
We're having a look through our firewall traffic on the Domain, and some unknown IPs keep appearing. Having a look through DNS, DHCP, ping and tracert also provides no insight, as they don't appear to be tied to any specific domain item (server, pc, or otherwise).

It's possible that these IPs may be pointing to some external devices, like a modem or a printer, or that they're even used in internal routing.

Is there any way that we can identify what is using this IP?

1 Answer

Let's assume you already know which subnet the addresses belong to (if you have more than one subnet, that is) – that can be easily discovered by checking routing tables.

Learn the device's MAC address (use arp -an, ip neigh, arping... on a PC on the same subnet), and check its prefix against IEEE's OUI table. (There are various "OUI lookup" websites.) While the result isn't always the same as the whole device's manufacturer, it's still fairly common.

Having the MAC address, connect to one of your 'managed' / 'smart' switches and search its "MAC table" for the address – you'll find out the switch port that it was last seen on. If that port goes to another managed switch, repeat the process, until there are no more switches that can be asked.

If you still end up with a large piece of network to search (or if the subnet doesn't have any managed switches), and aren't afraid of some downtime, cut the network in half and check which half can still reach the mysterious address. Repeat until found.

  • I used arp -a (-an was not recognized on Windows), and it didn't list the address(es) we were searching for. We know the full IP, so we're searching on the right subnet. – Ben, Sep 30, 2016 at 5:25
  • I tried using arp -a again, which did bring up one of the IPs we were searching for. Traced the MAC address and it was coming from one of the phones (VoIP). Does the list capture all IPs, or just the ones currently sending/receiving traffic? – Ben, Sep 30, 2016 at 6:43
  • @Ben: Both the ARP table in hosts and the MAC table in switches are caches and only show addresses "recently communicated with". (You can just ping the mysterious IP though, and the MAC will appear in the cache. Alternatively, using arping actively asks the host.) – Sep 30, 2016 at 6:49
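The ARP-cache and OUI steps from the answer, together with the comment that these tables are only caches, as an added Python example (not the answerer's code): it parses constructed `arp -a` (Windows) and `ip neigh` (Linux) output, normalizes each MAC, flags multicast addresses that can never belong to a single device, and looks the prefix up in a small constructed OUI table.

```python
import re

# Constructed sample output (not from the question's network) in the two
# formats the answer mentions: Windows "arp -a" and Linux "ip neigh".
SAMPLE_WINDOWS_ARP = """Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-50-56-aa-bb-cc     dynamic
  192.168.10.77         00-04-f2-11-22-33     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
SAMPLE_IP_NEIGH = """192.168.10.77 dev eth0 lladdr 00:04:f2:11:22:33 REACHABLE
192.168.10.1 dev eth0 lladdr 00:50:56:aa:bb:cc STALE
192.168.10.200 dev eth0  FAILED
"""
# Tiny constructed stand-in for the IEEE OUI registry; a real check uses the
# full list (oui.txt) or an OUI lookup site, as the answer suggests.
OUI_TABLE = {"005056": "VMware, Inc.", "0004F2": "Polycom"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")

def normalize_mac(mac):
    """Canonical form: 12 upper-case hex digits, no separators."""
    return mac.replace("-", "").replace(":", "").upper()

def parse_neighbors(text):
    """Map IP -> MAC from arp/ip-neigh output. Lines without a MAC (the Interface
    header, FAILED/incomplete entries) are skipped: a quiet host just isn't listed."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table

def identify(ip, neighbors, oui_table=OUI_TABLE):
    """Classify an IP as uncached, multicast (not one device) or unicast + vendor."""
    mac = neighbors.get(ip)
    if mac is None:
        return {"ip": ip, "mac": None, "kind": "uncached", "vendor": None}
    # Low bit of the first octet set => group (multicast/broadcast) address.
    kind = "multicast" if int(mac[:2], 16) & 1 else "unicast"
    return {"ip": ip, "mac": mac, "kind": kind, "vendor": oui_table.get(mac[:6])}

if __name__ == "__main__":
    cache = parse_neighbors(SAMPLE_WINDOWS_ARP)
    for ip in ("192.168.10.77", "224.0.0.22", "192.168.10.200"):
        print(identify(ip, cache))
```

An "uncached" result is the situation from the comments: ping or arping the address first, then re-run the parser on fresh output.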
