I have a machine connected to LAN switch.

How can i get mac address of all other LAN machines.

enabled promiscuous mode then tried following command

tcpdump -i eth1 -vvv -qe

11:31:07.670442 84:2b:2b:0a:78:68 (oui Unknown) > Broadcast, ARP, length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.30.36 tell 192.168.30.32, length 28

It is not showing any ARP reply.How can i find mac address of all machines?

asked 29 Mar '13, 23:09

krrypto's gravatar image

krrypto
6224
accept rate: 0%


I have a machine connected to LAN switch. its active,but i dont know its ip address.Wont tcpdump -i eth1 with out filters show all ARP replys?

no, not necessarily.

The ARP request is directed to the ethernet broadcast address (ff:ff:ff:ff:ff:ff) and thus you will see those requests on a switch port, as the switch will forward those packets to all ports.

The ARP reply is usually directed to the MAC address of the machine who sent the ARP request, so you will not see that response on a switch, as the switch will forward that packet only to the port where that MAC address is known to 'live'. However, there may be TCP/IP implementations, that send the ARP reply to a multicast address. In that case, you will see the reply.

From RFC 5227

   RFC 826 implies that replies to ARP Requests are usually delivered
   using unicast, but it is also acceptable to deliver ARP Replies using
   broadcast.

Regards
Kurt

link

answered 02 Apr '13, 10:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
18.9k733181
accept rate: 15%

Well, if 192.168.30.36 isn't active it won't be able to reply. You could potentially write a little script and subsequently ping all the ip addresses in ypur ip subnet and have a tcpdump running filtered on "arp" protocol - no need for promiscuous mode there as the successful arp replies will be destined to your MAC address.

link

answered 29 Mar '13, 23:28

mrEEde's gravatar image

mrEEde
2.1k51238
accept rate: 20%

edited 29 Mar '13, 23:31

its active,but i dont know its ip address.Wont tcpdump -i eth1 with out filters show all ARP replys?

(29 Mar '13, 23:39) krrypto

Not sure I get the point... You want to learn all MAC addresses in your LAN? You trace your eth1 unfiltered and you will get arp replies for all you arp requests that find an active ip-address on the LAN. For ip addresses that are in your arp cache there won't be arp requests though and therefore you won't find arp replies in your trace.

(30 Mar '13, 03:05) mrEEde
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×78
×47
×24

Asked: 29 Mar '13, 23:09

Seen: 5,033 times

Last updated: 02 Apr '13, 10:19

powered by OSQA