I have a machine connected to LAN switch.
How can i get mac address of all other LAN machines.
enabled promiscuous mode then tried following command
tcpdump -i eth1 -vvv -qe
11:31:07.670442 84:2b:2b:0a:78:68 (oui Unknown) > Broadcast, ARP, length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.30.36 tell 192.168.30.32, length 28
It is not showing any ARP reply.How can i find mac address of all machines?
asked 29 Mar, 23:09
no, not necessarily.
The ARP request is directed to the ethernet broadcast address (ff:ff:ff:ff:ff:ff) and thus you will see those requests on a switch port, as the switch will forward those packets to all ports.
The ARP reply is usually directed to the MAC address of the machine who sent the ARP request, so you will not see that response on a switch, as the switch will forward that packet only to the port where that MAC address is known to 'live'. However, there may be TCP/IP implementations, that send the ARP reply to a multicast address. In that case, you will see the reply.
From RFC 5227
RFC 826 implies that replies to ARP Requests are usually delivered using unicast, but it is also acceptable to deliver ARP Replies using broadcast.
answered 02 Apr, 10:19
Kurt Knochner ♦
Well, if 192.168.30.36 isn't active it won't be able to reply. You could potentially write a little script and subsequently ping all the ip addresses in ypur ip subnet and have a tcpdump running filtered on "arp" protocol - no need for promiscuous mode there as the successful arp replies will be destined to your MAC address.