http://www.perlmonks.org?node_id=68380

magoo has asked for the wisdom of the Perl Monks concerning the following question:

If I have a remote IP address, how could I resolve it to find the corresponding MAC address ? Thanks.

Replies are listed 'Best First'.
Re: How can I find a MAC address from aremote IP ?
by arhuman (Vicar) on Mar 30, 2001 at 19:06 UTC

    NetPacket::ARP should be able to do the job...
    or using `arp -a` and a regex (dirty but works on unix and windows...)

    (It may be useful to ping the host before using arp
    to refresh the arp table in the case the entry is not present)


    "Only Bad Coders Badly Code In Perl" (OBC2IP)
      Hmm.. You sure arp works on a distant remote IP?
      From memory, it's only local subnet.
      Plus, I don't think you get a valid MAC address from a PPP link either.

        Nothing is going to tell you the MAC address of something that is not within your local broadcast domain! You'd have to get some code to run in the local broadcast domain of the remote IP address and have it forward you the information.

        And PPP links don't have MAC addresses. A MAC address is an Ethernet thing and you don't run PPP over Ethernet.

        So I would assume that the original question was asking for a MAC address of an Ethernet (and non-PPP) adapter that was not local to the computer but that was in the local broadcast domain -- nothing else makes much sense. So ARP is the most logical answer.

                - tye (but my friends call me "Tye")
        Oops ! You're right arp will only work with local IP addresses...
        (I always forget to mention...)

        "Only Bad Coders Badly Code In Perl" (OBC2IP)
Re: How can I find a MAC address from aremote IP ?
by ChOas (Curate) on Mar 30, 2001 at 19:03 UTC
    Hey

    I don`t know how deep Perl can go under the IP stack
    but just one comment:

    If you are looking at a remote IP the only source MAC
    address you will find on that packet is the one of the
    last router/host/hop it went through...

    I hope that is what you are looking for, coz it wont
    get any better than that

    GreetZ!,
      ChOas

    print "profeth still\n" if /bird|devil/;
      I have a similar problem. Somewhere on our network there is a RAS that's bugging my SCO UNIX box every few seconds. The result is the bootp program filling the syslog with error messages about a bad address from this MAC address. The address is 52.41.53... and that's a RAS. But I can't find this offending device by the MAC address. I found some software that hunts down all the MAC addresses on my subnet, but no further. Any suggestions?
        Total non Perl reply, but just a reply to try and help you:
        There is no way that you can find MAC addresses outside
        your subnet, in fact,all ARP and RARP requests are
        limited to the segment(s) you`re in...(searching from)


        GreetZ!,
          ChOas

        print "profeth still\n" if /bird|devil/;
      im really sorry i have no idea about it but if u want any info abt ip address just visit this site http://www.ip-details.com
Re: How can I find a MAC address from aremote IP ? (MAC n' IP cheese)
by ybiC (Prior) on Mar 30, 2001 at 22:47 UTC
    As wise monks have already stated above:
    • arp only works for IP address from your local (segment|subnet|broadcast domain)
    • if you try to arp-resolve an IP address from a different subnet, the resulting MAC address will be that of the router interface nearest you.
    • MAC addresses are an Ethernet (not PPP) thang
    Token-Ring and FDDI devices also have MAC addresses but, IIRC, you get into (big|little)-endian stuff there.   Arcnet and Appletalk used their own funkomatic hardware addressing schemes.

    If you are indeed looking for the MAC address of a local-to-your-LAN-segment device, (code) MAC n' IP cheese includes code of OWTDI.
        cheers,
        Don
        bumbling toward Perl Adept
        (it's pronounced "why-bick")

    Update: I was thinking of IPv4 only.   As lhoward points out, IPv6 is substantially different.

    Update 2: Working from riffraff's Re: Re: Re: How can I find a MAC address from aremote IP ? post above, I found that (code) MAC n' IP cheese can work for remote segments just by replacing the "Querying ARP table..." section with snmpwalk <router_name_or_address> <community_string> IpnetToMediaPhysAddress

    Woo-hoo!   8^)

Re: How can I find a MAC address from aremote IP ?
by lhoward (Vicar) on Mar 30, 2001 at 22:32 UTC
    I can think of a few ways, but they're kind of out there and won't work most of the time:
    • If the remote box is running SNMP and you know its community string you can SNMP poll it to get its mac address
    • If the entire path from you to the remote host is IPv6 and not IPv4, the boxes MAC address is part of its IPv6 address by default (this can easily be overridden).
    Why do you need the remote box's MAC address? If you're trying to use MAC address to uniquely identify users or something like that MAC (or any type of network address) is not the way to do it.
      Sometimes I need to locate quickly a computer in the buidling and the only information I have at first, is the IP address (and most of the time, it's a DHCP IP address, so there is many places possible it could be).

