RE: mac to ip address tools

From: Dario Ciccarone (dciccaro) (dciccaro_at_cisco.com)
Date: 10/26/05

  • Next message: arif.jatmoko_at_sea.ccamatil.com: "Re: mac to ip address tools"
    Date: Tue, 25 Oct 2005 23:58:57 -0400
    To: "kukulkan" <ismandya@sains.com.my>, "Chris Moody" <chris@siliconhotrod.com>
    
    

    You didn't really frame your question - but let's give it a shot.

    You received a bunch of answers about how to find out MAC<->IP pairings
    in your broadcast domain (I assume you're interested in learning
    MAC-to-IP pairings on the same L2 your machine is located). Some
    suggested arping, some arpwatch, etc. The easiest way? Sniff.

    Say host A on your net is trying to communicate with host B. Host A
    needs to know the MAC address for host B (or the MAC address for the
    default gateway, if B not located on the same L2/L3 network). So he will
    send out an ARP request. ARP replies are no good for you - those are
    unicast to the host asking. But hey, a host ARPing for a other host
    sends a broadcast - including *his* IP address. And the MAC is obviously
    his MAC. And you do get broadcast. So, listen to ARP requests, and
    sooner or later (when a host tries to communicate with other and doesn't
    know his MAC, or when its refreshing its ARP cache), you will learn all
    MAC-to-IP pairs. Even if the host never tries to contact hosts on his
    same L2/L3 network, it has to ARP for the default gw MAC. This is the
    answer to your original question.

    About 100 machines using the same MAC address: two possibilities, out of
    the top of my mind. Either the MAC belongs to a router on the same L2
    network, which is doing proxy-arp for those machines (machines that
    aren't really located on your L2 network), or those machines are, again,
    in another network, and the host answering ARP requests for them is a
    firewall - which would then filter/NAT/rate-limit/do whatever he has to
    do with the packet before forwarding it to the real host.

    Other things to keep in mind: pairing between MAC/IP can change - while
    both HSRP and VRRP use a virtual MAC address, shared between all routers
    on the same HSRP/VRRP group (and hence, no changes on the MAC address if
    one of them takes over a failed one), GLBP (AFAIR) can reply to
    different ARP requests with different MAC addresses. Also check for MS
    MNLB. CheckPoint firewalls used to use multicast MAC addresses for
    firewalls in a cluster configuration.

