Finding IP address of a device on a network.

[zippy] I get asked this question once in a while:

“When I plug in a new device to the network, fresh out of the box and it defaults to getting an IP address via DHCP: how the heck do I find its IP address once it’s powered on?”

In other words, it’s the networking version of “Where’s Waldo?”

The first thing to do is to find the unique MAC address identifying the device which is often labelled on the rear or bottom of the device.  The MAC address is always 12 hex [0-9,A-F] characters long. Example: 0C:4F:22:77:8C:90.

On a small home network, it’s pretty easy to find the device’s IP address.  You can simply login your home router and usually there is an list of devices currently connected to your router.  Find the device matching the MAC address and you’ll find out what its IP address is.

However, on a larger network where you don’t have admin access to the network’s router and don’t want to bother the busy network administrator, this can present a challenge to find which IP address was assigned to your device. On a /24 network, there are 254 usable IP addresses or on a /23 network, there are 510 usable IP addresses.

For this example, a managed switch is powered on the network and it has a HTTP web admin tool on port 80.  You could attempt to find it by visiting each IP address in your web browser. Let’s face it, it would be cumbersome and could take a very long time before you finally hit upon the managed switch.  If you power off the managed switch and turn it back on, it could get a different IP address and you would have to start searching for it all over again!

The easy & lazy (expert) method:

Fortunately, there is a network tool called nmap (or zenmap if want a nice GUI interface). I prefer to use nmap in a native Linux environment so if I’m on OSX or Windows machine, I fire up a Ubuntu virtual machine that has been set with a bridge to the network.  There are nmap versions for Windows and OSX if you don’t have access to Ubuntu. I haven’t personally used them so I can’t attest how well they work.

The managed switch has an open port 80 for its HTTP web admin, so it’s possible to take advantage of that fact to narrow down the search.  The resulting list should also ignore all IP addresses don’t have anything running on port 80 and list only those IP address that have port 80 open.


$ nmap -p 80 --open > results.txt

nmap will connect at port 80 on all usable IP addresses ranging from to then dump the results into a file called results.txt

If you look in results.txt, you’ll find entries such as this one:

Nmap scan report for
Host is up (0.0072s latency).
80/tcp open  http

Results show that has something running on port 80. However, note that there’s still no MAC address listed for The list has to display the MAC addresses so that you can find the IP address that corresponds with your device’s MAC address.

Run the same nmap command but with sudo privileges:

$ sudo nmap -p 80 --open > results.txt


Nmap scan report for
Host is up (0.00085s latency).
80/tcp open  http
MAC Address: 00:00:74:E8:D1:42 (Ricoh Company)

MAC addresses now show up in results.txt with the accompanying IP address. Search for your device’s MAC address and you’ll see its current IP address on the network.

Note: the machine that you use to run the nmap search must be on the *same* network as the device in order for you find its MAC address.

This entry was posted in Networking. Bookmark the permalink.