
139 and 445 would seem to indicate an SMB (Microsoft file) server. You might try running \\, if the machine is a domain member, you should see a list of shares it has. You could also go to \\\c$, if you have admin rights to the machine, you can browse its hard drive.

8080 is likely either a web server or a proxy server. Go to http:\\ with a browser, and see what, if anything, pops up.
If you have managed switches, you could take advantage of their MAC address tables to trace by port(s). So if you decided to disconnect cable(s), at least you would be able to pinpoint the right one before doing it.
John (Business Consultant, Owner) commented:
Try Advanced IP Scanner ( ; free). Install it and run it. Scan your subnet e.g. .  Let it run. All the devices will show up and in almost all cases the name of the device is shown.

I guess the better question is: are you trying to identify what the device is, or are you trying to identify its location? My answer was location based, whereas the other responses are more based on what the device is.
Yann Shukor (Owner, Author) commented:
The answer to your question is 'both', since one will lead to the other.
That's what I figured. At the end of the day, you'd need to track down the location anyway. I'd work through the switches, but I'd also follow Mal's advice of trying to browse to port 8080 of the device in question. That should let you see a login page of something.

I'm willing to bet whatever IP that device has is conflicting with something else, hence why you see it going on and off the network the way that you do. If you used arp at varying times, you might sometimes end up with a different MAC resulting.
On any device
arp -a
will show MAC address associated with specific IP address.

If there is a managed switch, it must have the MAC address somewhere.
Check the MAC address on the switch ports and you will find where the device is connected.

You can try to use nmap to discover more details about the host (typically it can find out details, but it can be against company policy and can be seen as a network attack, so check with the customer that it is possible to perform an nmap scan). Otherwise you will have to go from device to device and check IP address/MAC address.
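
The arp and switch-table checks suggested in the comments above, as an added example that is not part of the original thread: it compares `arp -a` snapshots taken at different times to spot an IP answered by more than one MAC, then looks a MAC up in a switch MAC address table. The IP addresses, the second MAC, the port names and the Cisco-style table layout are constructed assumptions; only f4-f2-6d-00-a8-6d comes from the question.

```python
import re
from collections import defaultdict

# Windows dash / colon notation, or Cisco dotted notation (f4f2.6d00.a86d)
MAC_RE = re.compile(
    r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def norm_mac(mac):
    """Reduce any of the notations above to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def macs_per_ip(snapshots):
    """Map each IP to the set of MACs seen for it across `arp -a` outputs."""
    seen = defaultdict(set)
    for text in snapshots:
        for line in text.splitlines():
            ip, mac = IP_RE.search(line), MAC_RE.search(line)
            if ip and mac:  # header and "Interface:" lines carry no MAC
                seen[ip.group()].add(norm_mac(mac.group()))
    return seen

def conflicting_ips(snapshots):
    """IPs that resolved to more than one MAC: a likely address conflict."""
    return {ip: sorted(m) for ip, m in macs_per_ip(snapshots).items() if len(m) > 1}

def switch_ports(mac_table, mac):
    """Return (vlan, port) for each row of the switch table that holds `mac`."""
    want, hits = norm_mac(mac), []
    for line in mac_table.splitlines():
        m = MAC_RE.search(line)
        if m and norm_mac(m.group()) == want:
            fields = line.split()
            hits.append((fields[0], fields[-1]))
    return hits

# Constructed sample data (documentation IP and MAC ranges, hypothetical ports)
ARP_T1 = """Interface: 192.0.2.10 --- 0x4
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-5e-00-53-01     dynamic
  192.0.2.50            f4-f2-6d-00-a8-6d     dynamic
"""
ARP_T2 = ARP_T1.replace("f4-f2-6d-00-a8-6d", "00-00-5e-00-53-aa")
MAC_TABLE = """Vlan    Mac Address       Type        Ports
  10    0000.5e00.5301    DYNAMIC     Gi1/0/24
  10    f4f2.6d00.a86d    DYNAMIC     Gi1/0/7
"""
if __name__ == "__main__":
    print(conflicting_ips([ARP_T1, ARP_T2]))
    print(switch_ports(MAC_TABLE, "f4-f2-6d-00-a8-6d"))
```

If the port returned also carries many other MACs, it is an uplink to another switch and the same lookup has to be repeated on that switch.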
Yann Shukor (Owner, Author) commented:
Web access, ssh/telnet, network share access, and port scan had all been attempted before opening this ticket.

First suggestions are always simple ideas that have a chance to be easily implemented and tested. If the first suggestions, simple ideas, are not successful, then try something else, harder to implement with less obvious results.

So, I want to make a few points:
- when opening ticket why not write what you already tried not to waste time (for either you or others)?
Getting answers about what you already tried is pointless. If I know what you have already tried I would not suggest trying it.
- Specify network equipment that is in use since there can be a device-specific solution (for example Cisco has Layer 2 Traceroute which could solve your issue, but it is proprietary technology and the vendor for the devices is unknown).
There can always be some solution for such detection including creating DoS attack on that IP address and simply looking at lights on switch which light has changed blinking rate when attack started. :)
I guess there can be other solutions too...

Which leads us to another point:
- simply delete the question if there are no useful suggestions. But I guess that leads us back to: when opening a ticket, write what you already tried.

Is the IP address that mystery device is using in use by another device? If so, then I would try to disconnect the known device if possible. That should keep the mystery device online, then you can work on tracking it down.