Page 1 of 1 1
Topic Options
#26709 - 2002-08-08 01:21 PM Find IP / netbios name from a MAC address?
Peter Fry Offline
Getting the hang of it

Registered: 2001-07-23
Posts: 95
Loc: Bristol UK
is it possible to find a ip address or netbios name from a MAC address on an network with NT and 2K boxes?

basically we have some network switches that report the mac address of the machines that are connected to each port and i want to find out which machines they are with out following the lead. [Smile]

Regards

Pete

Top
#26710 - 2002-08-08 02:04 PM Re: Find IP / netbios name from a MAC address?
Breaker Offline
Hey THIS is FUN
*****

Registered: 2001-06-15
Posts: 268
Loc: Yorkshire, England
Sadly, Windows NT/2000 doesn't have its own implementation of RARP, which you would use to do this MAC to IP resolution. This is a quote from The Mole, taken from TechNet:
quote:
TCP/IP uses the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) to initialize the use of Internet addressing on an Ethernet or other network that uses its own media access control (MAC). ARP allows a host to communicate with other hosts when only the Internet address of its neighbors is known. Before using IP, the host sends a broadcast ARP request containing the Internet address of the desired destination system.
Within the ARP/RARP header structure is the sender’s hardware address (i.e. the MAC address of the network interface card) and the sender’s IP address. That’s the thing that you want, Eric – the protocol address.
Anyone who is running Windows NT can issue an ‘ARP’ command from the command prompt. For example, executing ‘arp –a’ will display the ARP cache on that computer. Here’s an example (addresses changed to protect . . . blah blah blah . . . )
Interface: 159.33.187.112 on Interface 2
Internet Address Physical Address Type
159.33.185.1 00-e0-24-ce-77-68 dynamic
159.33.188.140 00-70-c7-52-69-d6 dynamic
Note that there’s a corresponding column for the Physical Address (i.e. the MAC address) – yes – the Internet – or IP – address! THAT’s what you want, Eric. Sounds simple enough, but Mole is afraid there’s no such utility similar to ARP that he can point you to that can be ran from the command line and does a reverse ARP lookup, even though it’s right there in the protocol stack. Mole is at a loss to explain why there isn’t one, to be honest.
Mole has dug high and low, and even though this question has been around for many years (see RFC 903), the best that Mole can do for you is offer some approaches that you can take, and here they are in order of preference:
1. Using a network sniffer/analyzer, sniff the wire by filtering on the MAC address, ARP, and RARP. Observe the associated IP address.
2. Instead of scrounging around to find out the IP address associated with a known MAC address, why not circumvent that whole thing by assigning an IP address to that MAC via DHCPCMD, and then you'd have everything you need. You can get the NetBIOS name by pinging that IP address. The big assumption here is that the customer is using DHCP, of course.
The following is an example that reserves IP address 11.101.13.53 in the 11.101.0.0 scope to a client with a hardware address of 08002B30369B:
dhcpcmd AddReservedIP 11.101.0.0 11.101.13.53 08002B30369B
Then, just issue a ping:
ping -a 11.101.13.53
to get the NetBIOS name. The one obvious drawback to this would be that you’d have to reboot that machine before the assigned IP address would take effect.
3. Identify the subnet that this offending NIC/computer is on. Write a batch file that pings every machine on the subnet. Look at the ARP cache. Mole doesn’t really recommend this approach, as it is pretty lame. But it could be one way to do it.
That’s it from the Mole. No need to over-engineer a solution: Just sniff the wire, get the IP address, and you’re done.

So there you have it - assigning the IP might be a way to go, but it sounds long winded if you have a lot of addresses you want to trace!

If I can think of another way/come up with something else I'll post it here, but I fear your search may be fruitless.

-Breaker
_________________________
================================================
Breaker


Top
#26711 - 2002-08-08 02:51 PM Re: Find IP / netbios name from a MAC address?
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Pete,
If you use DHCP, then you could export your leases and reservations with the RK util DHCPCMD.EXE.

Another possibility is to use SNMP to query the ARP table of your switch or router.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#26712 - 2002-08-08 03:13 PM Re: Find IP / netbios name from a MAC address?
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
I actually have a solution for this, although it's definitely not the most elegant one. I am keeping a list of IP addresses and their associated MAC addresses in an .INI file with each computer updating it's information upon each login. The basic structure of an .INI file for your problem could be like this:
code:
[10.10.0.2]
ComputerName=workstation
FQDN=workstation.company.com
MAC=00112233445566

I kind-of see this look-up table as cheating [Wink]
_________________________
There are two types of vessels, submarines and targets.

