Wireshark is a powerful tool that can analyze traffic between hosts on your network. But it can also be used to help you discover and monitor unknown hosts, find their IP addresses, and even learn a little about the device itself. Here’s how I use Wireshark to find the IP address of an unknown host on my LAN.
- 1 What are Wireshark and IP Addresses?
- 2 Taking Wireshark to the next level
- 3 Finding an IP address with Wireshark using ARP requests
- 4 Finding an IP address with Wireshark using DHCP requests
- 5 Getting the IP address of an unknown host with Wireshark
What are Wireshark and IP Addresses?
Wireshark is a network monitor and analyzer. It works below the packet level, capturing individual frames and presenting them to the user for inspection. Using Wireshark, you can watch traffic in real-time across your network, and look inside to see what data is moving across the wire.
An IP address is a unique identifier used to route traffic on the network layer of the OSI model. If you think of your local network as a neighborhood, an IP address is analogous to a house number. When you know the IP address of a host, it’s possible to access and interact with it.
Taking Wireshark to the next level
Wireshark is very good at what it does, but out of the box, it only offers basic functionality. Once you discover the IP address of an unknown host, you may want to be able to visualize its performance on the network.
SolarWinds Response Time Viewer for Wireshark is a free plugin for Wireshark that lets you monitor lag time across your network. If your machines are running slowly, and you need to figure out why, it’s an excellent tool for the job.
They also offer a full-featured Network Performance Monitor (NPM) for enterprise networks. The SolarWinds Network Performance Monitor can calculate application response time, ping your devices with intelligent alerts, create performance baselines, and even monitor your entire Cisco stack. Comparitech readers can try it out risk-free for 30 days.
Finding an IP address with Wireshark using ARP requests
Address Resolution Protocol (ARP) requests captured in Wireshark can reveal the IP address of an unknown host on your network. An ARP request is a broadcast frame a host sends to resolve an IP address to a MAC address; because it is broadcast, every host in the same broadcast domain, including your capturing machine, sees it.
ARP is slightly more foolproof than using a DHCP request – which I’ll cover below – because even hosts with a static IP address will generate ARP traffic upon startup.
To get an IP address of an unknown host via ARP, start Wireshark and begin a session with the Wireshark capture filter set to arp, as shown above.
Then wait for the unknown host to come online. I’m using my cell phone and toggling the WiFi connection on and off. Regardless, when an unknown host comes online it will generate one or more ARP requests. Those are the frames you should look for.
Once you’ve spotted the request, click on it. Use Wireshark’s Packet details view to analyze the frame. Look at the Address resolution protocol section of the frame, especially the Sender IP address and Sender MAC address.
In this case, you can see my phone received an IP address of 192.168.1.182 from the router, and you can identify the device as an Apple phone by looking at the vendor OUI (the first three bytes of the Sender MAC address, which Wireshark resolves to a manufacturer name).
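The fields the walkthrough reads from the Address Resolution Protocol section can be pulled out of a raw frame programmatically. This is an added example, not code from the article; the MAC address, the OUI table entry and the sample frame are constructed (the MAC uses a locally administered prefix, so it belongs to no real vendor), and it also handles the RFC 5227 ARP probe case, where a host announces itself with a sender IP of 0.0.0.0 and the address it is claiming sits in the target IP field.

```python
import struct

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast Ethernet+ARP request frame (used here only to construct sample input)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + b"\x08\x06"  # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype Ethernet, ptype IPv4, hlen 6, plen 4, opcode 1
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + bytes(6) + ip_bytes(target_ip)
    return eth + arp

# Constructed OUI table; for real lookups use the manuf file that ships with Wireshark.
OUI_TABLE = {"02:ab:cd": "Example Vendor (constructed entry)"}

def parse_arp(frame: bytes):
    """Extract the fields shown in Wireshark's 'Address Resolution Protocol' tree from a raw frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # too short, or not an ARP frame
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    body = frame[22:42]
    sender_mac = ":".join(f"{b:02x}" for b in body[0:6])
    sender_ip = ".".join(str(b) for b in body[6:10])
    target_ip = ".".join(str(b) for b in body[16:20])
    # RFC 5227 ARP probe: sender IP is 0.0.0.0 and the address being claimed is the target IP.
    host_ip = target_ip if sender_ip == "0.0.0.0" else sender_ip
    return {
        "opcode": {1: "request", 2: "reply"}.get(op, str(op)),
        "sender_mac": sender_mac,
        "sender_ip": sender_ip,
        "target_ip": target_ip,
        "host_ip": host_ip,
        "vendor": OUI_TABLE.get(sender_mac[:8], "unknown OUI"),
    }

# Constructed sample: the kind of request a phone sends when its Wi-Fi comes back on.
SAMPLE_FRAME = build_arp_request("02:ab:cd:00:00:01", "192.168.1.182", "192.168.1.1")

if __name__ == "__main__":
    print(parse_arp(SAMPLE_FRAME))
```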
Finding an IP address with Wireshark using DHCP requests
Another easy way to determine the IP address of an unknown host on your network is to use DHCP traffic. This method only works if the host requests an IP address.
If you’re dealing with a situation where someone has put a malicious device on your corporate network, this method isn’t recommended – they’ve likely set a static address. But for normal use, it works just as well as ARP.
To capture DHCP traffic, I like to start a new session with no capture filter and set the Wireshark display filter to udp.port==67 as shown above. Then wait for the unknown host to come online and request an IP address from your DHCP server.
You can also force every host on your network to request a new IP address by setting the lease time to an hour or two and capturing traffic. In this case, you’d want to browse through hostnames until you find the target client.
Note that the frame I captured has a source IP address of 0.0.0.0. This is normal until the host is assigned a valid IP address by the DHCP server.
Click on the captured frame, and look at the Packet details view. Browse until you’ve found the entry for Bootstrap protocol and click the arrow to expand it.
Scroll through the list of options until you find the Requested IP address, which shows what the DHCP server has attempted to assign. In just about every case this correlates to the IP address of the host machine, despite the fact it’s phrased as a request.
You can also find a handful of other useful options like the IP address lease time and Host name of the unknown client requesting an address.
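The Bootstrap Protocol tree that the walkthrough expands is a fixed BOOTP header followed by TLV options, and the three values it reads (Requested IP address, IP address lease time, Host name) are options 50, 51 and 12 from RFC 2132. The following is an added example, not the article's code: it constructs a sample client DHCPREQUEST (the MAC, transaction id and host name are made up) and parses those options out of it, including the pad and end markers and a truncated message.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
# RFC 2132 option codes for the fields this walkthrough reads from the Bootstrap Protocol tree.
OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE = 12, 50, 51, 53
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_dhcp_request(mac: bytes, requested_ip: str, hostname: str, lease: int) -> bytes:
    """Construct a client DHCPREQUEST (BOOTP payload only, no IP/UDP headers) as sample input."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0)  # op=1 BOOTREQUEST, htype=1, hlen=6, constructed xid
    hdr += bytes(16)                                               # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)         # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 3])
    opts += bytes([OPT_REQUESTED_IP, 4]) + bytes(int(o) for o in requested_ip.split("."))
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    return hdr + DHCP_MAGIC + opts + b"\xff"

def parse_dhcp_options(msg: bytes) -> dict:
    """Walk the TLV options after the magic cookie, honouring pad (0) and end (255) markers."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:          # pad byte has no length field
            i += 1
            continue
        if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option at offset %d" % i)
        opts[msg[i]] = msg[i + 2:i + 2 + msg[i + 1]]
        i += 2 + msg[i + 1]
    return opts

def summarize_dhcp(msg: bytes) -> dict:
    """Return what the walkthrough reads off the frame: type, client MAC, requested IP, lease, host name."""
    opts = parse_dhcp_options(msg)
    hlen = msg[2]
    return {
        "message_type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "unknown"),
        "client_mac": ":".join(f"{b:02x}" for b in msg[28:28 + hlen]),
        "ciaddr": ip_str(msg[12:16]),  # stays 0.0.0.0 until the server assigns an address
        "requested_ip": ip_str(opts[OPT_REQUESTED_IP]) if OPT_REQUESTED_IP in opts else None,
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None,
        "hostname": opts[OPT_HOSTNAME].decode(errors="replace") if OPT_HOSTNAME in opts else None,
    }

# Constructed sample: a client with a made-up MAC asking for 192.168.1.182 with a two-hour lease.
SAMPLE_REQUEST = build_dhcp_request(bytes.fromhex("02abcd000001"), "192.168.1.182", "my-phone", 7200)
```

In a live capture the same bytes are the UDP payload of the frames your udp.port==67 display filter shows; feed that payload to summarize_dhcp.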
Getting the IP address of an unknown host with Wireshark
Those two methods are sure-fire ways to find the IP address of an unknown host. Depending on your network, there may be others. For instance, sending out a broadcast ping will work in some situations when you share a collision domain with the host. But especially for home networking, where all devices are more or less directly connected to a switch, analyzing ARP and DHCP requests is the best choice for discovering an IP address.