How to find the IP address of an access point that I'm connected to?

Solution 1:

(Assuming Linux system) Once you have the MAC address of the AP, e.g. via iwconfig:

$ iwconfig eth1

eth1     IEEE 802.11g  ESSID:"OSU_PUB"  
         Mode:Managed  Frequency:2.427 GHz  Access Point: 00:0D:9D:C6:38:2D
         Bit Rate=48 Mb/s   Tx-Power=20 dBm   Sensitivity=8/0  
         Retry limit:7   RTS thr:off   Fragment thr:off
         Power Management:off
         Link Quality=91/100  Signal level=-39 dBm  Noise level=-87 dBm
         Rx invalid nwid:0  Rx invalid crypt:860  Rx invalid frag:0
         Tx excessive retries:0  Invalid misc:39   Missed beacon:8

The AP has hw addr 00:0D:9D:C6:38:2D so you can use tcpdump to sniff for traffic from that hardware address, which usually will reveal the IP address of it as the source sooner or later:

$ tcpdump -i eth1 -s 0 -v -n ether host 00:0D:9D:C6:38:2D

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:15:49.106475 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 (00:0D:9D:C6:38:2D) tell 192.168.1.2, length 28

If the AP responds to broadcast pings you could probably send a broadcast ping to its specific MAC address to elicit a reply, but there doesn't seem to be a tool capable of doing that.

Solution 2:

I suppose you can turn on the promiscuous mode of your wireless card and start Wireshark (http://www.wireshark.org/). That way you will likely be able to discover the subnet of the network.

When you see a TCP packet like this...

0000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
0010 xx xx xx xx xx xx xx xx xx c0 a8 01 01 c0 a8 01
0020 02 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
0030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

the c0 a8 01 01 = 192.168.1.1 and the c0 a8 01 02 = 192.168.1.2....
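Solutions 1 and 2 rely on the same fact: once the AP's MAC address is known, its IPv4 address appears at fixed offsets in the frames it sends, most reliably in the sender fields of its own ARP replies. The script below is an added example, not code from either answer: it decodes Ethernet/ARP/IPv4 frames (the offsets Solution 2 reads out of the hex dump), rebuilds bytes from a Wireshark- or tcpdump-style hex dump, and builds a MAC-to-IP table from a constructed sample capture. Every MAC, IP and frame in it is made up for the example; only AP_MAC matches the iwconfig output above. It also shows why the tcpdump approach works only "sooner or later": a gateway forwards traffic for remote hosts under its own MAC, so IPv4 source addresses from that MAC are weak evidence and are kept apart from ARP-confirmed ones (optionally filtered to the local subnet).

```python
"""Learn an access point's IPv4 address from frames it sends (Python 3, stdlib only)."""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional, Set

# Constructed addresses for the example; only AP_MAC matches the iwconfig output above.
AP_MAC = "00:0d:9d:c6:38:2d"
CLIENT_MAC = "02:00:00:00:00:01"
ETH_IPV4, ETH_ARP = 0x0800, 0x0806


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def build_ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Ethernet II + minimal IPv4 header (checksum left zero; enough for address extraction)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip_hdr + payload


def build_arp_frame(src_mac: str, dst_mac: str, opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + ARP (opcode 1 = request, 2 = reply)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, opcode,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP) + arp


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from a Wireshark ('0010  c0 a8 ...') or tcpdump -xx ('0x0010:  c0a8 ...') dump."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:            # first token on each line is the offset
            if len(tok) not in (2, 4) or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                           # ASCII column or decoration: done with this line
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Pull link- and network-layer addresses out of one Ethernet frame (None if too short)."""
    if len(frame) < 14:
        return None
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETH_IPV4 and len(frame) >= 34:
        # After the 14-byte Ethernet header the IPv4 source sits at bytes 26..29, destination at 30..33
        info["src_ip"], info["dst_ip"] = ip_str(frame[26:30]), ip_str(frame[30:34])
    elif info["ethertype"] == ETH_ARP and len(frame) >= 42:
        info["arp_op"] = struct.unpack("!H", frame[20:22])[0]
        info["sender_mac"], info["sender_ip"] = mac_str(frame[22:28]), ip_str(frame[28:32])
        info["target_ip"] = ip_str(frame[38:42])
    return info


def learn_addresses(frames: Iterable[bytes]) -> Dict[str, Dict[str, Set[str]]]:
    """MAC -> {'arp': IPs the MAC claimed in ARP sender fields, 'ip': IPs seen as IPv4 source}."""
    table: Dict[str, Dict[str, Set[str]]] = {}
    for raw in frames:
        f = parse_frame(raw)
        if not f:
            continue
        if "sender_ip" in f and f["sender_ip"] != "0.0.0.0":   # 0.0.0.0 = ARP probe, claims nothing
            # Strongest evidence: the host itself says "this IP belongs to this MAC"
            table.setdefault(f["sender_mac"], {"arp": set(), "ip": set()})["arp"].add(f["sender_ip"])
        elif "src_ip" in f:
            table.setdefault(f["src_mac"], {"arp": set(), "ip": set()})["ip"].add(f["src_ip"])
    return table


def ap_ip_candidates(frames: Iterable[bytes], ap_mac: str,
                     local_net: Optional[str] = None) -> Dict[str, List[str]]:
    """Candidate IPs for the AP. A gateway forwards frames for remote hosts under its own MAC, so
    IPv4 source addresses are weak evidence; restrict them to the local subnet when it is known."""
    entry = learn_addresses(frames).get(ap_mac.lower(), {"arp": set(), "ip": set()})
    weak = entry["ip"] - entry["arp"]
    if local_net:
        net = ipaddress.IPv4Network(local_net, strict=False)
        weak = {ip for ip in weak if ipaddress.IPv4Address(ip) in net}
    return {"confirmed": sorted(entry["arp"]), "seen_as_source": sorted(weak)}


# Constructed sample capture: the ARP request from the tcpdump output above, the AP's reply, and
# two IPv4 frames from the AP's MAC (one forwarded from a remote host, one the AP's own traffic).
SAMPLE_FRAMES = [
    build_arp_frame(CLIENT_MAC, "ff:ff:ff:ff:ff:ff", 1, CLIENT_MAC, "192.168.1.2",
                    "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(AP_MAC, CLIENT_MAC, 2, AP_MAC, "192.168.1.1", CLIENT_MAC, "192.168.1.2"),
    build_ipv4_frame(AP_MAC, CLIENT_MAC, "203.0.113.7", "192.168.1.2"),   # forwarded, remote source
    build_ipv4_frame(AP_MAC, CLIENT_MAC, "192.168.1.1", "192.168.1.2"),   # AP-originated (e.g. DNS)
]

if __name__ == "__main__":
    print(ap_ip_candidates(SAMPLE_FRAMES, AP_MAC, "192.168.1.0/24"))
```

The script deliberately contains no capture code: feed it raw frames from whatever capture library you already use, or paste a hex dump copied out of Wireshark into parse_hexdump and hand the result to parse_frame. Without the local_net filter the forwarded 203.0.113.7 shows up under seen_as_source, which is exactly the kind of false lead a raw tcpdump session produces before an ARP exchange settles the question.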

Solution 3:

The simplest way is usually to do netstat -rn and see what the default gateway is set to -- 99.9% of the time, that will be your access point's IP address. And it works on Linux, OS X or Windows.
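The default-route check above is easy to script, but the three platforms print the routing table in different layouts. The following parser is an added example, not code from the answer: it takes constructed netstat -rn output (not from any real host) in the Linux net-tools, macOS/BSD and Windows layouts and returns the IPv4 default gateway together with the interface the route goes over. The interface is worth checking before trusting the result, since a VPN or wired link on the same host can supply a default route that has nothing to do with the wireless AP.

```python
"""Find the IPv4 default gateway in netstat -rn output (Python 3, stdlib only)."""
import re
from typing import Optional

IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}")

# Constructed netstat -rn output in the three layouts the answer mentions; not from a real host.
NETSTAT_LINUX = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
"""
NETSTAT_MACOS = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
127                127.0.0.1          UCS            lo0
192.168.1          link#5             UCS            en0

Internet6:
Destination        Gateway            Flags        Netif Expire
default            fe80::%utun0       UGcI          utun0
"""
NETSTAT_WINDOWS = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2     25
      192.168.1.0    255.255.255.0         On-link      192.168.1.2    281
"""


def default_gateway(text: str) -> Optional[dict]:
    """Return {'gateway', 'iface'} for the first IPv4 default route, or None if there is none.

    Layouts: Linux net-tools (destination 0.0.0.0, Iface column), macOS/BSD ('default', Netif
    column) and Windows (destination and netmask 0.0.0.0, interface given as its own IP)."""
    header = None
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if "Destination" in cols and "Gateway" in cols:
            header = cols                      # remember column names for this table section
            continue
        if cols[0] == "default" and header and "Netif" in header and IPV4.fullmatch(cols[1]):
            return {"gateway": cols[1], "iface": cols[header.index("Netif")]}
        if cols[0] == "0.0.0.0" and len(cols) >= 3:
            if header and "Iface" in header and IPV4.fullmatch(cols[1]):
                return {"gateway": cols[1], "iface": cols[header.index("Iface")]}
            if cols[1] == "0.0.0.0" and len(cols) >= 4 and IPV4.fullmatch(cols[2]):
                return {"gateway": cols[2], "iface": cols[3]}
    return None


if __name__ == "__main__":
    for name, out in (("linux", NETSTAT_LINUX), ("macos", NETSTAT_MACOS), ("windows", NETSTAT_WINDOWS)):
        print(name, default_gateway(out))
```

On a live host pipe the real command through it (for instance `subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout`); the IPv6 "Internet6:" section on macOS is skipped because its gateway does not match the IPv4 pattern, so the function never confuses a link-local IPv6 gateway with the AP.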