Network Recon – Identifying the Location of Equipment on a Network



You will frequently need to identify where on the network a device or piece of equipment is connected. This type of reconnaissance can usually be accomplished using information gleaned from typical network protocols and applications.

The process consists of tracing the hardware (MAC) address of a piece of equipment to the switch port it is connected to. If the corresponding IP address is known, the MAC address can be determined by checking the ARP cache of a computer that can communicate with the device. For example, to determine where a device with the IP address of is located, you would first make sure that a computer on the same IP network has learned the device's MAC address (pinging the device is enough), then read the MAC address from that computer's ARP cache.


Pinging with 32 bytes of data:
Reply from bytes=32 time<1ms TTL=255
Reply from bytes=32 time<1ms TTL=255
Reply from bytes=32 time<1ms TTL=255
Reply from bytes=32 time<1ms TTL=255
Ping statistics for<
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>arp -a

Interface: --- 0xb
  Internet Address      Physical Address      Type
                        c0-ea-e4-ec-2e-5a     dynamic
                        00-50-B6-68-0F-C1     dynamic
                        ff-ff-ff-ff-ff-ff     static
                        01-00-5e-00-00-16     static
                        01-00-5e-00-00-fb     static
                        01-00-5e-00-00-fc     static
                        01-00-5e-7f-ff-fa     static
                        ff-ff-ff-ff-ff-ff     static

Once you learn the MAC address (00-50-B6-68-0F-C1 in the example above), you can check the MAC Address Table of the LAN switch to determine which switch port or interface that MAC address was learned on. This should indicate the port or interface that the equipment is directly connected to. Note that the switch displays the same address in dotted notation (0050.B668.0FC1). In this example, the device with the MAC address of 00-50-B6-68-0F-C1 is connected to the switch port gi1/0/16.

switch#sh mac address-table
Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0180.c200.0000    STATIC      CPU
All    0180.c200.0001    STATIC      CPU
All    0180.c200.0002    STATIC      CPU
All    0180.c200.0003    STATIC      CPU
All    0180.c200.0004    STATIC      CPU
All    0180.c200.0005    STATIC      CPU
All    0180.c200.0006    STATIC      CPU
All    0180.c200.0007    STATIC      CPU
All    0180.c200.0008    STATIC      CPU
All    0180.c200.0009    STATIC      CPU
All    0180.c200.000a    STATIC      CPU
All    0180.c200.000b    STATIC      CPU
All    0180.c200.000c    STATIC      CPU
All    0180.c200.000d    STATIC      CPU
All    0180.c200.000e    STATIC      CPU
All    0180.c200.000f    STATIC      CPU
All    0180.c200.0010    STATIC      CPU
All    ffff.ffff.ffff    STATIC      CPU
1    2852.61f9.3d98    DYNAMIC     Gi1/0/1
1    c4b9.cdd6.f030    DYNAMIC     Gi1/0/10
1    0050.B668.0FC1    DYNAMIC     Gi1/0/16
1    0000.7478.d5fc    DYNAMIC     Gi1/0/25
1    0000.aaad.15e6    DYNAMIC     Gi1/0/22
1    0000.aaad.1629    DYNAMIC     Gi1/0/12
1    0000.aaad.1650    DYNAMIC     Gi1/0/46
1    0000.aaad.168c    DYNAMIC     Gi1/0/11
1    0000.aaad.16b4    DYNAMIC     Gi1/0/44
1    0000.aaad.1830    DYNAMIC     Gi1/0/19
1    0000.aaad.2d05    DYNAMIC     Gi1/0/24
1    0000.aae4.a170    DYNAMIC     Gi1/0/24
1    0001.e64f.f534    DYNAMIC     Gi1/0/24

In larger environments where several switches are interconnected, you may be directed to a port that connects to a different switch. This is usually indicated by several MAC addresses all being associated with the same switch port. In the example above, several MAC addresses are associated with switch port gi1/0/24. You could physically trace the cable connected to port gi1/0/24 to the next switch. Alternatively, you could use network management protocols such as the Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) to determine which switch is connected to that port.

switch#show cdp neighbors detail
Device ID: switch1
Entry address(es):
IP address:
Platform: cisco WS-C2960X-48FPD-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/24,  Port ID (outgoing port): GigabitEthernet1/0/48
Holdtime : 159 sec

Version :
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 21-Feb-14 05:54 by prod_rel_team

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022501000000000000E0899D2D2280FF0000
VTP Management Domain:
Native VLAN: 1
Duplex: full
Management address(es):
IP address:


In this scenario, you would next log on to the switch (switch1, connected to port gi1/0/24 of the first switch) and repeat the same process of checking the MAC Address Table. Continue this procedure for each subsequent switch until you find the port that the device plugs into directly, which completes the end-to-end path across the network.
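
The tracing procedure above as a short script (an added example, not code from the original article): it normalizes the Windows and Cisco MAC notations, finds the port in "show mac address-table" output, and uses "show cdp neighbors detail" to name the next switch when the port is an uplink. The sample outputs are constructed from the listings above, and the two-letter interface abbreviation in short_port is an assumption that holds for the Gi/Fa/Te style names shown here.

```python
import re
from collections import defaultdict

# Constructed samples, abbreviated from the switch output shown in the article.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    ffff.ffff.ffff    STATIC      CPU
   1    2852.61f9.3d98    DYNAMIC     Gi1/0/1
   1    0050.B668.0FC1    DYNAMIC     Gi1/0/16
   1    0000.aaad.2d05    DYNAMIC     Gi1/0/24
   1    0000.aae4.a170    DYNAMIC     Gi1/0/24
"""
CDP_DETAIL = """\
Device ID: switch1
Interface: GigabitEthernet1/0/24,  Port ID (outgoing port): GigabitEthernet1/0/48
"""

def normalize_mac(mac):
    """Reduce aa-bb-.., aa:bb:.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def short_port(name):
    """GigabitEthernet1/0/24 -> Gi1/0/24, the form used in the MAC table (assumed rule)."""
    m = re.fullmatch(r"([A-Za-z]+)([\d/]+)", name)
    return name if not m else m.group(1)[:2] + m.group(2)

def cdp_neighbors(text):
    """Map local port -> neighbor Device ID from 'show cdp neighbors detail'."""
    pairs = re.findall(r"Device ID:\s*(\S+).*?^\s*Interface:\s*([^,\s]+)", text, re.S | re.M)
    return {short_port(port): dev for dev, port in pairs}

def locate(mac, mac_table, cdp_detail=""):
    """Return (port, next_hop); next_hop is None when the port looks like an edge port."""
    target, ports = normalize_mac(mac), defaultdict(set)
    for line in mac_table.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[2].upper() == "DYNAMIC":  # skip headers and STATIC/CPU rows
            ports[cols[3]].add(normalize_mac(cols[1]))
    for port, macs in ports.items():
        if target in macs:
            neighbor = cdp_neighbors(cdp_detail).get(port)
            if neighbor is None and len(macs) > 1:  # several MACs, no CDP entry: trace the cable
                neighbor = "unknown switch (several MACs on port, no CDP entry)"
            return port, neighbor
    return None, None  # MAC not learned on this switch
```

A result of (port, None) means the port is a candidate for the device's own connection; (port, "switch1") means the same lookup has to be repeated on switch1.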

These basic techniques are not only useful in determining where equipment is located on a network, but can also be used to develop a diagram of the logical network topology as part of a discovery process.
