OT How can I connect to anonymous device with only MAC address known.

The device in question is a network management card for an UPS which I have acquired. I know the MAC address but nothing else. The card may have a fixed IP or have DHCP enabled but what should I connect it to in order to interrogate the IP traffic to the device and find the IP address? I assume some scanning setup is required but any help would be appreciated.

Hi Budge,

If you have access to the GUI of your ISP I’d just hook the device to it resp. to your LAN and check the GUI which device has been connected. I’d expect it to connect to a DHCP server. Then you can use further tools as nmap or wireshark.
If it has a fixed IP setting it won’t reply unless addressed correctly - MAC address may not be enough, IMHO. Other idea: check the brand and type and ask the duck for a manual which may give away the default settings or possibly reset options.

Hi and many thanks. Unfortunately I can no longer access the best ISP direct router connection at all times but shall plan to get to it in the next couple of days. The other ISP connection is via a firewall router so scanning may not work for long!

I tried the device on my local switch subnet, which has DHCP enabled, but the device did not connect, so I assume it has been given a static IP in another life or has other security set. I am meanwhile reading to find out about resetting but have not found it yet.

Thanks for your suggestions.

If it is not replying to DHCP you might try wireshark and see if any unknown/“alien” IP is calling somewhere.

If that is no option you might also use nmap for a network scan:

man nmap
       Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /numbits to an IP address or hostname and Nmap will scan every IP address for which the first numbits are the same as for the reference IP or hostname given. For example, would scan the 256 hosts between (binary: 11000000 10101000 00001010 00000000) and (binary: 11000000 10101000 00001010 11111111), inclusive. would scan exactly the same targets. Given that the host scanme.nmap.org is at the IP address, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between and The smallest allowed value is /0, which targets the whole Internet. The largest value for IPv4 is /32, which scans just the named host or IP address because all address bits are fixed. The largest value for IPv6 is /128, which does the same thing.

       CIDR notation is short but not always flexible enough. For example, you might want to scan but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses,,, and Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

It is still tedious to go through all possible subnets. So you could write a small bash script to let it do that work.

If you know the MAC address you can set the IP address with arp. If you read the installation manual for that device, it shows you how to do it…

See page 14 https://download.schneider-electric.com/files?p_File_Name=990-3404F-EN.pdf&p_Doc_Ref=SPD_PMAR-96DHBM_EN&p_enDocType=User+guide

Hi Malcom, many thanks, seems like the way to go.

I had not been sure what the device should be plugged into: a port on my LAN or my laptop NIC? And if the latter, should it be set up as DHCP or with a fixed IP, and in that case should I also have the wifi connection up or down? So far I have:

alastair@localhost:~> sudo arp-scan -s 00:c0:87:6a:ca:cb 
Interface: wlp3s0, type: EN10MB, MAC: 3c:a9:f4:56:ee:8c, IPv4: 
WARNING: get_host_address failed for "00:c0:87:6a:ca:cb": Name or service not known - target ignored 
ERROR: No hosts to process.


Tried most things and still no connection. Could it have some security settings which frustrate arp-scan?

Install net-tools-deprecated and use arp, not arp scan (cnf arp). Not sure why you don’t connect via serial interface?

Ok and thanks for the info on arp. Why deprecated I wonder. Will try again.

Last time I tried to make a serial connection I had no luck at all. Will keep trying.

Actually my attempt to use the serial connection was with the AP9630 but I have those cards sorted now. My problem on one AP9819 is that there is no serial port on that card!

I would use wireshark and look for the MAC address (add a filter) to see what’s what…

A lot of reading for wireshark!!! I think I have it now and scanning is working but a couple of queries.

How do I set the filter to include arp and dhcp traffic, and how do I filter output to look for the MAC address I have? Not sure how to do this.

I assume I start the scanning and then turn on the UPS which will boot the NMC and look for the results. Is that right?

Yes, need to have it running, you would add eth.addr == xx:xx:xx:xx:xx:xx as the filter.
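
An added example, not part of the original thread: the Python code below applies the same idea as the `eth.addr` filter to raw Ethernet frames, keeping only frames sent by the known MAC and reading the address the device announces in ARP (including boot-time ARP probes, where the sender IP is 0.0.0.0) or noting that it is asking for a DHCP lease. The function names, the neighbour MAC and the 192.0.2.x addresses are constructed for illustration; only the target MAC comes from the thread.

```python
import socket
import struct

TARGET = "00:c0:87:6a:ca:cb"   # MAC shown in the thread's arp-scan attempt
ZERO = bytes(4)                # 0.0.0.0

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def observe(frame, target=TARGET):
    """Return (kind, ip) if this Ethernet frame was sent by target and reveals its address."""
    if len(frame) < 14 or frame[6:12] != mac(target):
        return None                                   # source MAC is not the target
    etype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == 0x0806 and len(body) >= 28:           # ARP: sender IP at 14..18, target IP at 24..28
        spa, tpa = body[14:18], body[24:28]
        # RFC 5227 probe: sender IP is 0.0.0.0 and the address being claimed is the target IP
        kind, ip = ("arp-probe", tpa) if spa == ZERO else ("arp", spa)
        return (kind, socket.inet_ntoa(ip))
    if etype == 0x0800 and len(body) >= 20:           # IPv4: protocol at 9, source at 12..16
        ihl, src = (body[0] & 0x0F) * 4, body[12:16]
        udp = body[9] == 17 and len(body) >= ihl + 4
        if udp and src == ZERO and struct.unpack("!HH", body[ihl:ihl + 4]) == (68, 67):
            return ("dhcp-client", None)              # asking for a lease, no address yet
        if src != ZERO:
            return ("ipv4", socket.inet_ntoa(src))
    return None

def find_addresses(frames, target=TARGET):
    return [hit for f in frames if (hit := observe(f, target))]

# --- constructed sample frames (not captured traffic) ---
BCAST, OTHER = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01"
# IPv4 0.0.0.0 -> 255.255.255.255 followed by a UDP 68 -> 67 header, payload omitted
DISCOVER = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 28, 0, 0, 64, 17, 0,
                       ZERO, b"\xff" * 4, 68, 67, 8, 0)

def eth(src, dst, etype, body):
    return mac(dst) + mac(src) + struct.pack("!H", etype) + body

def arp_req(sha, spa, tpa):
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac(sha)
            + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))

SAMPLE = [
    eth(OTHER, BCAST, 0x0806, arp_req(OTHER, "192.0.2.1", "192.0.2.9")),     # neighbour, ignored
    eth(TARGET, BCAST, 0x0806, arp_req(TARGET, "0.0.0.0", "192.0.2.77")),    # boot-time probe
    eth(TARGET, BCAST, 0x0806, arp_req(TARGET, "192.0.2.77", "192.0.2.77")), # announcement
    eth(OTHER, BCAST, 0x0800, DISCOVER),                                     # neighbour, ignored
]
print(find_addresses(SAMPLE))
```

A device with a static address shows up as `arp-probe` or `arp` shortly after power-on; one that only ever produces `dhcp-client` has no address yet and is waiting for a DHCP server.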

Well wireshark is brilliant and now I have the IP address. Trouble is my resetting did not reset the password. The instructions suggest using serial but I have not been able to get that working because there is no RS232 or any other socket that works so…
Back to the reading. It is possible that the reset button only works for a short time and then reverts on next boot so will keep trying.
I can’t yet find the coffee button on wireshark but it must be there somewhere as it does everything!
Regards and thanks for the help.

Did you try the arp and then the additional ping command (very important) to change the ip address?

I understand and yes but could not get a ping response. I suspect the various firewalls in between but since I had the device to hand and knowing the configured IP, I was nearly there. I had to use the serial port, which I found, in this case not on the card but on the machine into which it fits and that enabled me to change the pw. I could then access the device using browser and change the IP.
Then an hour upgrading each bin file through several upgrade versions and rebooting between each “put” command so now all devices are up to date and accessible.
So far so good.