tcrlansweeper
Engaged Sweeper III

On our asset list we have around 50 of these "webservers" with almost no information. I am not sure what Lansweeper is looking at to get the info or where it comes from. They look like this:

[Screenshot: tcrlansweeper_0-1660329826934.png]

When I visit the associated IP address, it goes to this generic Sophos screen: 

[Screenshot: tcrlansweeper_1-1660329905135.png]

We use a Sophos firewall and have Sophos clients installed on each computer, and the ESMTP makes me think it's something to do with how our Sophos filters emails, but I don't really have much else to go on. I would love it if someone could direct me on how to get some more information on these "webservers."

Thank you!

1 ACCEPTED SOLUTION

It looks like this person had the same issue scanning on a network with a Sophos firewall:
Scanning a public IP shows me my own firewall's information : nmap (reddit.com)

The firewall is acting as an email proxy to ensure all outbound email is scanned. This person disabled the proxy on the firewall to resolve the issue but if you're relying on that for email filtering I would recommend creating exceptions in Lansweeper instead.


16 REPLIES 16
mkhuber1
Engaged Sweeper III

A cause for the MAC address not to show up is if the device is on another subnet or different VLAN

Nisanth
Engaged Sweeper II

Though if a reply packet is received by the host scanning an IP on another subnet/VLAN a MAC address will be associated with that packet, even if that address has been altered to mask the source device. Haven't seen a switch or firewall normally forward packets without source MAC address but I figure it's possible.

Would there be any other way to figure out the MAC address since Advanced IP Scanner isn't finding anything?

My mistake on this, scanning with tools like Advanced IP Scanner won't show MAC addresses for IPs on different subnets/VLANs per mkhuber1. That info needs to be pulled from routers or switches that route that subnet/VLAN, so try the below per mkhuber1's other post:

"When I run into "unknowns" like this I use the ARP cache on a router or core switch to find the MAC Address and then lookup that MAC to find the NIC manufacturer."

RCorbeil
Honored Sweeper II

From your screencap, I'd guess that the device is being identified as a web server because it's running an FTP server. When you try to visit the IP address, you're likely using a web browser and trying to connect to an HTTP server, which the device isn't running, so it's no surprise you can't connect. Try using an FTP client and you should get a response. (If you can't do it from the command line, grab a copy of FileZilla.)

Update: I wasn't able to connect to an FTP server through FileZilla or cmd; the connection just times out every time. Thanks for the suggestion.

mkhuber1
Engaged Sweeper III

When I run into "unknowns" like this I use the ARP cache on a router or core switch to find the MAC Address and then lookup that MAC to find the NIC manufacturer.

Sometimes the NIC manufacturer is enough to give some kind of clue about the device.

Thank you, I will try to figure out how to do this

Also check if the associated IPs belong to your computers that have the Sophos client installed on them. Though I can't see why a client would have a running and open?? SMTP service.

Now that I think of it, if I recall correctly from the one time that I scanned network subnets on a network that had a Sophos firewall, it returned odd results for IP addresses/subnets that couldn't be scanned - possibly similar results to what you're seeing where it was showing an FTP or SMTP service on those IP addresses. Try scanning your subnets using a tool like Advanced IP Scanner. If you see similar results it's most likely caused by a configuration on the Sophos firewall.
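
The accepted solution and the last reply both describe a firewall proxy answering scans on behalf of other addresses. The following is an added example, not code from any poster or from Lansweeper: a Python triage pass that groups scanned IPs by identical open ports and banners, so a block of phantom assets stands out before exceptions are created. The row layout, function names, IPs and banner strings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like an exported scan result. IPs are from
# documentation ranges and the banners are made up for this example.
SCAN_ROWS = [
    {"ip": "198.51.100.11", "mac": None, "banners": {21: "220 FTP service ready", 25: "220 ESMTP ready"}},
    {"ip": "198.51.100.12", "mac": None, "banners": {21: "220 FTP service ready", 25: "220 ESMTP ready"}},
    {"ip": "198.51.100.13", "mac": None, "banners": {21: "220 FTP service ready", 25: "220 ESMTP ready"}},
    {"ip": "198.51.100.40", "mac": None, "banners": {}},  # no response at all
    {"ip": "192.0.2.5", "mac": "02:00:00:aa:bb:01", "banners": {25: "220 mail01.example.test ESMTP"}},
    {"ip": "192.0.2.6", "mac": "02:00:00:aa:bb:02", "banners": {80: "HTTP/1.1 200 OK"}},
]


def fingerprint(row):
    """Ports plus whitespace-normalised banners, as a hashable key."""
    return tuple(sorted((port, " ".join(text.split())) for port, text in row["banners"].items()))


def proxy_suspects(rows, min_hosts=3):
    """Group IPs whose open ports and banners are identical.

    Many addresses answering with the same banners is what you would expect
    when one intermediary device answers on their behalf.
    """
    groups = defaultdict(list)
    for row in rows:
        if row["banners"]:  # skip hosts that returned nothing
            groups[fingerprint(row)].append(row)

    suspects = []
    for key, members in groups.items():
        if len(members) < min_hosts:
            continue
        suspects.append({
            "ports": [port for port, _ in key],
            "ips": sorted(m["ip"] for m in members),
            # Supporting signal only: a MAC is also missing for any host
            # scanned across a router, as noted in the thread.
            "all_without_mac": all(not m["mac"] for m in members),
        })
    return suspects


if __name__ == "__main__":
    for s in proxy_suspects(SCAN_ROWS):
        print(f"ports {s['ports']}: {len(s['ips'])} IPs share identical banners "
              f"(all without MAC: {s['all_without_mac']}) -> {', '.join(s['ips'])}")
```

A flagged group is a lead to check against the firewall's proxy configuration, not proof; real hosts built from the same image can also return identical banners.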