AV Police Squad

WireShark Week

I must have angered the AV gods. I came to a site without my USB to serial cable adapter, and had to connect to an audio DSP mixer. No one knew the IP address of the device (which can be queried fairly easily with a serial terminal program). And after trying several subnets unsuccessfully, I was just about ready to pack things up, dreading having to explain to the client what a dumb-dumb-dummy (that’s what my sister used to call me) I was. Just as I was making the call, I figured: Let me just check the intertubes to see if someone figured it out.

And the people at Biamp did just that. They rocked my world so hard.

I’ve rarely used WireShark for anything but sniffing network traffic. However, that was about to change. Biamp had an FAQ answer about my exact dilemma: “Finding the IP address of a device using its Ethernet port.” As it turns out, if you have a crossover cable or a simple switch (the simpler the better in this case), you can sniff the network for 60-90 seconds after plugging the network cable into the device, and then filter the results by MAC address!

What did I just say?

I got the gist right away: use WireShark to “listen” for any device communicating on the network with a particular MAC address, and then get its IP addy. However, I had some questions:

  1. What if I don’t know the MAC address of my device? Well, my friend, you just need the first three octets of the MAC address, which are manufacturer-specific. All Biamp MAC addresses start with 00:90:5e, for example. All Extron MAC addresses start with 00:05:a6. These are easy to find out, even if you don’t have them committed to memory like some sickos out there.
  2. What if I’m on a different subnet? This is where the “simple” switch or, preferably, a crossover cable comes into play. You are definitely looking for packets that would not be routed to your NIC (or else the software would simply find the device), so you need a connection that will allow you to look at packets in “promiscuous mode.” In other words, this will not work on a managed router or corporate network. You’ll get locked down faster than…uh…well, something that happens fast. But, with a simple network (dumb switch, hub or crossover cable), you should be able to listen to any device connected to your simple network.
  3. Have you seen how much network traffic there is? And you want me to search for six little numbers of a MAC address?! Well, that is where WireShark’s GUI comes in. You just need to type “eth.src[:3]==00:90:5e” to look for a Biamp device (or, as another example, “eth.src[:3]==00:05:a6” to look for an Extron device) into the filter field, and the transmitting IP address that shows up in the filtered field will be the device you are looking for. In other words, “eth.src[:3]” is the command that asks WireShark, “’Scuse me, buddy. Do you know any device on this here network whose MAC address starts with the next three octets? Please and thank you.”
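The same lookup can be run offline against a saved capture. This is an added example, not from Biamp's FAQ or the original post: it applies the eth.src[:3] test to each frame and reads the address from the ARP sender field or the IPv4 source field. It assumes a classic pcap file (not pcapng) with untagged Ethernet frames; the function names and the sample MAC and IP values are constructed.

```python
import struct

def find_ips_by_oui(pcap_bytes, oui):
    """Map source MAC -> set of IPs for frames whose source MAC starts with oui."""
    prefix = bytes.fromhex(oui.replace(":", ""))
    if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap_bytes[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("not an Ethernet capture")
    found, pos = {}, 24                      # records follow the 24-byte file header
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[pos + 8:pos + 12])[0]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 14 or frame[6:9] != prefix:     # same test as eth.src[:3]
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0806 and len(frame) >= 42:    # ARP: sender IP
            ip = frame[28:32]
        elif ethertype == 0x0800 and len(frame) >= 34:  # IPv4: source IP
            ip = frame[26:30]
        else:
            continue
        if ip == b"\x00" * 4:                # ARP probe / DHCP discover: no address yet
            continue
        mac = ":".join(f"{b:02x}" for b in frame[6:12])
        found.setdefault(mac, set()).add(".".join(map(str, ip)))
    return found

def build_sample_capture():
    """Constructed capture: ARP probe + ARP announcement from a 00:90:5e MAC, one other host."""
    rec = lambda f: struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    dsp, pc = bytes.fromhex("00905e010203"), bytes.fromhex("aabbcc000001")
    def arp(sender_ip):
        return (b"\xff" * 6 + dsp + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
                + dsp + sender_ip + b"\x00" * 6 + bytes([192, 168, 1, 101]))
    ipv4 = (dsp + pc + b"\x08\x00" + struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
            + bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 1]))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + rec(arp(b"\x00" * 4)) + rec(arp(bytes([192, 168, 1, 101]))) + rec(ipv4)

if __name__ == "__main__":
    print(find_ips_by_oui(build_sample_capture(), "00:90:5e"))
```

Frames with an all-zero source address are skipped because a device that is still probing or waiting on DHCP sends them before it has an address to report.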

As luck would have it, I had a crossover cable. I found my mixer, thanks to the good folks at Biamp. I was able to save the day. Well, I was able to connect to the mixer at least and fiddle with stuff.

It just goes to show you that as long as you show respect, talk nicely to all devices and give a few gentle massages here and there, even when you think you’ve angered them, the AV gods will smile down upon you when you least expect it.
