Jul 20th, 2010

Can someone help me figure out how to track down this rogue device on the network? I noticed it in my Kiwi Syslog server. It shows a hostname of I can ping it, but I cannot seem to locate it. I have tried using Nmap with the following results:

Starting Nmap 5.30BETA1 ( ) at 2010-07-15 09:02 Eastern Daylight Time
NSE: Loaded 117 scripts for scanning.
Initiating Ping Scan at 09:02
Scanning [7 ports]
Completed Ping Scan at 09:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.00s elapsed
Initiating SYN Stealth Scan at 09:02
Scanning [1000 ports]
Completed SYN Stealth Scan at 09:02, 0.16s elapsed (1000 total ports)
Initiating UDP Scan at 09:02
Scanning [1000 ports]
Discovered open port 123/udp on
Completed UDP Scan at 09:02, 4.25s elapsed (1000 total ports)
Initiating Service scan at 09:02
Scanning 1000 services on
Service scan Timing: About 0.40% done
Discovered open port 161/udp on
Discovered open|filtered port 161/udp on is actually open
Service scan Timing: About 3.30% done; ETC: 10:20 (1:15:42 remaining)
Service scan Timing: About 6.30% done; ETC: 10:03 (0:57:45 remaining)
Service scan Timing: About 9.30% done; ETC: 09:57 (0:50:23 remaining)
Service scan Timing: About 93.30% done; ETC: 09:46 (0:02:58 remaining)
Completed Service scan at 09:46, 2638.84s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.05s elapsed
NSE: Script scanning
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:46
NSE Timing: About 96.30% done; ETC: 09:59 (0:00:30 remaining)
NSE Timing: About 96.30% done; ETC: 10:00 (0:00:31 remaining)
NSE Timing: About 96.30% done; ETC: 10:21 (0:01:17 remaining)
Completed NSE at 10:21, 2078.55s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 5.02s elapsed
NSE: Script Scanning completed.
Nmap scan report for
Host is up (0.00s latency).
Not shown: 1000 closed ports, 998 open|filtered ports
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|   receive time stamp: 07/15/10 09:46:36
|   system: cisco
|   leap: 0
|   stratum: 2
|   rootdelay: 25.53
|   rootdispersion: 6.96
|   peer: 511
|   refid:
|   reftime: 0xCFE98F9B.EF8BC22B
|   poll: 6
|   clock: 0xCFE98FB1.E0211428
|   phase: -0.462
|   freq: -176.82
|_  error: 0.75
161/udp open  snmp    Cisco SNMP service
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
Network Distance: 2 hops

Host script results:
|_ipidseq: Randomized
| qscan:
| PORT   FAMILY  MEAN (us)  STDDEV  LOSS (%)
| 1      0       62.50      0.53    0.0%
| 3      0       62.80      0.42    0.0%
|_65389  0       62.30      0.48    0.0%

TRACEROUTE (using port 113/tcp)
HOP RTT      ADDRESS
1   0.00 ms
2   0.00 ms

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 4739.89 seconds
           Raw packets sent: 13027 (543.796KB) | Rcvd: 1022 (41.304KB)

It looks like the router hop goes off of one of my L3 switches, but when I do a "sh arp | include", I don't get anything. How can I track this down to a port?

I have already looked at the ARP table on the router ( and there is no entry.


Jennifer Halim Wed, 07/21/2010 - 13:53

Does your L3 switch have an interface VLAN configured in the subnet? If it doesn't, then you wouldn't be able to check the MAC address of with the "show arp" command. From the Nmap output, it seems to be a wireless access point (Cisco Aironet 1231G WAP (IOS 12.3)).

oneirishpollack Thu, 07/22/2010 - 05:31

Thanks for the reply.

Yes, the L3 switch utilizes VLANs and SVIs for internal routing. I guess one of the reasons I am confused is that the router does have the following addresses in its ARP table:

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet              20   0001.a003.d235  ARPA   Vlan92
Internet              9   001e.c952.6478  ARPA   Vlan30
Internet           60   0019.3176.28fe  ARPA   Vlan7
Internet               -   0012.d94b.bc4a  ARPA   Vlan80
Internet             18   001b.23df.3382  ARPA   Vlan30
Internet             170   0000.4835.57dd  ARPA   Vlan90
Internet            9   001b.d59a.71a0  ARPA   Vlan7

So why can it record MAC addresses for these devices, but not the

Our VLANS are subnetted as follows: " is subnetted, 14 subnets"

Ultimately, if it were you, how would you try and track down this device?

Jennifer Halim Thu, 07/22/2010 - 09:43

The router has the ARP entries for all those VLAN because the router has interfaces in those VLANs.

You would need to have an interface in on the router for the router to be able to show you the ARP entries in that particular subnet/vlan.

If you check the output of "show ip int brief" on the router, you would see that the ARP entries you see on the router correspond to the VLAN interfaces configured on the router. You probably do not have an interface from on the router, hence you don't see any ARP entries for that subnet on the router.

Hope that makes sense.
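
The IP -> MAC -> port walk described above, as an added example that is not part of this thread or of Cisco's software: a Python script that parses IOS "show arp" and "show mac address-table" output and reports where the chain breaks, including the case discussed here where the router has no SVI in the subnet and therefore no ARP entry. The two device outputs, the addresses, the port names and the neighbor name access-sw-2 are constructed samples in the standard IOS column layout, not the poster's real tables.

```python
"""Map an IP address to a switch port from IOS 'show arp' and
'show mac address-table' output.

Added example for this thread, not Cisco code.  The device outputs below
are constructed samples in the standard IOS column layout; the addresses,
ports and the neighbor name 'access-sw-2' are invented."""
import re

# Constructed 'show arp' from an L3 switch that only has SVIs for VLANs
# 30, 80 and 92.  A host in a subnet with no SVI here never gets an entry.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.4.92.15              20   0001.a003.d235  ARPA   Vlan92
Internet  10.4.30.7                9   001e.c952.6478  ARPA   Vlan30
Internet  10.4.80.1                -   0012.d94b.bc4a  ARPA   Vlan80
"""

# Constructed 'show mac address-table' from the same switch.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    001e.c952.6478    DYNAMIC     Gi1/0/7
  80    0012.d94b.bc4a    STATIC      CPU
  92    0001.a003.d235    DYNAMIC     Gi1/0/52
Total Mac Addresses for this criterion: 3
"""

# Constructed: uplink ports and the switch behind each one, as you would
# read them from 'show interfaces trunk' and 'show cdp neighbors'.
TRUNK_PORTS = {"Gi1/0/52": "access-sw-2"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\d+(?:\.\d+){3})\s+(\S+)\s+" + MAC
                    + r"\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)", re.I)


def parse_arp(text):
    """ip -> {'mac', 'age', 'interface'}; age '-' marks the device's own SVI."""
    out = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            out[ip] = {"mac": mac.lower(), "age": age, "interface": iface}
    return out


def parse_mac_table(text):
    """mac -> {'vlan', 'type', 'port'} (header and footer lines are skipped)."""
    out = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            out[mac.lower()] = {"vlan": int(vlan), "type": kind, "port": port}
    return out


def locate(ip, arp_text=SHOW_ARP, mac_text=SHOW_MAC_TABLE, trunks=TRUNK_PORTS):
    """Walk IP -> MAC -> port and say what to do next when the chain breaks."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return {"ip": ip, "status": "no-arp",
                "next": "no SVI in that subnet on this box; find who routes it "
                        "('show ip route <ip>') and run 'show arp' there"}
    entry = arp[ip]
    mac = entry["mac"]
    if entry["age"] == "-":
        return {"ip": ip, "mac": mac, "status": "self",
                "next": f"{ip} is this device's own {entry['interface']} address"}
    cam = parse_mac_table(mac_text)
    if mac not in cam:
        return {"ip": ip, "mac": mac, "status": "no-cam",
                "next": "CAM entry aged out; ping the host, then "
                        f"'show mac address-table address {mac}'"}
    port, vlan = cam[mac]["port"], cam[mac]["vlan"]
    if port in trunks:
        return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "status": "trunk",
                "next": f"{port} is an uplink to {trunks[port]}; repeat the MAC "
                        "lookup there until you land on an access port"}
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "status": "edge",
            "next": f"host is on {port}; check 'show interface {port}'"}


if __name__ == "__main__":
    for target in ("10.4.30.7", "10.4.92.15", "10.4.80.1", "10.4.8.250"):
        print(locate(target))
```

When the port the MAC lands on is a trunk, "show cdp neighbors <port> detail" names the next switch and the lookup is repeated there; a STATIC entry on the CPU port is the switch's own SVI MAC, which is why an age of "-" in "show arp" is treated as the device itself rather than a host to chase.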

oneirishpollack Thu, 07/22/2010 - 11:05

It makes sense, but when I ping the address from a 10.4.8.x machine, it goes through the L3 switch utilizing SVIs. The tracert shows the following:

Tracing route to over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms
  2     1 ms    <1 ms    <1 ms

Trace complete.

So it must have a route or interface to to correct?


