#26709 - 2002-08-08 01:21 PM
Find IP / netbios name from a MAC address?
|
Peter Fry
Getting the hang of it
Registered: 2001-07-23
Posts: 95
Loc: Bristol UK
|
is it possible to find a ip address or netbios name from a MAC address on an network with NT and 2K boxes?
basically we have some network switches that report the mac address of the machines that are connected to each port and i want to find out which machines they are with out following the lead.
Regards
Pete
|
Top
|
|
|
|
#26710 - 2002-08-08 02:04 PM
Re: Find IP / netbios name from a MAC address?
|
Breaker
Hey THIS is FUN
Registered: 2001-06-15
Posts: 268
Loc: Yorkshire, England
|
Sadly, Windows NT/2000 doesn't have its own implementation of RARP, which you would use to do this MAC to IP resolution. This is a quote from The Mole, taken from TechNet: quote: TCP/IP uses the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) to initialize the use of Internet addressing on an Ethernet or other network that uses its own media access control (MAC). ARP allows a host to communicate with other hosts when only the Internet address of its neighbors is known. Before using IP, the host sends a broadcast ARP request containing the Internet address of the desired destination system. Within the ARP/RARP header structure is the sender’s hardware address (i.e. the MAC address of the network interface card) and the sender’s IP address. That’s the thing that you want, Eric – the protocol address. Anyone who is running Windows NT can issue an ‘ARP’ command from the command prompt. For example, executing ‘arp –a’ will display the ARP cache on that computer. Here’s an example (addresses changed to protect . . . blah blah blah . . . ) Interface: 159.33.187.112 on Interface 2 Internet Address Physical Address Type 159.33.185.1 00-e0-24-ce-77-68 dynamic 159.33.188.140 00-70-c7-52-69-d6 dynamic Note that there’s a corresponding column for the Physical Address (i.e. the MAC address) – yes – the Internet – or IP – address! THAT’s what you want, Eric. Sounds simple enough, but Mole is afraid there’s no such utility similar to ARP that he can point you to that can be ran from the command line and does a reverse ARP lookup, even though it’s right there in the protocol stack. Mole is at a loss to explain why there isn’t one, to be honest. Mole has dug high and low, and even though this question has been around for many years (see RFC 903), the best that Mole can do for you is offer some approaches that you can take, and here they are in order of preference: 1. Using a network sniffer/analyzer, sniff the wire by filtering on the MAC address, ARP, and RARP. Observe the associated IP address. 2. Instead of scrounging around to find out the IP address associated with a known MAC address, why not circumvent that whole thing by assigning an IP address to that MAC via DHCPCMD, and then you'd have everything you need. You can get the NetBIOS name by pinging that IP address. The big assumption here is that the customer is using DHCP, of course. The following is an example that reserves IP address 11.101.13.53 in the 11.101.0.0 scope to a client with a hardware address of 08002B30369B: dhcpcmd AddReservedIP 11.101.0.0 11.101.13.53 08002B30369B Then, just issue a ping: ping -a 11.101.13.53 to get the NetBIOS name. The one obvious drawback to this would be that you’d have to reboot that machine before the assigned IP address would take effect. 3. Identify the subnet that this offending NIC/computer is on. Write a batch file that pings every machine on the subnet. Look at the ARP cache. Mole doesn’t really recommend this approach, as it is pretty lame. But it could be one way to do it. That’s it from the Mole. No need to over-engineer a solution: Just sniff the wire, get the IP address, and you’re done.
So there you have it - assigning the IP might be a way to go, but it sounds long winded if you have a lot of addresses you want to trace!
If I can think of another way/come up with something else I'll post it here, but I fear your search may be fruitless.
-Breaker
_________________________
================================================ Breaker
|
Top
|
|
|
|
#26715 - 2002-08-09 03:38 AM
Re: Find IP / netbios name from a MAC address?
|
BoxKite
Da Box
Registered: 2000-05-17
Posts: 282
Loc: Vacaville,CA,USA
|
Sealeopard has the right idea, but I don’t think of it as cheating. My solution is a little more elaborate, and more costly. Each computer will create a 1k file. One thousand files, one thousand entries in the FAT or DNFS. But, it does give me what I want.
1. Create a shared location (add a $ to hide the share name) on your domain. Give domain members write permission in the share$ and physical location.
Put this code in your log on script:
code:
shell "%comspec% /c echo @wksta,@address,@ipaddress0 > \\servername\sharename$\_@wksta"
2. Use this code when you want to create a text file (A.K.A. Sealeopard).
code:
del "c:\wsinfo.txt" ? ? "Working . . . . . . ." $x = dir("\\servername\sharename$\_*") open(1,"c:\wsinfo.txt",5) writeline(1,"WS,MAC,IP" + @crlf) close(1) while $x <> "" and @error = 0 shell "%comspec% /c type $x >> c:\wsinfo.txt" $x = dir() loop exit
3. You now have a text delimited file that you can import into EXCEL or ACESS.
Luck
_________________________
Box FACTA NON VERBA
|
Top
|
|
|
|
#26717 - 2002-08-09 11:35 AM
Re: Find IP / netbios name from a MAC address?
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
|
But did he bring his Kite with him?
Welcome back
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 507 anonymous users online.
|
|
|