First we need to see if we can find the device by listing the ARP table. This can be done several ways:
On Windows, arp -a will list all cached addresses; however, it is much more efficient to do it from your networking device.
Windows 7, 8, 10 / Server 2008, 2012
Running arp -a will list all the existing ARP entries.
You can also remove all the entries simply via:
c:\Windows\system32\arp -a -d
Sophos / Astaro UTM Firewall
In this case it is a Sophos UTM, accessed via the shell (enable shell access under the web GUI, Management, System) and then logging in.
With the Sophos you need to use ssh [email protected] and then elevate to root via sudo su.
ssh [email protected]
sudo su
Once you have logged in, simply run the arp command to list existing entries; however, I prefer to use arp -n so as not to wait for hostname resolution. If you know the type of device or its MAC address you can use grep to filter the results. In this case I know the MAC address from the printer's web interface, but if you know the particular manufacturer you can enter the first few bytes (the OUI) and find all devices made by HP, Brother, etc.
# arp -n | grep 10.0.2.90
10.0.2.90 ether b0:e8:92:f9:c7:13 C eth0
You can then use one of the many available online converters to find the manufacturer of the device: http://www.coffer.com/mac_find/ From the above we know that a starting MAC of B0:E8:92 is SEIKO EPSON CORPORATION, so for example if we wanted to search for all such devices in our ARP cache we could run the same command as above but grep for the MAC prefix instead of the IP, like so:
# arp -n | grep b0:e8:92
This would return all the Epson devices in our network. Try various vendors in your network to test it out.
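As an added example that is not part of the original article, here is a small shell helper that does the same OUI filtering over a Linux arp -n or Windows arp -a table, but ignores MAC case and separator style (a plain grep b0:e8:92 silently misses B0:E8:92 or b0-e8-92 entries). The ARP tables it runs on are constructed samples, not captured from a real network.

```sh
#!/bin/sh
# Added example: filter an ARP table by vendor OUI, case- and separator-insensitively.
# Handles Linux `arp -n` output (MAC in column 3) and Windows `arp -a` output (MAC in column 2).

# Constructed sample output (not captured from a real network).
SAMPLE_LINUX='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.2.90                ether   b0:e8:92:f9:c7:13   C                     eth0
10.0.2.15                ether   B0:E8:92:00:11:22   C                     eth0
10.0.2.1                 ether   00:1a:8c:12:34:56   C                     eth0
10.0.2.77                        (incomplete)                              eth0'

SAMPLE_WINDOWS='Interface: 10.0.2.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.2.90             b0-e8-92-f9-c7-13     dynamic
  10.0.2.1              00-1a-8c-12-34-56     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static'

# find_by_oui PREFIX: reads an ARP table on stdin, prints the IP of every entry whose
# MAC starts with PREFIX. PREFIX may be written as b0:e8:92, B0-E8-92 or b0e892.
find_by_oui() {
    want=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
    [ -n "$want" ] || return 1
    awk -v want="$want" '
    {
        # The MAC column differs between OSes, so inspect every field after the IP.
        for (i = 2; i <= NF; i++) {
            mac = tolower($i)
            gsub(/[:-]/, "", mac)
            # A MAC is exactly 12 hex digits once separators are removed.
            if (length(mac) == 12 && mac ~ /^[0-9a-f]+$/ &&
                substr(mac, 1, length(want)) == want) {
                print $1
                break
            }
        }
    }'
}

printf '%s\n' "$SAMPLE_LINUX" | find_by_oui B0-E8-92    # prints 10.0.2.90 and 10.0.2.15
```

Pipe a live table into it with arp -n | find_by_oui b0:e8:92 (or arp -a on Windows via a POSIX shell) to replace the grep above.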
If we don't know the IP address or the starting MAC address of the manufacturer, we can also use nmap, or nmap -O, to try to determine the operating system or manufacturer of the device(s) in the address block.
nmap -v -O 10.0.2.0/24
Another option is to look for all the ARP calls via tcpdump, another cross-platform tool that is native to the *nix series of operating systems and devices. Keep in mind you will need to know one of the following: the IP address of the device, an IP address of a system you control from which you can ping or send requests to the device, or the MAC address (or part of it) of the device or its manufacturer. Once again it is best to use grep to filter the results.
This command can be modified depending on the information you have. Before starting this process I recommend clearing your ARP cache or ARP table as above, so that when you ping or start the device it sends out an ARP request to the firewall asking who has the address. You can also do this by rebooting the device and clearing the ARP table on the firewall before powering it back on.
If you know the IP address of the device, or of the system you are pinging or running tracert from, specify that in the grep here:
# tcpdump -v arp | grep 10.0.2.90
14:38:46.872897 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has example-epson (b0:e8:92:f9:c7:13 (oui Unknown)) tell 10.0.2.1, length 46
14:38:46.872905 ARP, Ethernet (len 6), IPv4 (len 4), Reply example-epson is-at b0:e8:92:f9:c7:13 (oui Unknown), length 28
If you only know the manufacturer, use grep here to filter all requests (if on the firewall or switch):
# tcpdump -v arp | grep b0:e8:92
It's also possible to use promiscuous mode on your NIC on a security distro if you have the correct equipment and setup, but we won't get into that in this article.
Other Windows tools
If you're trying to find a particular process causing issues or communicating with your device above, I think you will find the following two commands helpful as well. While there are many third-party tools you can use, I prefer using built-in system commands as much as possible.
For example, if you needed to find a process that was communicating with your device, you can use netstat to list all connections with their owning process ID; simply note the process ID, and via tasklist you can then match that ID to the offending process or service.
> netstat -anon | more
> tasklist | more
I'm using the | more option above, but if you wanted to write the output to a text file (for searching or reference) simply redirect it to the file using the following:
> netstat -anon > c:\temp\myfile.txt
> tasklist >> c:\temp\myfile.txt
If you would like to make the above process more graphical, the only free tool I can recommend for Windows is Sysinternals Process Explorer.
Good Luck and feel free to leave me a comment.