It’s that time of year when I start poking around our network, trying to update the records that we keep of the various devices on it. Unfortunately, we do not use any fancy network tools that automatically map our local network to determine which machines are on it. However, it’s not difficult to figure out at least a little bit of information, and these are useful utilities to be familiar with. Here’s the process:
- Ping an address on your network.
- If you get a response, use the arp utility to find the MAC address of the device that responded.
- Paste the first six digits of the MAC address into a web page that will help you look up the manufacturer of the network card.
The image below describes the first part of this process on a Windows XP box. The process is similar on Linux or on Mac OS.
- Click on Start>Accessories>Command Prompt. This will bring up a DOS window.
- Once you’re in the command window, use ping to probe the address of interest: “ping xxx.xxx.xxx.xxx”. In the DOS world, this will automatically ping the target four times. If you’re running the command from Linux or from the Mac OS shell, it’s helpful to do “ping -c 4 xxx.xxx.xxx.xxx” to limit ping to four tries. Otherwise, you’ll need to hit Ctrl-C to stop the ping.
- Now that you’ve successfully pinged the host, you can check your ARP cache for the MAC address of the host. You do this by typing “arp -a”. Look for the address that you just pinged and make a note of the information in the “Physical Address” column. This is the MAC address for the device.
The MAC address is always presented as six two-digit hexadecimal numbers. In the DOS/Windows world, each pair of digits is separated by a dash. In Linux/OSX land, the pairs are separated by colons. In the example given, the first three pairs of digits are “00-12-79”. These digits uniquely identify the manufacturer of the card. Now we need to go look them up.
The authoritative source is here: http://standards.ieee.org/develop/regauth/oui/public.html
As you can see from the screen capture, you need to enter the three pairs of digits with dashes in between them. In this example, we would enter 00-12-79 into the box.
It will search for a bit and then return the results. The image shows that the device was manufactured by Hewlett Packard, which may help us determine that it is an HP printer. Of course, things can get more complicated when you have systems (like Windows) that don’t respond to pings or those situations where the network card manufacturer is not the manufacturer of the device itself. For those situations, you may want to try out the fabulous nmap to help you sort out what or who is on your network.
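The arp and lookup steps above can be scripted once you have more than a handful of hosts to record. The following is an added example, not part of the original post: it parses “arp -a” output in both the Windows (dash) and Linux/Mac OS (colon) layouts, goes slightly beyond the post by padding the leading zeros that Mac OS drops and skipping broadcast/multicast entries, and reports the vendor prefix. The sample output is constructed, and the OUI_VENDORS table is a stand-in for the IEEE registry that holds only the prefix looked up in this post.

```python
import re

# Constructed sample output; only the 00-12-79 prefix comes from the post.
WINDOWS_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.20          00-12-79-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
UNIX_ARP = """\
? (192.168.1.20) at 0:12:79:a:bb:cc on en0 ifscope [ethernet]
? (192.168.1.30) at (incomplete) on en0 ifscope [ethernet]
printer.lan (192.168.1.21) at 00:12:79:0a:0b:0c [ether] on eth0
"""

# Assumption: stand-in for the IEEE registry, holding one known prefix.
OUI_VENDORS = {"00-12-79": "Hewlett Packard"}

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(raw):
    """Return a MAC as upper-case, zero-padded, dash-separated octets."""
    octets = re.split(r"[:-]", raw)
    return "-".join(o.zfill(2).upper() for o in octets)

def parse_arp(text):
    """Return (ip, mac) for each unicast entry in `arp -a` output."""
    entries = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # header, interface line, or "(incomplete)" entry
        mac = normalize_mac(mac.group(1))
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast/multicast, not one device
        entries.append((ip.group(1), mac))
    return entries

def inventory(text, vendors=OUI_VENDORS):
    """Map each IP to (mac, vendor); the first three octets are the OUI."""
    return {ip: (mac, vendors.get(mac[:8], "unknown"))
            for ip, mac in parse_arp(text)}

if __name__ == "__main__":
    for sample in (WINDOWS_ARP, UNIX_ARP):
        for ip, (mac, vendor) in inventory(sample).items():
            print(f"{ip:15} {mac}  {vendor}")
```

A MAC address that appears on the network with a vendor prefix your records do not expect is a good prompt to go and find the device.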