Occasionally, one discovers what may appear to be a rogue or unidentified device on the local home network. The IP address is known, but little else. This HOWTO shows one way to convert that IP address to a MAC address, then a manufacturer.
Recently, Little Snitch, a security tool, threw up a notice about something odd happening with one of my devices. (I'm still working on figuring that part out with the help of Cocoatech Support, maker of Path Finder. Note: 4/1/2009: turns out to be an aggressive Samba search by Path Finder --- something that can be suppressed in PF's preferences.) By the way, Little Snitch is a tool I highly recommend. Anyway, here's the dialog I got.
Little Snitch Doing Its Job -- And Creating a Mystery
My first question was, "What MAC address is this?" The MAC address is the Media Access Control (MAC) address assigned according to the Institute of Electrical and Electronics Engineers (IEEE) standard for identifying Ethernet devices. The hexadecimal number is in the form XX:XX:XX:YY:YY:YY where XX:XX:XX identifies the manufacturer and YY:YY:YY identifies the device ID assigned by the manufacturer. XX or YY ranges from 00 to hexadecimal FF (0 to 255)
For example, the leading XX:XX:XX of 00:22:41 is assigned to Apple. Even though there can be 256^3 = 16.7 million devices per manufacturer code, many companies like Apple need more than one of the manufacturer codes. For example, Apple also has: 00:21:E9. And many others in fact.
Dumping the ARP Cache
Sounds cool, huh? If you can dump you computer's ARP cache, then you've achieved guru status. The way to do this is to open the Terminal app and ping the suspicious IP address. As an analogy, think of that as something like a submarine sending out a sonar ping. It bounces off the target and returns information.
$ ping 192.168.1.2
Hit CTRL-C to stop after a few seconds. When your UNIX system pings the other device, it's really using the MAC addresses. You can dump that ping information with the following command in the Terminal:
$ arp -a
When you do this, you may also see other devices that have communicated recently. Now we know the MAC address of the device with IP address 192.168.1.2, and it starts with 00:22:41. (I've obscured some of the data with a red block for the sake of privacy.)
The next step is to go the IEEE Standards Association Website that has the "Organizationally Unique Identifier" (OUI) database and enter the first three hex codes, with the colons replaced by dashes:
Convert 00:22:41 to 00-22-41 and Enter in Search Field
When I did that, the results came back as follows:
That assured me that the device in question was indeed an Apple product. Once I realized that, I looked for other Apple products in my office. It turned out to be an iPhone.
Researching Your Network
Recently, I made a list of all my MAC addresses for equipment I own, but I forgot to add the MAC address of the iPhone. So when I saw a mysterious MAC address, I got curious and decided to dig further. Using the techniques above really helped.
Finally, there is a Mac OS X GUI app called IP Scanner from 10base-t-interactive Software that will show you all the devices on your network and also reveal the MAC address. It is a bit on the expensive side (US$30) but it's great for users who don't feel comfortable on the command line. I found it to be a little bit buggy as well. Also, it will not look up the OUI code, so you'll still have to do that yourself.
This technique can also come handy when you're trying to identify some of your HDTV components, if you've added them to your LAN. Sometimes, manufacturers of TV equipment aren't so forthcoming or experienced as they add Ethernet capability to their TV devices. For example, I have a Samsung device with Ethernet, but the company doesn't (choses not to) supply the MAC address. Some investigation is then required using the above techniques.