{"id":777,"date":"2009-04-08T09:42:05","date_gmt":"2009-04-08T13:42:05","guid":{"rendered":"http:\/\/www.schollnick.net\/wordpress\/?p=777"},"modified":"2009-04-08T09:42:05","modified_gmt":"2009-04-08T13:42:05","slug":"how-to-identify-a-remote-device","status":"publish","type":"post","link":"http:\/\/www.schollnick.net\/wordpress\/2009\/04\/how-to-identify-a-remote-device\/","title":{"rendered":"How to identify a remote device…"},"content":{"rendered":"

So, assume you have some unknown device hanging off your network. How you came to know about it irrelevant. Maybe you noticed some unusual protocols or traffic volume, maybe you suddenly lost connectivity to an entire segment. The next step is finding out what the device is. Is it a regular PC? Some sort of server? A switch, or perhaps a router?<\/p>\n

Who made it?<\/p>\n

One of the first – and easiest – things to find out about a device is who made it. All you need for this is the MAC address (or at least its IP address, for starters), which you can then check against the IEEE’s Organization Unique Identifier listings at http:\/\/standards.ieee.org\/regauth\/oui\/index.shtml.<\/a> If you only have the IP address, you can easily obtain its MAC address. Provided you’re currently on the same switched LAN and VLAN as your target device, all you need to do is create some traffic between yourself and your target. A simple ping will suffice. Then, retrieve the MAC address corresponding to its IP from your system’s ARP cache.<\/p>\n

C:\\> ping -n 1 192.168.10.16
\nPinging 192.168.10.16 with 32 bytes of data:<\/p>\n

Reply from 192.168.10.16: bytes=32 time=4ms TTL=64<\/p>\n

Ping statistics for 192.168.10.16:
\nPackets: Sent = 1, Received = 1, Lost = 0 (0% loss),
\nApproximate round trip times in milli-seconds:
\nMinimum = 4ms, Maximum = 4ms, Average = 4ms<\/p>\n

C:\\> arp -a 192.168.10.16<\/p>\n

Interface: 192.168.4.2 — 0x2
\nInternet Address\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Physical Address\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Type
\n192.168.10.16\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 00-0c-41-45-a9-d6\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 dynamic<\/p>\n

For a Macintosh, the ARP command would be:\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 arp 192.168.10.16\u00c2\u00a0\u00c2\u00a0 (no -a<\/strong> flag<\/strong>)<\/p>\n

Now head over to http:\/\/standards.ieee.org\/regauth\/oui\/index.shtml.<\/a> The first three segments of the mac address identify the hardware manufacturers identity…\u00c2\u00a0 For example, 00-30-48 is manufactured by Sun Micro Computer…\u00c2\u00a0 The 00-0c-41 is made by “Cisco-Linksys”.\u00c2\u00a0 If the Mac address starts with “00-50”, it is an IAB, otherwise it is an OUI.<\/p>\n

What is an OUI?\u00c2\u00a0 It is an Organization Unique Identifier, in otherwords, it identifies what manufacturer made the product.\u00c2\u00a0 An IAB, is similar but has a small block for unique IDs…<\/p>\n

Once you have the manufacturer, it should be easier to be able to identify the mysterious hardware….<\/p>\n","protected":false},"excerpt":{"rendered":"