
Some tips to find rogue devices on your network

Any unknown entity on your network is bad, and this is especially true for rogue devices. There are a variety of ways to protect your network from rogue devices, but honestly most small and medium businesses don’t have the resources to do this. If you’re a network person with good switches you could track these devices down to a physical switch port fairly easily. However, if you have unmanaged switches (yes, they still exist) or don’t know how to follow MAC addresses on a switch, you may have to use other methods for your investigation.

To assist in finding rogue devices on your network, it is helpful to determine the vendor for a MAC address. First, you will need to know the IP address of the rogue device. Chances are you already know the IP because you know this rogue device exists. Often these devices are found when you try to add an IP to a device on your network and find the IP is already in use.

Once you have the IP, a protocol named ARP can be used to determine the MAC address. If you’re on a Windows machine, do the following:

  1. Go to the command prompt.
  2. Ping the rogue device. It doesn’t matter if there are replies, this step gets the MAC address in your ARP table.
  3. Type the following command: arp -a
    1. Here is a sample output:
       Internet Address      Physical Address      Type
       <rogue device IP>     00-03-ff-d1-19-04     dynamic
    2. The MAC address is the Physical Address listed as 00-03-ff-d1-19-04
  4. Take the MAC address and enter it into a tool or website that lets you know the manufacturer. I use this website for my vendor lookups, but there are others out there.
    1. Using the sample address from above I got the following vendor info returned:
      Prefix      Vendor
      0003FF   Microsoft Corporation (was: Connectix)
  5. Now that I know the vendor of the network card I have some clues as to what kind of device the rogue element is.
    1. Knowing the vendor is Microsoft narrows down my search, since the network cards in physical computers won’t show Microsoft as the vendor.
    2. In this case I can assume it is coming from a Windows Virtual PC, since this is the most likely device on my network to show up with a Microsoft MAC address.
    3. This device is actually a Windows Virtual PC running on my laptop for testing purposes. I used this example specifically because I am seeing more and more rogue virtual machines created by IT staff in various companies.
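The steps above can be scripted so the lookup is repeatable. The following is an added example, not code from the original post: it parses `arp -a` output in both the Windows (dash-separated) and Unix (colon-separated) formats, pulls out the MAC for the IP you are investigating, and checks the OUI prefix against a small vendor table. Only the 0003FF / Microsoft entry comes from the article; the rest of the table, the sample ARP output and the IP addresses in it are constructed for this example, and a real lookup would consult the full IEEE OUI registry or a vendor-lookup site as the post describes. The script also flags two cases where a vendor lookup cannot help: multicast or broadcast entries (not real hosts) and locally administered addresses (randomized or self-assigned MACs, which carry no vendor prefix).

```python
import re
import subprocess

# Constructed mini OUI table for offline use. Only the 0003FF entry is taken from
# the article; a real investigation would use the IEEE OUI registry (assumption).
OUI_TABLE = {
    "0003FF": "Microsoft Corporation (was: Connectix)",
}

# Matches MACs in Windows (00-03-ff-d1-19-04) and Unix (00:03:ff:d1:19:04) form.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of Windows `arp -a` output (IPs and the a4-... MAC are made up).
SAMPLE_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-b1-c2-d3-e4-f5     dynamic
  192.168.1.77          00-03-ff-d1-19-04     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of Linux/BSD `arp -a` output for the same rogue host.
SAMPLE_UNIX = "? (192.168.1.77) at 00:03:ff:d1:19:04 [ether] on eth0\n"


def normalize_mac(mac):
    """Return the MAC as 12 uppercase hex digits with no separators."""
    return re.sub(r"[-:]", "", mac).upper()


def parse_arp_table(text):
    """Parse `arp -a` output (Windows or Unix style) into {ip: normalized_mac}.

    Lines without both an IPv4 address and a MAC (e.g. the Windows
    'Interface:' line and column headers) are skipped.
    """
    entries = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        ip = IP_RE.search(line)
        if mac and ip:
            entries[ip.group(1)] = normalize_mac(mac.group(1))
    return entries


def classify_mac(mac):
    """Describe a normalized MAC: vendor name, or why no vendor lookup applies."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        # Low bit set = group address: broadcast or multicast, not a host NIC.
        return "multicast/broadcast (not a real host)"
    if first_octet & 0x02:
        # Locally administered bit set: randomized (phone privacy MACs) or
        # self-assigned addresses. The OUI registry says nothing useful here.
        return "locally administered (randomized or self-assigned, no vendor)"
    return OUI_TABLE.get(mac[:6], "unknown vendor (prefix not in table)")


def investigate(arp_text, target_ip):
    """Steps 3-4 of the post: find the MAC for target_ip and look up its vendor."""
    mac = parse_arp_table(arp_text).get(target_ip)
    if mac is None:
        return None  # ping the host first so it lands in the ARP table
    return {"ip": target_ip, "mac": mac, "vendor": classify_mac(mac)}


if __name__ == "__main__":
    import sys
    # Usage: python find_rogue.py <ip>  -- runs the real `arp -a` on this machine.
    if len(sys.argv) == 2:
        output = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
        print(investigate(output, sys.argv[1]))
    else:
        print(investigate(SAMPLE_WINDOWS, "192.168.1.77"))
```

Run it with no arguments to see the worked result for the article's sample MAC, or with an IP to parse the live ARP table of the machine you are on (after pinging the suspect IP, as in step 2). The locally-administered check is the caveat worth remembering: a MAC with that bit set usually belongs to a device that randomizes its address, so a vendor lookup will come back empty and you will need another approach.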

Using the above method can dramatically cut down the investigation time to find rogue devices. Yes, it is much quicker and easier to track rogue devices through managed switches. However, as I mentioned before, this is not always a possibility.

  1. Hemant Bhatt
    December 15, 2011 at 02:01

    Thanks for the article!
    Since yesterday a device in our network was taking IP of our gateway which was causing internet disruption. We were able to get the MAC address but had no clue on how to move ahead. Reading your article informed me that we can actually get vendor information from MAC address. Ran this faulty MAC address and it turned out to be a Samsung device.

    Then it was pretty easy to shortscan the smart phones in office.

  2. January 15, 2014 at 20:07

    What’s up, I wish for to subscribe for this web site to obtain hottest updates, thus where can I do it please help.

  3. April 19, 2014 at 00:48

    Very good article! We are linking to this great content on our
    website. Keep up the good writing.

  4. June 21, 2016 at 13:23

    Hey, You could have done an admirable job. I will absolutely stumbleupon it plus our would suggest for you to my friends.. Changing My IP Address Almost certainly they’ll be benefited from this web site.

  5. Lostincyberspace
    April 6, 2017 at 05:21

    What if I can detect on my home wireless networks an IP that is in the wrong sequence to have been assigned to my router? All I have is the IP. Since it doesn’t talk to my router I don’t know how to get the MAC address. It talks to my computer (which has updates from nearby devices disabled, in case that could cause this). How can I prevent this?