Top
#26713 - 2002-08-08 03:16 PM Re: Find IP / netbios name from a MAC address?
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Good point.. but for this purpose, I'd index on MAC instead of IP. I'd still use DHCPCMD to pull the data and build the INI.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#26714 - 2002-08-08 11:24 PM Re: Find IP / netbios name from a MAC address?
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
I tried searching wins database...
could not find a switc to search against mac but if you output the whole wins database, even the addresses not included in dhcp would get checked...

anyway, I've used this same stuff with dhcpcmd and think it's the easiest and fastest way of doing the stuff.

for the address not included in dhcp, you need to do more...

{edit}
TO-DO

[ 09. August 2002, 03:07: Message edited by: Lonkero ]
_________________________
!

download KiXnet

Top
#26715 - 2002-08-09 03:38 AM Re: Find IP / netbios name from a MAC address?
BoxKite Offline
Da Box
*****

Registered: 2000-05-17
Posts: 282
Loc: Vacaville,CA,USA
Sealeopard has the right idea, but I don’t think of it as cheating. My solution is a little more elaborate, and more costly. Each computer will create a 1k file. One thousand files, one thousand entries in the FAT or DNFS. But, it does give me what I want.

1. Create a shared location (add a $ to hide the share name) on your domain. Give domain members write permission in the share$ and physical location.

Put this code in your log on script:

code:
shell "%comspec% /c echo @wksta,@address,@ipaddress0 > \\servername\sharename$\_@wksta"

2. Use this code when you want to create a text file (A.K.A. Sealeopard).

code:
del "c:\wsinfo.txt"
? ? "Working . . . . . . ."
$x = dir("\\servername\sharename$\_*")
open(1,"c:\wsinfo.txt",5)
writeline(1,"WS,MAC,IP" + @crlf)
close(1)
while $x <> "" and @error = 0
shell "%comspec% /c type $x >> c:\wsinfo.txt"
$x = dir()
loop
exit

3. You now have a text delimited file that you can import into EXCEL or ACESS.

Luck [Smile]
_________________________
Box
FACTA NON VERBA

Top
#26716 - 2002-08-09 03:49 AM Re: Find IP / netbios name from a MAC address?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
BOX !!!

THE BOX IS BACK !!!

Top
#26717 - 2002-08-09 11:35 AM Re: Find IP / netbios name from a MAC address?
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
But did he bring his Kite with him? [Smile]

Welcome back

Top
#26718 - 2002-08-09 11:43 AM Re: Find IP / netbios name from a MAC address?
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
HEy Boxkite !

Nice to see you're alive !!!
Where have you been ?

Jochen
_________________________



Top
#26719 - 2002-08-09 06:07 PM Re: Find IP / netbios name from a MAC address?
BoxKite Offline
Da Box
*****

Registered: 2000-05-17
Posts: 282
Loc: Vacaville,CA,USA
I was in the Twilight Zone for a while. Good to be back and see all the neat things going on with the site.

Also makes me feel good to see you guys carrying the flag and giving good advise to the newbies.

Speaking of Kixtart. I once saw a picture on the cover of Time magazine. It showed a child baseball player swinging a bat, and as the bat swing around the player morphed into an adult baseball player. The intent was to show how the New York METS baseball team had grownup to a Major League Baseball team to win the Baseball World Series. So it is with Kixtart. The new features in Kixtart make it a Major League Player. Hats off to you all.

Now, “Play Ball” [Smile]
_________________________
Box
FACTA NON VERBA

Top
#26720 - 2002-08-09 06:44 PM Re: Find IP / netbios name from a MAC address?
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Such a touching story... brings a tear to my eye. I can hear the national anthem... All rise...

nice sentiments
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#26721 - 2002-08-09 07:05 PM Re: Find IP / netbios name from a MAC address?
BoxKite Offline
Da Box
*****

Registered: 2000-05-17
Posts: 282
Loc: Vacaville,CA,USA
HUMMMmmmm
HUMMMmmmm

All hail “Kixtart”
All hail “Kixtart”
Thy code is my need
With Select and endif
To shining Exit
I will defend your integrity…….
To those who say SMS is the best…..
I say Phtttttt…. To them………. You see
With Kixtart and ham-a-lot I’m the best, yes the best,
That ----- can --------- be………..
[Razz]
_________________________
Box
FACTA NON VERBA

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 259 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.063 seconds in which 0.023 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org