
Finding An IP Address With Wireshark Using ARP Requests: Generate ARP Traffic Upon Startup

Using Wireshark, there are two main ways to discover the IP address of an unknown host on a network:

1. Analyze ARP requests generated by the host when it comes online by filtering for ARP traffic in Wireshark and inspecting the sender IP and MAC addresses.
2. Capture DHCP traffic by filtering for UDP port 67 and inspecting the DHCP options, such as the requested IP address, which will usually match the address assigned to the host.

These methods allow identification of the IP address of devices even if they have static addresses by analyzing the network protocols used for address resolution and allocation.

Uploaded by

Nguyen Bui

Finding an IP address with Wireshark using ARP requests

Address Resolution Protocol (ARP) requests can be used by Wireshark
to get the IP address of an unknown host on your network. ARP is a
broadcast request that’s meant to help the client machine map out the
entire host network.

ARP is slightly more foolproof than using a DHCP request – which I’ll
cover below – because even hosts with a static IP address will
generate ARP traffic upon startup.

To pull an IP address of an unknown host via ARP, start Wireshark and
begin a session with the Wireshark capture filter set to arp, as shown
above.

Then wait for the unknown host to come online. I’m using my cell phone
and toggling the WiFi connection on and off. Regardless, when an
unknown host comes online it will generate one or more ARP requests.
Those are the frames you should look for.

Once you’ve spotted the request, click on it. Use Wireshark’s Packet
details view to analyze the frame. Look at the Address resolution
protocol section of the frame, especially the Sender IP
address and Sender MAC address.

In this case, you can see my phone received an IP address of
192.168.1.182 from the router, and you can identify the device as an
Apple phone by looking at the vendor OUI.
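
The fields read from the Packet details view above can also be pulled from the raw frame. This is an added example, not part of the original article: it parses an Ethernet ARP frame and goes slightly beyond the text by handling ARP probes (sender IP 0.0.0.0, where the host's address is in the target field) and by flagging locally administered MACs, for which an OUI lookup says nothing about the vendor. The MAC addresses and sample frames are constructed; only 192.168.1.182 comes from the article.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806

def parse_arp_frame(frame: bytes):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    sender_ip, target_ip = ipaddress.IPv4Address(spa), ipaddress.IPv4Address(tpa)
    if oper == 2:
        kind = "reply"
    elif int(sender_ip) == 0:
        kind = "probe"         # RFC 5227: sender IP is 0.0.0.0, candidate is the target IP
    elif sender_ip == target_ip:
        kind = "announcement"  # gratuitous ARP for the host's own address
    else:
        kind = "request"
    return {
        "kind": kind,
        "host_ip": str(target_ip if kind == "probe" else sender_ip),
        "sender_mac": sha.hex(":"),
        "oui": sha[:3].hex(":"),
        # Locally administered bit set: typically a randomized/private MAC,
        # so the OUI does not identify a vendor.
        "locally_administered": bool(sha[0] & 0x02),
    }

def build_arp_sample(mac, sender_ip, target_ip, oper=1):
    """Constructed broadcast ARP frame (not captured traffic)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + hw + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + hw
    arp += ipaddress.IPv4Address(sender_ip).packed + bytes(6)
    return eth + arp + ipaddress.IPv4Address(target_ip).packed

# Constructed samples: a startup probe, then an ordinary request for the gateway.
ARP_PROBE = build_arp_sample("02:11:22:33:44:55", "0.0.0.0", "192.168.1.182")
ARP_REQUEST = build_arp_sample("00:00:5e:00:53:10", "192.168.1.182", "192.168.1.1")

if __name__ == "__main__":
    for sample in (ARP_PROBE, ARP_REQUEST):
        print(parse_arp_frame(sample))
```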

Wireshark IP address puller using DHCP requests


Another easy way to determine the IP address of an unknown host on
your network is to use DHCP traffic. This method only works if the host
requests an IP address.

If you’re dealing with a situation where someone has put a malicious
physical network device on your corporate network, this method isn’t
recommended – they’ve likely set a static address. But for normal use, it
works just as well as ARP.

To capture DHCP traffic, I like to start a new session with no capture
filter and set the Wireshark display filter to udp.port==67 as shown
above. Then wait for the unknown host to come online and request an IP
address from your DHCP server.

You can also force every host on your network to request a new IP
address by setting the lease time to an hour or two and capturing
network traffic. In this case, you’d want to browse through hostnames
until you find the target client.

Note that the frame I captured has a source IP address of 0.0.0.0. This is
normal until the host is assigned a valid IP address by the DHCP server.

Click on the captured frame, and look at the Packet details view.
Browse until you’ve found the entry for Bootstrap protocol and click the
arrow to expand it.

Scroll through the list of options until you find the Requested IP
address, which shows what the DHCP server has attempted to assign.
In just about every case this correlates to the IP address of the host
machine, despite the fact it’s phrased as a request.

You can also find a handful of other useful options like the IP address
lease time and Host name of the unknown client requesting an
address.
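
The options named above sit in a type-length-value list after the fixed 236-byte Bootstrap header. This is an added example, not part of the original article: it walks that list in a UDP port 67/68 payload and extracts the message type (option 53), Requested IP address (50), Host name (12) and lease time (51). It goes beyond the text by also reading the yiaddr header field, which carries the address the server actually hands out in its ACK, so the client's request can be checked against it. The MAC address, hostname and sample messages are constructed.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # marks the start of DHCP options after the BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes):
    """Parse a UDP 67/68 payload; return the fields discussed above, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    info = {"client_mac": payload[28:34].hex(":"),
            "yiaddr": str(ipaddress.IPv4Address(payload[16:20]))}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = End option
        code = payload[i]
        if code == 0:                                  # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            break                                      # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                      # truncated option body
        i += 2 + length
        if code == 53 and length == 1:
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 50 and length == 4:
            info["requested_ip"] = str(ipaddress.IPv4Address(value))
        elif code == 12:
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 51 and length == 4:
            info["lease_seconds"] = struct.unpack("!I", value)[0]
    return info

def build_dhcp_sample(op, mac, yiaddr, options):
    """Constructed sample message (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0) + bytes(4)
    hdr += ipaddress.IPv4Address(yiaddr).packed + bytes(8)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(192)
    opts = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return hdr + MAGIC + opts + b"\xff"

IP = ipaddress.IPv4Address("192.168.1.182").packed
DHCP_REQUEST = build_dhcp_sample(1, "00:00:5e:00:53:10", "0.0.0.0",
                                 [(53, b"\x03"), (50, IP), (12, b"example-phone")])
DHCP_ACK = build_dhcp_sample(2, "00:00:5e:00:53:10", "192.168.1.182",
                             [(53, b"\x05"), (51, struct.pack("!I", 3600))])
```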

Getting the IP address of an unknown host with Wireshark

Those two methods are sure-fire ways to find the IP address of an
unknown host. Depending on your network, there may be others. For
instance, sending out a broadcast ping will work in some situations when
you share a collision domain with the host. But especially for home
networking, where all devices are more or less directly connected to a
switch, analyzing ARP and DHCP requests are the best choices for
discovering an IP address.

Link:

https://www.comparitech.com/net-admin/wireshark-ip-address-unknown-host/
