Using Wireshark to get the IP address of an Unknown Host
AARON PHILLIPS
Updated: December 29, 2023
Learn how to use Wireshark to pull the IP address of an unknown host
quickly and easily.

Wireshark is a powerful tool that can analyze traffic requests between hosts on your network. But it can also be used to help you discover and monitor unknown hosts, pull their IP addresses, and even learn a little about the device itself. Here’s how I used Wireshark to find the IP address of an unknown host on my LAN.

What are Wireshark and IP Addresses?

Wireshark is a network monitor and analyzer. It works below the packet level, capturing individual frames and presenting them to the user for inspection. Using Wireshark, you can watch network traffic in real-time, and look inside to see what data is moving across the wire.

An IP address is a unique identifier used to route traffic on the network layer of the OSI model. If you think of your local network as a neighborhood, a network address is analogous to a house number. When you know the IP address of a host, it’s possible to access and interact with it.


Finding an IP address with Wireshark using ARP requests

Address Resolution Protocol (ARP) requests can be used by Wireshark to get the IP address of an unknown host on your network. ARP is a broadcast request that helps a client machine map out the hosts on its local network.

ARP is slightly more foolproof than using a DHCP request – which I’ll cover below – because even hosts with a static IP address will generate ARP traffic upon startup.

To pull an IP address of an unknown host via ARP, I started Wireshark and began a session with the Wireshark capture filter set to arp, as shown above.

I then waited for the unknown host to come online. I used my cell phone and toggled the WiFi connection on and off. Regardless of the device, when an unknown host comes online it will generate one or more ARP requests. Those are the frames you should look for.

I spotted the request and clicked on it. I used Wireshark’s Packet details view to analyze the frame. I looked at the Address resolution protocol section of the frame, especially the Sender IP address and Sender MAC address.

In this case, you can see my phone received an IP address of 192.168.1.182 from the router, and you can identify the device as an Apple phone by looking at the vendor OUI.

Quick Guide Recap

Finding IP Address with Wireshark using ARP Requests:

1. Initiate a Wireshark session with ‘arp’ as the capture filter.
2. Wait for the target device to come online and generate ARP requests.
3. Click on an ARP request to analyze it.
4. In ‘Packet details’ view, focus on ‘Sender IP address’ and ‘Sender MAC address’ in the ‘Address resolution protocol’ section.
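
The fields the recap tells you to read (EtherType 0x0806, opcode 1, Sender MAC address, Sender IP address, vendor OUI) sit at fixed offsets in the frame, so they can be pulled from raw bytes without the GUI. The following is an added example, not code from the article: it applies the same ‘arp’ filtering to constructed sample frames using only Python’s standard library, and it also covers a case the article does not mention, the RFC 5227 ARP probe a freshly connected host sends with a sender IP of 0.0.0.0, where the address being claimed is in the Target IP field instead. The MAC address and the non-ARP frame are made up.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806

def _eth(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame builder, used only to construct the sample capture below."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload

def _arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet/IPv4 ARP request: htype 1, ptype 0x0800, hlen 6, plen 4, opcode 1."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex(sender_mac)
            + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))

def parse_arp_sender(frame):
    """Return (sender MAC, IP the sender is using, OUI) for an ARP request, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None                    # not ARP: exactly what the 'arp' capture filter drops
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None                    # only Ethernet/IPv4 ARP *requests* (opcode 1)
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = socket.inet_ntoa(frame[28:32])
    # Caveat: a host that has just come online first sends RFC 5227 ARP probes with
    # sender IP 0.0.0.0; the address it is about to use is then in the target IP field.
    ip_in_use = socket.inet_ntoa(frame[38:42]) if sender_ip == "0.0.0.0" else sender_ip
    return mac, ip_in_use, mac[:8]     # the first three octets are the vendor OUI

def find_hosts(frames):
    """Map MAC -> (IP, OUI) for every ARP request seen, like scanning a filtered capture."""
    found = {}
    for frame in frames:
        parsed = parse_arp_sender(frame)
        if parsed:
            found[parsed[0]] = (parsed[1], parsed[2])
    return found

# Constructed sample capture (not the article's): an IPv4 frame the capture filter
# would discard, an ARP probe from a phone joining the LAN, then its normal ARP request.
PHONE_MAC = "021122334455"             # made-up, locally administered address
BROADCAST = "ffffffffffff"
SAMPLE_FRAMES = [
    _eth(BROADCAST, PHONE_MAC, 0x0800, b"\x45" + b"\x00" * 19),
    _eth(BROADCAST, PHONE_MAC, ETHERTYPE_ARP, _arp_request(PHONE_MAC, "0.0.0.0", "192.168.1.182")),
    _eth(BROADCAST, PHONE_MAC, ETHERTYPE_ARP, _arp_request(PHONE_MAC, "192.168.1.182", "192.168.1.1")),
]

if __name__ == "__main__":
    for mac, (ip, oui) in find_hosts(SAMPLE_FRAMES).items():
        print(f"{mac}  ip={ip}  oui={oui}")
```

The OUI printed here is made up; on a real capture you would look it up in the IEEE registry, as Wireshark does when it labels the vendor.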

Wireshark IP address puller using DHCP requests

Another easy way to determine the IP address of an unknown host on your network is to use DHCP traffic. This method only works if the host requests an IP address.

If you’re dealing with a situation where someone has put a malicious physical network device on your corporate network, this method isn’t recommended – they’ve likely set a static address. But for normal use, it works just as well as ARP.

To capture DHCP traffic, I like to start a new session with no capture filter and set the Wireshark display filter to udp.port==67 as shown above. Then I waited for the unknown host to come online and request an IP address from my DHCP server.

You can also force every host on your network to request a new IP address by setting the lease time to an hour or two and capturing network traffic. In this case, you’d want to browse through hostnames until you find the target client.

Note that the frame I captured has a source IP address of 0.0.0.0. This is normal until the host is assigned a valid IP address by the DHCP server.

I clicked on the captured frame, and looked at the Packet details view. I browsed until I found the entry for Bootstrap protocol and clicked the arrow to expand it.

I scrolled through the list of options until I found the Requested IP address, which showed what the DHCP server attempted to assign. In just about every case this correlates to the IP address of the host machine, despite the fact it’s phrased as a request.

You can also find a handful of other useful options like the IP address lease time and Host name of the unknown client requesting an address.

Quick Guide Recap

Wireshark IP Address Puller Using DHCP Requests:

1. Start a new Wireshark session without a capture filter and set the display filter to ‘udp.port==67’.
2. Wait for the target device to come online and request an IP address from the DHCP server.
3. Optionally, to force all hosts to request a new IP, set the lease time to a short duration and capture network traffic. Look for the target client among the hostnames.
4. Click on the captured frame with a source IP address of 0.0.0.0 (normal until the host is assigned a valid IP address).
5. In ‘Packet details’ view, find and expand the ‘Bootstrap protocol’ entry.
6. Scroll to ‘Requested IP address’, showing the IP address the DHCP server attempts to assign (usually correlates to the host’s IP).
7. Other useful options to note include ‘IP address lease time’ and ‘Host name’ of the unknown client requesting an address.

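
To show which bytes Wireshark is decoding when you expand ‘Bootstrap protocol’, here is an added example (not the article’s code) that parses a constructed DHCP Request with Python’s standard library: it applies the same udp.port==67 test as the display filter, reports the 0.0.0.0 source address, and extracts options 50 (Requested IP address), 12 (Host name) and 51 (IP address lease time). The client MAC address, hostname and transaction ID in the sample are made up.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # marks the start of DHCP options inside BOOTP

def parse_dhcp(frame):
    """Pull the fields the article reads under 'Bootstrap protocol' out of a raw frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                              # not IPv4 carrying UDP
    udp = 14 + (frame[14] & 0x0F) * 4            # skip Ethernet + IP header (IHL)
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if 67 not in (sport, dport):                 # same test as the udp.port==67 filter
        return None
    bootp = frame[udp + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != 255:    # walk TLV options until End (255)
        if bootp[i] == 0:                        # Pad option: one byte, no length
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        opts[code], i = bootp[i + 2:i + 2 + length], i + 2 + length
    return {
        "src_ip": socket.inet_ntoa(frame[26:30]),  # 0.0.0.0 until the client is configured
        "client_mac": ":".join(f"{b:02x}" for b in bootp[28:34]),
        "message_type": opts.get(53, b"\0")[0],    # 1 Discover, 3 Request, 5 Ack ...
        "requested_ip": socket.inet_ntoa(opts[50]) if 50 in opts else None,
        "hostname": opts[12].decode(errors="replace") if 12 in opts else None,
        "lease_time": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }

def build_dhcp_request(mac_hex, requested_ip, hostname, lease=7200):
    """Constructed DHCP Request from a client that has no address yet (sample input only)."""
    options = (b"\x35\x01\x03" + b"\x32\x04" + socket.inet_aton(requested_ip)
               + b"\x0c" + bytes([len(hostname)]) + hostname.encode()
               + b"\x33\x04" + struct.pack("!I", lease) + b"\xff")
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        bytes.fromhex(mac_hex).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255")) + udp
    return bytes.fromhex("ffffffffffff") + bytes.fromhex(mac_hex) + b"\x08\x00" + ip

SAMPLE_REQUEST = build_dhcp_request("021122334455", "192.168.1.182", "my-phone")
```

Calling parse_dhcp(SAMPLE_REQUEST) returns the same values Wireshark shows in the expanded Bootstrap protocol tree; note that option 51 in a Request is the lease the client asks for, while the lease actually granted is in the server’s Ack.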
Getting the IP address of an unknown host with Wireshark

Those two methods are sure-fire ways to find the IP address of an unknown host. Depending on your network, there may be others. For instance, sending out a broadcast ping will work in some situations when you share a collision domain with the host. But especially for home networking, where all devices are more or less directly connected to a switch, ARP and DHCP requests are the best choices for discovering an IP address.


Wireshark IP Puller FAQs

Is it illegal to run Wireshark on a public network?

It isn’t illegal to run Wireshark on a public network. However, pay attention to the Terms and Conditions of the network you want to use Wireshark on. It may prohibit the use of Wireshark, in which case you could be banned from the network or even sued for using it.

How do I view the MAC address of a received packet in Wireshark?

To view all of the MAC addresses in a captured packet stream:

1. Open a packet capture file in Wireshark.
2. Go to Statistics and then Conversations.
3. Click on the Ethernet tab.

You will see all of the MAC addresses from the captured packets.

Can you pull IPs with Wireshark over WiFi?

Yes. Wireshark can capture packets off of a WiFi network as long as the computer it is installed on has a WiFi transceiver and is in promiscuous mode. Wireshark uses the AirPcap standard for wireless packet capture.

What devices can Wireshark use to capture packets?

Wireshark captures packets through the network interface of the computer that it is installed on. It can run on Windows, Linux, macOS, FreeBSD, OpenBSD, Solaris, and Unix.

How do I trace a specific IP address in Wireshark?

If you only want to see the traffic to and from one address in a trace file, load it into Wireshark and then apply a filter to the packet data. You enter this filter in the bar across the top of the packet display pane where you will see the words Apply a display filter. For example, if you want to trace the activity of 192.168.0.12 you should type in:

ip.addr == 192.168.0.12

This will filter the records in the display panel so that you only see the packets going to or coming from that address.

How do I get the IP address of a hostname in Wireshark?

You don’t need to open up Wireshark to get the IP address of a hostname or a domain.

1. Open a Command Prompt window and type in:

nslookup <hostname>

2. Type in the name of the host that you want to get the IP address for instead of <hostname>.
3. If you already have Wireshark open and you want to look in passing packets for the IP address of a known hostname, open a packet stream in Wireshark then enter a display filter. This should be:

ip.host == <hostname>

4. Give the name of the host instead of <hostname>.
