http://www.perlmonks.org?node_id=91820


in reply to MAC Address and NIC Device on Network.

One groovy trick to get everyone to arp to ya is to ping the broadcast address. Many boxen will respond to one of these. Oh and a much better listing of Ethernet vender codes can be appropirated from....

http://www.cavebear.com/CaveBear/Ethernet/vendor.html
  • Comment on Re: MAC Address and NIC Device on Network.

Replies are listed 'Best First'.
Re: Re: MAC Address and NIC Device on Network.
by jepri (Parson) on Jun 27, 2001 at 09:50 UTC
    All boxen that implement the TCP/IP protocol must respond. Even windows machines manage it.

    You can catch the return packets with Net::Packet (Update: It's NetPacket, not Net::Packet, available from CPAN, runs under windows with the pcap library), if you have root access. I have a little proggie that does this if you are interested. Actually it sits there and silently matches ethernet addresses to IPs, and identifies gateways and routers from that data.

    For extra humour during a boring afternoon, ping flood the broadcast address and watch the network admin go into spasms.

    ____________________
    Jeremy
    I didn't believe in evil until I dated it.

[reply]

      Or just parse `arp -a`.

      Update: The original question seems clearly to be about Windows, which does come with "arp" (I think Win2K was mentioned in the chatterbox). Your mention of "root access" makes me wonder whether Net::Packet will work on Win2K, but I don't find it on CPAN so I didn't go any further trying to check that out.

      I didn't say the method that I mentioned was the only way, of course.

      Update2: Thanks for the clarifications, jepri. I can still roll code to parse `arp -a` faster than I can download NetPacket and pcap much less install them and get them working (heck, nearly faster than I can find NetPacket given how slow http://search.cpan.org/ is these days). So if all I'm interested in the MAC addresses, I'll stick with arp output unless I've already gotten NetPacket working for other reasons.

      But I didn't reply to criticize your suggestion. I just waited a while and noted that no one else had mentioned "arp -a" yet so I thought it should be part of the thread. So I decided to post it in reply a node that mentioned something acurate and your fact about all TCP/IP stacks having to support ARP won. (:

              - tye (but my friends call me "Tye")
[reply]
[d/l]
[select]
        Works if you have arp. Why go outside Perl when there's a nice module that does what you want? The interface is nicer too.

        Finally arp will only return the IP number of the interface, whereas you can get so much more information with a little bit of sniffing.

        ____________________
        Jeremy
        I didn't believe in evil until I dated it.

[reply]
[d/l]
Re: Re: MAC Address and NIC Device on Network.
by fs (Monk) on Jun 27, 2001 at 17:37 UTC
    That's something to be careful with - anyone who pulled a stunt like that on my network would get the plug pulled on their connection in a heartbeat, and not just because it happens to be the first step of several DoS attacks. It's also not the most reliable method:
    • A machine's arp cache is only of finite size, so you can only capture so many addresses
    • Since every machine will be answering all at once, there's a very good chance that some of the replies will just get dropped
    • Any machines that are behind a router, will simply appear with the routers mac address if the router even passes the packet at all.
    The approach of running a prog on each station that reports back the mac to a central server is probably the most reliable and network-friendly way to go.
[reply]

In Section Seekers of Perl Wisdom