Identifying physical device with just an IP

Hi

I'm trying to find a physical device on my client's network; all I have is its IP address.
It keeps regularly dropping off.

The MAC address (f4-f2-6d-00-a8-6d) apparently corresponds to a TP-Link device.
A port scan revealed the following open ports: 135, 139, 445, 8080.

I'm not sure how to proceed any further without having to disconnect cables in order to isolate the device.
Asked by: Yann Shukor (Owner)
 
Yann Shukor (Owner, Author) Commented:
Web access, ssh/telnet, network share access, and port scan had all been attempted before opening this ticket.
0
 
Mal Osborne (Alpha Geek) Commented:
139 and 445 would seem to indicate an SMB (Microsoft file) server. You might try running \\xxx.xxx.xxx.xxx; if the machine is a domain member, you should see a list of shares it has. You could also go to \\xxx.xxx.xxx.xxx\c$; if you have admin rights to the machine, you can browse its hard drive.

8080 is likely either a web server or a proxy server. Go to http://xxx.xxx.xxx.xxx:8080 with a browser, and see what, if anything, pops up.
0
 
masnrock Commented:
If you have managed switches, you could take advantage of their MAC address tables to trace by port(s). So if you decided to disconnect cable(s), at least you would be able to pinpoint the right one before doing it.
1
 
John, Business Consultant (Owner), Commented:
Try Advanced IP Scanner (famatech.com; free). Install it and run it. Scan your subnet, e.g. 192.168.1.1-192.168.1.255. Let it run. All the devices will show up and in almost all cases the name of the device is shown.
1
 
masnrock Commented:
I guess the better question is: are you trying to identify what the device is, or are you trying to identify its location? My answer was location based, whereas the other responses are more based on what the device is.
0
 
Yann Shukor (Owner, Author) Commented:
The answer to your question is 'both', since one will lead to the other.
0
 
masnrock Commented:
That's what I figured. At the end of the day, you'd need to track down the location anyway. I'd work through the switches, but I'd also follow Mal's advice of trying to browse to port 8080 of the device in question. That should let you see a login page of something.

I'm willing to bet whatever IP that device has is conflicting with something else, hence why you see it going on and off the network the way that you do. If you used arp at varying times, you might sometimes end up with a different MAC resulting.
0
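The check suggested in the comment above (run `arp -a` at varying times and watch for a different MAC behind the same IP) can be scripted. This is an added example, not part of the original thread; the IP 192.168.1.57, the gateway entry and the second MAC are constructed placeholders, and an ARP cache only reflects what a host on the same subnet has recently seen.

```python
import re
from collections import defaultdict

# Constructed samples: `arp -a` output captured at three times, in both the
# Windows and Linux layouts. Only f4-f2-6d-00-a8-6d comes from the question.
SNAPSHOTS = [
    ("09:00", """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-fe     dynamic
  192.168.1.57          f4-f2-6d-00-a8-6d     dynamic
"""),
    ("09:05", "? (192.168.1.57) at 02:00:00:00:00:01 [ether] on eth0\n"),
    ("09:10", "  192.168.1.57          f4-f2-6d-00-a8-6d     dynamic\n"),
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")

def parse_arp(text):
    """Return {ip: mac} for every line that carries both an IP and a MAC."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers and <incomplete> entries
            table[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return table

def find_conflicts(snapshots):
    """snapshots: list of (timestamp, arp_text), oldest first.
    Return {ip: [(timestamp, mac), ...]} for IPs seen with more than one MAC."""
    history = defaultdict(list)
    for ts, text in snapshots:
        for ip, mac in parse_arp(text).items():
            if not history[ip] or history[ip][-1][1] != mac:
                history[ip].append((ts, mac))  # record only the changes
    return {ip: h for ip, h in history.items() if len({m for _, m in h}) > 1}

if __name__ == "__main__":
    for ip, changes in find_conflicts(SNAPSHOTS).items():
        print(ip, changes)
```

An IP that flips between two MACs points to two devices claiming the same address; each MAC can then be traced separately.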
 
JustInCase Commented:
On any device, `arp -a` will show the MAC address associated with a specific IP address.

If there is a managed switch, it must have the MAC address somewhere.
Check the MAC addresses on the switch ports and you will find where the device is connected.

You can try to use nmap to discover more details about the host (typically it can find out details, but it can be against company policy and can be seen as a network attack, so check with the customer whether it is possible to perform an nmap scan). Otherwise you will have to go from device to device and check the IP address/MAC address.
0
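Tracing a MAC through switch tables, as suggested in this comment and in masnrock's earlier one, usually turns up the address on several switches, because uplink ports learn it too. The added example below (not part of the original thread) separates the access port from uplinks by counting MACs per port; it assumes a Cisco-IOS-style `show mac address-table` layout, and the switch names, ports and all MACs other than the one from the question are constructed.

```python
import re

# Constructed sample output in Cisco-IOS-style `show mac address-table` layout.
# Switch names, ports and every MAC except the one from the question are made up.
TABLES = {
    "core-sw": """\
Vlan    Mac Address       Type        Ports
   1    0200.0000.00fe    DYNAMIC     Gi1/0/1
   1    f4f2.6d00.a86d    DYNAMIC     Gi1/0/24
   1    0200.0000.0011    DYNAMIC     Gi1/0/24
   1    0200.0000.0012    DYNAMIC     Gi1/0/24
""",
    "access-sw": """\
Vlan    Mac Address       Type        Ports
   1    0200.0000.00fe    DYNAMIC     Gi0/1
   1    0200.0000.0011    DYNAMIC     Fa0/3
   1    0200.0000.0012    DYNAMIC     Fa0/4
   1    f4f2.6d00.a86d    DYNAMIC     Fa0/7
""",
}

ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+(\w+)\s+(\S+)\s*$")

def canon(mac):
    """Reduce any MAC notation (dashes, colons, Cisco dots) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_mac_table(text):
    """Return {port: set_of_macs} from the table rows; headers are skipped."""
    ports = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and len(canon(m.group(2))) == 12:
            ports.setdefault(m.group(4), set()).add(canon(m.group(2)))
    return ports

def locate(target, tables, max_access_macs=2):
    """List (switch, port, mac_count, kind) for each port that learned target."""
    hits = []
    for switch, text in tables.items():
        for port, macs in parse_mac_table(text).items():
            if canon(target) in macs:
                kind = "access" if len(macs) <= max_access_macs else "uplink"
                hits.append((switch, port, len(macs), kind))
    return sorted(hits, key=lambda h: h[2])  # most likely access port first

if __name__ == "__main__":
    for hit in locate("f4-f2-6d-00-a8-6d", TABLES):
        print(hit)
```

The first result is the cable to check; a port marked "uplink" only says which neighbouring switch to query next.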
 
JustInCase Commented:
First suggestions are always simple ideas that have a chance to be easily implemented and tested. If the first suggestions, the simple ideas, are not successful, then try something else, harder to implement and with less obvious results.

So, I want to make a few points:
- When opening a ticket, why not write what you already tried, so as not to waste time (for either you or others)?
Getting answers about what you already tried is pointless. If I know what you have already tried, I would not suggest trying it.
- Specify the network equipment that is in use, since there can be a device-specific solution (for example, Cisco has Layer 2 Traceroute, which could solve your issue, but it is proprietary technology and the vendor of the devices is unknown).
There can always be some solution for such detection including creating DoS attack on that IP address and simply looking at lights on switch which light has changed blinking rate when attack started. :)
I guess there can be other solutions too...

Which leads us to another point:
- Simply delete the question if there are no useful suggestions. But I guess that leads us back to: when opening a ticket, write what you already tried.

:)
0
 
masnrock Commented:
Is the IP address that mystery device is using in use by another device? If so, then I would try to disconnect the known device if possible. That should keep the mystery device online, then you can work on tracking it down.
0
 
Yann Shukor (Owner, Author) Commented:
.
0
Question has a verified solution.