Unknown Device on the Network: MAC Vendor Triage for Sysadmins

Network · May 26, 2026 · 4 min read

An unknown MAC address appears in your DHCP leases or ARP table. Use OUI lookup, port mapping, and traffic patterns to identify it fast.

An Unknown MAC Address Appears in Your DHCP Leases

You are auditing your network and find a DHCP lease for a device you do not recognize. Before panicking and assuming an intruder, run a systematic triage. Most unknown devices are benign: a new smart TV, a forgotten test VM, or a contractor's laptop that grabbed an IP last week.

The first stop is OpsCheck MAC Vendor Lookup. The OUI (first 3 bytes of a MAC address) identifies the manufacturer. A device claiming to be from "Apple" that shows up on a Windows-only network? Worth investigating. A device from "Sonos" on a network with smart speakers? Probably normal.

Triage Steps

# Find unknown MACs in your ARP table
arp -a | grep -v "incomplete"

# Check DHCP leases on your router/DHCP server
grep -E "^lease|hardware ethernet|binding state" /var/lib/dhcp/dhcpd.leases | head -30

# Scan for the device's open ports if it is still active
nmap -sT -F 192.168.1.50
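The grep above shows raw lease records, but dhcpd appends a new record on every renewal, so deciding whether an unknown MAC is a one-off visitor or a device that has been renewing for weeks means aggregating those records per MAC. The script below is an added example (not the post's or OpsCheck's code) that parses a constructed dhcpd.leases excerpt, tracks first/last seen and renewal count per MAC, and classifies each address against a known-MAC inventory you would maintain yourself. The Raspberry Pi OUI used in the sample (b8:27:eb) is assumed for illustration.

```python
"""Summarize an ISC dhcpd.leases file per MAC address to decide whether an
unknown device is transient or persistent. Added example; not from the post."""
import re
from datetime import datetime, timezone

# Constructed sample in dhcpd.leases format (not a real capture). dhcpd appends a
# new record on every renewal, so one MAC can appear many times; the newest
# record for an address is the authoritative one. The Raspberry Pi OUI
# (b8:27:eb) is assumed for the sample.
SAMPLE_LEASES = """\
lease 192.168.1.23 {
  starts 1 2026/05/18 09:00:00;
  ends 1 2026/05/18 21:00:00;
  binding state free;
  hardware ethernet 00:0c:29:4f:a1:b2;
  client-hostname "test-vm";
}
lease 192.168.1.50 {
  starts 3 2026/05/20 03:00:00;
  ends 3 2026/05/20 15:00:00;
  binding state active;
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "raspberrypi";
}
lease 192.168.1.50 {
  starts 1 2026/05/25 03:02:11;
  ends 1 2026/05/25 15:02:11;
  binding state active;
  next binding state free;
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "raspberrypi";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def _field(body, name):
    """Return the value of 'name ...;' inside one lease block, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(.+?);", body, re.M)
    return m.group(1) if m else None


def _ts(value):
    """dhcpd writes 'weekday YYYY/MM/DD HH:MM:SS' in UTC; drop the weekday."""
    return datetime.strptime(value.split(" ", 1)[1], TS_FMT).replace(tzinfo=timezone.utc)


def summarize_leases(text):
    """Aggregate every lease record per MAC: first/last seen, record count,
    IPs used, and the state/hostname taken from the newest record."""
    summary = {}
    for ip, body in LEASE_RE.findall(text):
        mac = _field(body, "hardware ethernet")
        if mac is None:
            continue  # some records carry no hardware line; nothing to key on
        mac = mac.lower()
        starts, ends = _ts(_field(body, "starts")), _ts(_field(body, "ends"))
        rec = summary.setdefault(mac, {
            "ips": set(), "records": 0, "first_seen": starts,
            "last_seen": ends, "state": None, "hostname": None,
        })
        rec["ips"].add(ip)
        rec["records"] += 1
        rec["first_seen"] = min(rec["first_seen"], starts)
        if ends >= rec["last_seen"]:  # newest record wins for state/hostname
            rec["last_seen"] = ends
            rec["state"] = _field(body, "binding state")
            host = _field(body, "client-hostname")
            rec["hostname"] = host.strip('"') if host else None
    return summary


def triage(summary, known_macs):
    """Classify each MAC against an inventory of known addresses. An unknown
    MAC that renewed more than once or spans a day or more is 'persistent'."""
    verdicts = {}
    for mac, rec in summary.items():
        if mac in known_macs:
            verdicts[mac] = "known"
        elif rec["records"] > 1 or (rec["last_seen"] - rec["first_seen"]).days >= 1:
            verdicts[mac] = "unknown-persistent"
        else:
            verdicts[mac] = "unknown-transient"
    return verdicts


if __name__ == "__main__":
    s = summarize_leases(SAMPLE_LEASES)
    for mac, verdict in triage(s, known_macs={"00:0c:29:4f:a1:b2"}).items():
        r = s[mac]
        print(f"{mac} {verdict:18} {r['hostname']!s:12} {r['state']:6} "
              f"records={r['records']} first={r['first_seen']:%Y-%m-%d} "
              f"last={r['last_seen']:%Y-%m-%d}")
```

Point it at a real file with `summarize_leases(open("/var/lib/dhcp/dhcpd.leases").read())`. The persistence threshold (more than one record, or a span of at least a day) is a starting point; tune it to your lease length, since a short lease produces many renewal records for a device that was present for only an afternoon.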

Mac Vendor Tells You What Kind of Device

The OUI is not always a reliable identifier — virtual machines randomize their MACs, and some devices spoof the OUI. But it is the fastest first filter:

# Quick OUI lookup using the IEEE database locally
# Or use OpsCheck MAC Vendor Lookup for instant results

# Common OUI patterns:
# 00:1A:79 — Cisco
# 00:15:5D — Hyper-V
# 00:0C:29 — VMware
# 08:00:27 — VirtualBox

Real-World Scenario

A sysadmin noticed an unknown MAC address in the office DHCP leases at 3 AM. The OUI lookup returned "Raspberry Pi Foundation." Nobody in the office owned a Raspberry Pi. Investigation via switch port mapping showed it was connected to a forgotten PoE-powered Raspberry Pi running a network monitor that a previous contractor had set up two years earlier. It had been quietly monitoring SNMP and sending data to a now-defunct dashboard. No breach — just forgotten infra.

Use OpsCheck IP Geolocation to check if the device's IP has been communicating externally, and OpsCheck Port Scanner to see what services it exposes. A device with port 22 open at 3 AM is a different risk profile than one with only port 80 listening during business hours.

# Map the MAC to a switch port (Cisco example)
# show mac address-table | include aabb.ccdd.eeff

# For unmanaged switches, physically trace the cable
# or disable the switch port and see who complains
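The OUI section above lists a few prefixes, and the switch-port command expects the MAC in Cisco's dotted notation, while ARP and DHCP output use colons. The script below is an added example (not the post's or OpsCheck's code) that normalizes a MAC from any of the common notations, emits the dotted form for the `show mac address-table` lookup, and checks the two bits that decide whether an OUI lookup is even meaningful: the multicast (I/G) bit and the locally administered (U/L) bit, which randomized and spoofed addresses set. The OUI table is a small constructed one built from the prefixes in the post plus an assumed Raspberry Pi entry; in practice you would load the IEEE registry export into the same dict.

```python
"""Normalize a MAC address from any common notation, flag randomized or
multicast addresses, and look up the OUI. Added example; not from the post."""
import re

# Small constructed OUI table for the example. The first four entries are the
# prefixes listed in the post; the Raspberry Pi entry is assumed. For real use,
# load the IEEE OUI registry export into a dict keyed by the 6-hex-digit prefix.
OUI_TABLE = {
    "001A79": "Cisco",
    "00155D": "Hyper-V",
    "000C29": "VMware",
    "080027": "VirtualBox",
    "B827EB": "Raspberry Pi Foundation",  # assumed for the example
}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or
    aabbccddeeff; return 12 uppercase hex digits, or None if malformed."""
    mac = mac.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        return None
    digits = re.sub(r"[:.\-]", "", mac).upper()
    return digits if len(digits) == 12 else None


def to_cisco(norm):
    """Dotted form used by 'show mac address-table | include aabb.ccdd.eeff'."""
    n = norm.lower()
    return f"{n[0:4]}.{n[4:8]}.{n[8:12]}"


def classify_mac(mac, table=OUI_TABLE):
    """Return the vendor hint plus the two address bits that decide whether
    an OUI lookup applies at all. Raises ValueError on a malformed address."""
    norm = normalize_mac(mac)
    if norm is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(norm[:2], 16)
    multicast = bool(first_octet & 0x01)  # I/G bit: group address, not a host
    local = bool(first_octet & 0x02)      # U/L bit: not an IEEE-assigned OUI
    result = {
        "mac": ":".join(norm[i:i + 2] for i in range(0, 12, 2)).lower(),
        "cisco": to_cisco(norm),
        "oui": norm[:6],
        "multicast": multicast,
        "locally_administered": local,
        "vendor": None,
        "note": None,
    }
    if multicast:
        result["note"] = "multicast/group address; never a device identity"
    elif local:
        # Randomized privacy MACs, many hypervisors and spoofed addresses set
        # this bit, so the first three bytes are not a registered OUI.
        result["note"] = "locally administered; OUI lookup does not apply"
    else:
        result["vendor"] = table.get(norm[:6], "unknown OUI")
    return result


if __name__ == "__main__":
    # Constructed sample addresses covering the cases above.
    for sample in ["b8:27:eb:12:34:56", "000c.294f.a1b2", "00-15-5D-AA-BB-CC",
                   "da:a1:19:00:11:22", "01:00:5e:00:00:fb", "00:11:22:33:44:55"]:
        r = classify_mac(sample)
        print(f"{r['mac']}  cisco={r['cisco']}  vendor={r['vendor']}  "
              f"local={r['locally_administered']}  note={r['note']}")
```

A large share of "unknown vendor" entries on a modern network are phones and laptops using randomized addresses, which the locally administered check catches before you waste time on a lookup; conversely, a vendor match on a universally administered address is only a hint, since the OUI itself can be spoofed.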

Triage Checklist

  • Look up the OUI — manufacturer gives you a strong device-type hint
  • Check the DHCP lease time — was this a transient device or persistent?
  • Map to a switch port if you have managed switches
  • Scan open ports — a printer on port 9100 is different from an SSH server
  • Check external communication patterns via firewall logs