You will frequently need to identify where on the network a device or piece of equipment is connected. This type of reconnaissance can usually be accomplished using information gleaned from typical network protocols and applications.
The process consists of tracing the hardware (MAC) address of a piece of equipment to the switch port that it is connected to. If the corresponding IP address is known, the MAC address can be determined by checking the ARP cache of a computer that can communicate with the device. For example, to determine where a device with the IP address 192.168.1.100 is located, you would first make sure that a computer on the same IP network has learned its MAC address, for example by pinging the device, and then read the MAC address from that computer's ARP cache.
C:\>ping 192.168.1.100
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time<1ms TTL=255
Reply from 192.168.1.100: bytes=32 time<1ms TTL=255
Reply from 192.168.1.100: bytes=32 time<1ms TTL=255
Reply from 192.168.1.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>arp -a
Interface: 192.168.1.7 --- 0xb
Internet Address Physical Address Type
192.168.1.1 c0-ea-e4-ec-2e-5a dynamic
192.168.1.100 00-50-B6-68-0F-C1 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Once you learn the MAC address (00-50-B6-68-0F-C1 in the example above), you can check the MAC Address Table of the LAN switch to determine which switch port or interface that MAC address was learned on. This should indicate the port or interface that the equipment is directly connected to. In this example, the device with the MAC address 00-50-B6-68-0F-C1 (shown by the switch as 0050.B668.0FC1) is connected to switch port gi1/0/16.
switch#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
1 2852.61f9.3d98 DYNAMIC Gi1/0/1
1 c4b9.cdd6.f030 DYNAMIC Gi1/0/10
1 0050.B668.0FC1 DYNAMIC Gi1/0/16
1 0000.7478.d5fc DYNAMIC Gi1/0/25
1 0000.aaad.15e6 DYNAMIC Gi1/0/22
1 0000.aaad.1629 DYNAMIC Gi1/0/12
1 0000.aaad.1650 DYNAMIC Gi1/0/46
1 0000.aaad.168c DYNAMIC Gi1/0/11
1 0000.aaad.16b4 DYNAMIC Gi1/0/44
1 0000.aaad.1830 DYNAMIC Gi1/0/19
1 0000.aaad.2d05 DYNAMIC Gi1/0/24
1 0000.aae4.a170 DYNAMIC Gi1/0/24
1 0001.e64f.f534 DYNAMIC Gi1/0/24
--More--
In larger environments where several switches are interconnected, you may be directed to a port that connects to a different switch. This is usually indicated by several MAC addresses all being associated with the same switch port. In the example above, several MAC addresses are associated with switch port gi1/0/24. You could physically trace the cable connected to port gi1/0/24 to the next switch. Alternatively, you could use network management protocols, such as the Cisco Discovery Protocol (CDP) or the Link Layer Discovery Protocol (LLDP), to determine which switch is connected to that port.
switch#show cdp neighbors detail
-------------------------
Device ID: switch1
Entry address(es):
IP address: 192.168.1.5
Platform: cisco WS-C2960X-48FPD-L, Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/24, Port ID (outgoing port): GigabitEthernet1/0/48
Holdtime : 159 sec
Version :
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 21-Feb-14 05:54 by prod_rel_team
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022501000000000000E0899D2D2280FF0000
VTP Management Domain:
Native VLAN: 1
Duplex: full
Management address(es):
IP address: 192.168.1.5
-------------------------
In this scenario, you would next log on to the switch (switch1 – 192.168.1.5) connected to port gi1/0/24 of the first switch and repeat the same process of checking the MAC Address Table. Continue this procedure for each subsequent switch until you find the dedicated port that the device plugs into directly, which completes the end-to-end path across the network.
These basic techniques are not only useful in determining where equipment is located on a network, but can also be used to develop a diagram of the logical network topology as part of a discovery process.
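The procedure above can be scripted once the command output has been collected. The following is an added example, not part of the original article: the function names are hypothetical, the sample text is constructed by abridging the outputs shown above, and it assumes the switch abbreviates interface names to two letters (GigabitEthernet1/0/24 becomes Gi1/0/24).

```python
import re
from collections import Counter

# Constructed sample data, abridged from the command outputs shown in the article.
ARP_OUTPUT = """\
  192.168.1.1           c0-ea-e4-ec-2e-5a     dynamic
  192.168.1.100         00-50-B6-68-0F-C1     dynamic
"""
MAC_TABLE = """\
   1    0050.B668.0FC1    DYNAMIC     Gi1/0/16
   1    0000.aaad.2d05    DYNAMIC     Gi1/0/24
   1    0000.aae4.a170    DYNAMIC     Gi1/0/24
   1    0001.e64f.f534    DYNAMIC     Gi1/0/24
"""
CDP_DETAIL = """\
Device ID: switch1
  IP address: 192.168.1.5
Interface: GigabitEthernet1/0/24,  Port ID (outgoing port): GigabitEthernet1/0/48
"""

def norm_mac(mac):
    """Reduce any notation (00-50-B6-.., 0050.B668..) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def mac_for_ip(arp_text, ip):
    """MAC for `ip` from Windows `arp -a` output, or None if not yet learned."""
    for f in map(str.split, arp_text.splitlines()):
        if len(f) == 3 and f[0] == ip:
            return norm_mac(f[1])
    return None

def locate(mac_table_text, mac):
    """Return (port, macs_on_port); several MACs on one port suggest an inter-switch link."""
    rows = [r for r in map(str.split, mac_table_text.splitlines())
            if len(r) == 4 and r[2] == "DYNAMIC"]
    per_port = Counter(r[3] for r in rows)
    for _vlan, addr, _type, port in rows:
        if norm_mac(addr) == mac:
            return port, per_port[port]
    return None, 0

def cdp_neighbor(cdp_text, port):
    """Return (device_id, ip) of the CDP neighbor on `port`, or None if there is none."""
    for entry in re.split(r"^-{5,}$", cdp_text, flags=re.M):
        dev = re.search(r"Device ID:\s*(\S+)", entry)
        ip = re.search(r"IP address:\s*(\S+)", entry)
        intf = re.search(r"^Interface:\s*([A-Za-z]+)([\d/]+),", entry, re.M)
        # Assumption: the MAC table shows the first two letters of the interface type.
        if dev and intf and intf.group(1)[:2] + intf.group(2) == port:
            return dev.group(1), ip.group(1) if ip else None
    return None
```

If `locate` reports more than one MAC address on the port, pass that port to `cdp_neighbor` to find the next switch to log on to, then run `locate` against that switch's table.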