Find Mac or IP address of device in remote switch

Unanswered Question
Feb 19th, 2010


We have a switch in a remote site and have identified that int fast 0/5 is up but we think the device at the other end has been configure with the wroing address or something.  When we do a sh mac-add or sh arp we can identify the mac address and IP's in the tables, but nothig for this device, is there anything else we can do to see what IP it may of have or mac address?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kevin Dorrell Fri, 02/19/2010 - 02:53

You can use show mac-address int F0/5 to find out if the attached device is generating any frames, and to find its MAC address.  However, the ARP table of the switch will not tell you anything unless it is a layer 3 switch that the attached device is using as a gateway.

Be aware also that a PC in standby will show the port as being up, but not generate any frames.  If you really want to catch the MAC address but the PC is used only occasionally, then enable port-security on the port and make it sticky.

If the device has a wrongly configured IP address, one way to find it would be an RSPAN.

Kevin Dorrell


Andy White Fri, 02/19/2010 - 03:24

What is RSPAN?

I did think about spanning a port to a server at that site and using wireshark?

cristip Fri, 02/19/2010 - 04:12

The device will not appear in the arp table if the TCP/IP stack is not configured.

First of all he should have a look at the interface counters to see if there is any traffic.

More complicated methods involve RSPAN or other forms of sniffing.

Andy White Fri, 02/19/2010 - 05:18

i did clear the counters a couple of hours ago and this is what it shows:

Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
   0 packets input, 0 bytes, 0 no buffer
   Received 0 broadcasts (0 multicast)
   0 runts, 0 giants, 0 throttles
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
   0 watchdog, 0 multicast, 0 pause input
   0 input packets with dribble condition detected
   10996 packets output, 840289 bytes, 0 underruns
   0 output errors, 0 collisions, 2 interface resets
   0 babbles, 0 late collision, 0 deferred
   0 lost carrier, 0 no carrier, 0 PAUSE output
   0 output buffer failures, 0 output buffers swapped out

Kevin Dorrell Fri, 02/19/2010 - 05:35


So it looks like whatever it is, it is sleeping.  Your best bet would be either to ask someone on the remote site, or to put sticky port-security on the port to try and capture the MAC address.  The prefix of the MAC address could give you some clues.

Kevin Dorrell


cristip Fri, 02/19/2010 - 06:27

I wouldn't say it is sleeping. There is some traffic going out.

However if you want to wake up the network card you can just disable(shutdown) and later enable (no shutdown) the port. If the workstation is configured for DHCP most probably it will try to get an IP again.

Kevin Dorrell Fri, 02/19/2010 - 07:12

I would still say it is sleeping.  A PC in standby will make the link "up", but will not generate any traffic.  The output packets are just the background noise - broadcasts etc. - on the VLAN, plus link frames from the switch.  It does not mean the device is actually listening to them.

If it is a PC in standby, then shut and no shut will not wake it up.  You would need a WoL magic packet for that.

Kevin Dorrell


cristip Fri, 02/19/2010 - 07:57

In that case would the sleeping computer need to send out packets? It may need but would those be with or without a MAC Src Address ?

How does the switch know that it has connection on that port? Does it know it via L1 or L2?

However the shut/no shut method worked for me many times.


This Discussion