Tuesday, March 13, 2012

Identifying devices on a switch (Without tracing wires)


You've got a bunch of computers and a bunch of network switches, but for some reason are unable to physically follow the wires connecting the two. For example, the wires could be going through walls or conduits and aren't labelled.


This solution hinges on the fact that your switches are the managed kind. That means they've got a little processing power and some sort of interface you can log in to.


The way we're going to figure out where what computer or service is plugged in to which port on a switch is by using the ARP cache.

First, you'll need the MAC (Physical) Address of the computer you're looking for. Every single device that connects to the internet has its own MAC Address... everything you do online can be tracked to that ID. Apparently we are all beautiful and unique snowflakes.

The quick way, is hopping on that computer and opening the Properties -> Details for the network adapter connected to the switch.

Usually found around Control Panel - Network Connections
OR, by typing:

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : *********
   Primary Dns Suffix  . . . . . . . : ********.lan
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ********.lan

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC326i PCIe Dual Port Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-26-55-7E-0E-69
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :

It's possible you don't have the option to pull up this information on the machine itself. We could be talking about a large office building, where it isn't practical to run floor to floor looking up MAC addresses, computers used by people too busy to be interrupted or devices with LAN ports but lacking a standard operating system.

If you don't have access to the machine, there's another way to find the MAC Address...

Ping the machine you're looking for from another machine on the network. (by IP or name) This gets that machine in to your ARP cache. If it blocks pings, you might have to access it another way... like opening a network share, a website or telnet-ing to an open port.


Pinging with 32 bytes of data:
Reply from bytes=32 time=1ms TTL=128

Next, we check our computer's ARP Cache to find the Physical address of the lost computer.

C:\Windows\System32>arp -a

Interface: --- 0xc
  Internet Address      Physical Address      Type          00-26-55-7e-0e-69     dynamic

Now that we know the address of the computer we're searching for, we have to check our switches. The more switches you have, the longer it could take to find... and this depends on your switches even having the ability to display this information.

Your switches will probably look different from mine... point being, log in.

Now you're looking for the "Address Table". It might be called something else on your switch. ARP Cache, Physical Address List, etc... Look for a table that shows MAC or Physical Addresses:

also, apparently the search feature on this switch IS case sensitive...

The interface shows which port that device is plugged in to. Or, more accurately, it shows what port it's seen that MAC address on... This is where knowing a little about your network layout becomes important, because you could actually find this address on multiple switches.

If I see this:

...but I know that port 23 actually goes to another switch, then obviously I'm in the wrong place, and need to check that switch instead. This is why you might see more devices than you have ports when you look at this table.

It's also possible to legitimately find a single MAC located on multiple switches. If a computer has multiple network cards "TEAMed" (meaning acting as one) it's possible they could show up with the same address. This becomes harder to track down... you might have to:

  1. Break the TEAM
  2. Assign an IP to each card
  3. Ping each IP separately to force them to communicate with their switch
  4. Look up their MACs
  5. Rebuild the TEAM
Obviously, this might not be possible in a production environment... multiple steps here will interrupt network communication to the server. (and don't forget to save the TEAM settings before removing it)

No comments:

Post a Comment