    Good luck
    Dario

    > -----Original Message-----
    > From: kukulkan [mailto:ismandya@sains.com.my]
    > Sent: Tuesday, October 25, 2005 8:45 PM
    > To: Chris Moody
    > Cc: Glyn Geoghegan; pen-test@securityfocus.com
    > Subject: Re: mac to ip address tools
    >
    > yeah. There are about 500-600 machines in this place, I say
    > this because
    > these are the registered machines. What about those not registered?
    > there is one thing that bother them is that when we tried to
    > use arp it
    > seems that they are about 100 machines with the same mac address.
    > Wonder could this be the the machines here have been poisoned?
    >
    > Chris Moody wrote:
    >
    > > The biggest problem with your question lies in topology
    > restrictions.
    > >
    > > Unless you have a host system in the broadcast domain (aka
    > subnet) of
    > > the host ip in question, all your arp responses will be that of the
    > > gateway enroute to the end host.
    > >
    > > You'll get -very- skewed results if you're trying to map say...1000
    > > machines (most of which live on different subnets) and see
    > nothing but
    > > the MAC of your router as the resolved address.
    > >
    > > For something enterprise wide, you will need to look at scripting a
    > > arp cache harvesting mechanism. This can report back the
    > REAL mac to
    > > ip mapping for the host system.
    > >
    > > Contact me offline for more information on how to accomplish this.
    > >
    > > -Chris
    > >
    > > Glyn Geoghegan wrote:
    > >
    > >> arp -a
    > >>
    > >> -- G l y n G e o g h e g a n
    > >>
    > >>
    > >> On 25 Oct 2005, at 10:48, kukulkan wrote:
    > >>
    > >>> Hi list,
    > >>>
    > >>> Need help. Is there any open source tools linux or windows, that
    > >>> when given a MAC address, the list(s) of IP address can
    > be obtained?
    > >>>
    > >>> kukulkan
    > >>>
    > >>>
    > >>>
    > --------------------------------------------------------------
    > --------
    > >>> --------
    > >>> Audit your website security with Acunetix Web
    > Vulnerability Scanner:
    > >>> Hackers are concentrating their efforts on attacking
    > applications
    > >>> on your website. Up to 75% of cyber attacks are launched on
    > >>> shopping carts, forms, login pages, dynamic content etc.
    > Firewalls,
    > >>> SSL and locked-down servers are futile against web application
    > >>> hacking. Check your website for vulnerabilities to SQL
    > injection,
    > >>> Cross site scripting and other web attacks before hackers do!
    > >>> Download Trial at:
    > >>>
    > >>> http://www.securityfocus.com/sponsor/pen-test_050831
    > >>>
    > --------------------------------------------------------------
    > --------
    > >>> ---------
    > >>>
    > >>>
    > >>
    > >>
    > >>
    > --------------------------------------------------------------
    > ----------------
    > >>
    > >> Audit your website security with Acunetix Web
    > Vulnerability Scanner:
    > >> Hackers are concentrating their efforts on attacking
    > applications on
    > >> your website. Up to 75% of cyber attacks are launched on shopping
    > >> carts, forms, login pages, dynamic content etc. Firewalls, SSL and
    > >> locked-down servers are futile against web application
    > hacking. Check
    > >> your website for vulnerabilities to SQL injection, Cross site
    > >> scripting and other web attacks before hackers do!
    > Download Trial at:
    > >>
    > >> http://www.securityfocus.com/sponsor/pen-test_050831
    > >>
    > --------------------------------------------------------------
    > -----------------
    > >>
    > >>
    > >>
    > >
    >
    >
    > --------------------------------------------------------------
    > ----------------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    >
    > Hackers are concentrating their efforts on attacking
    > applications on your
    > website. Up to 75% of cyber attacks are launched on shopping
    > carts, forms,
    > login pages, dynamic content etc. Firewalls, SSL and
    > locked-down servers are
    > futile against web application hacking. Check your website
    > for vulnerabilities
    > to SQL injection, Cross site scripting and other web attacks
    > before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > --------------------------------------------------------------
    > -----------------
    >

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------


  • Next message: arif.jatmoko_at_sea.ccamatil.com: "Re: mac to ip address tools"

    Relevant Pages

    • Re: All I have is the MAC address which are on our LAN so no routers are involved.
      ... echo Clearing ARP Cache ... an IP on MAC How to use TCP/IP without installing a NIC. ... How to Setup Windows, Network, VPN & Remote Access on = ... Anyway now I have the list of machines with MAC and IP, ...
      (microsoft.public.windowsxp.network_web)
    • Re: Re: All I have is the MAC address which are on our LAN so no routers are involved.
      ... addresses and then check the arp cache with "arp -a". ... an IP on MAC How to use TCP/IP without installing a NIC. ... How to Setup Windows, Network, VPN & Remote Access on = ... Anyway now I have the list of machines with MAC and IP, ...
      (microsoft.public.windowsxp.network_web)
    • Re: Translate MAC address to IP address
      ... >> every packet and counts traffic volume by source and destination MAC. ... with a bunch of gateway machines on it. ... results from the local ARP table. ...
      (freebsd-net)
    • Re: mac to ip address tools
      ... >Say host A on your net is trying to communicate with host B. Host A ... >needs to know the MAC address for host B (or the MAC address for the ... >About 100 machines using the same MAC address: ... and the host answering ARP requests for them is a ...
      (Pen-Test)
    • Re: Separate IP address for VPC and MAC
      ... > to the MAC from which they came, but that there's no provision for such ... Basic ARP on Ethernet goes like this: ... Host 1 sends out an ARP request asking for the MAC address associated ... The scope of the broadcast domain is the IP subnet. ...
      (microsoft.public.mac.virtualpc)