      With the MAC address, it's easy to locate on which port of a switch it is plugged. And when i know on which port of the switch it is plugged, I know where in the building the computer is. There's many switchs and routers, so I wanted to have a little perl script which would quickly gather all the informations on a machine.

      I think my problem is more how to use SNMP to get what I want than a Perl one. Net::SNMP seems the way to do it. I just need to find how, but that's not a perl issue now :)

        On the other hand, there is a mac address to ip address mapping in snmp mib variables (as long as your switch supports it). Without looking it up, it might be something like PhysAddrToInetAddr. ....

        Nope, wait, after just looking it up, ip.ipNetToMediaTable.ipNetToMediaEntry.* is what you want.

        snmpwalk <switchname> <communityname> IpNetToMediaEntry

        Will list all (I believe) ports, which ip address is on that port, and which mac address is associated with that ip address.

        That could help, I guess.

        riffraff

        Sounds to me like you have 2 possible angles to attack this problem:
        • use SNMP to query the switches to see which IP is on which port. Its been a long time since I've written an SNMP poll for a switch, but if I remmember right I think the info you want is in the Bridge MIB.
        • The static IP's should be pretty easy to locate. For the dynamics you could query the DHCP server(s) to see what MAC a particular IP is assigned to. This may or may not be doable (and may or may ont be doable via SNMP), it depends on the capability of your DHCP server.
Re: How can I find a MAC address from aremote IP ?
by Anonymous Monk on Jan 08, 2003 at 14:03 UTC
    i only know how to do it in dos... "nbtstat -a remote_ip" or "nbtstat -A remote_host"

      Nope, that's not DOS, that's Windows. And it simply does not work. It asks the remote host via Microsoft propritary protocols for its MAC address. Already a simple samba server simply responds with a faked MAC of 00-00-00-00-00-00, and if the host does not respond to MS protocols, it returns "host not found":

      Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. H:\>nbtstat -a enterprise Local Area Connection: Node IpAddress: [192.168.1.20] Scope Id: [] NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- ENTERPRISE <00> UNIQUE Registered ENTERPRISE <03> UNIQUE Registered ENTERPRISE <20> UNIQUE Registered ENTERPRISE <00> UNIQUE Registered ENTERPRISE <03> UNIQUE Registered ENTERPRISE <20> UNIQUE Registered ..__MSBROWSE__.<01> GROUP Registered XXXXX <1D> UNIQUE Registered XXXXX <1B> UNIQUE Registered XXXXX <1C> GROUP Registered XXXXX <1E> GROUP Registered XXXXX <00> GROUP Registered XXXXX <1D> UNIQUE Registered XXXXX <1B> UNIQUE Registered XXXXX <1C> GROUP Registered XXXXX <1E> GROUP Registered XXXXX <00> GROUP Registered MAC Address = 00-00-00-00-00-00 H:\>nbtstat -a galileo7 Local Area Connection: Node IpAddress: [192.168.1.20] Scope Id: [] Host not found. H:\>ping galileo7 Pinging galileo7.xxxxx.xxx [192.168.1.1] with 32 bytes of data: Reply from 192.168.1.1: bytes=32 time<10ms TTL=64 Reply from 192.168.1.1: bytes=32 time<10ms TTL=64 Reply from 192.168.1.1: bytes=32 time<10ms TTL=64 Reply from 192.168.1.1: bytes=32 time<10ms TTL=64 Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms H:\>

      Reading the ARP cache can help here, but you must have communicated with a host before its MAC is in the ARP cache:

      H:\>arp -a Interface: 192.168.1.20 on Interface 0x1000003 Internet Address Physical Address Type 192.168.1.1 00-12-17-XX-XX-4e dynamic 192.168.1.10 00-08-54-XX-XX-d8 dynamic 192.168.1.12 00-01-e6-XX-XX-41 dynamic H:\>

      The same trick also works on Linux:

      $ /sbin/arp -v Address HWtype HWaddress Flags Mask + Iface 192.168.1.20 ether 00:1e:90:XX:XX:c3 C + br0 galileo7.xxxxx.xxx ether 00:12:17:XX:XX:4e C + br0 Entries: 2 Skipped: 0 Found: 2 $ /sbin/arp -v -n Address HWtype HWaddress Flags Mask + Iface 192.168.1.20 ether 00:1e:90:XX:XX:c3 C + br0 192.168.1.1 ether 00:12:17:XX:XX:4e C + br0 Entries: 2 Skipped: 0 Found: 2

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

        Note that you can not and will never see google or perlmonks in the ARP listings. All internet traffic goes through galileo7 (192.168.1.1). So, on a MAC level, all my machines just have to know that they have to ask galileo7 to deliver packets to the rest of the world.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)