detect all IPs/MACs on network?

asked 2023-12-21 02:58:15 +0000

ffakr

This seems straightforward, but I'm having trouble finding an answer.

I'm trying to map a private network behind a NAT. Someone in the Lab set up a NAT router that everything is behind, but that person is long gone and they don't have login credentials for the router anymore. I'm trying to map the network (PCs/Macs and ethernet-connected Research apparatus). If it was just PCs.. I'd go computer to computer and pull the MACs.. it's the networked lab equipment that's harder to inventory.

I've got at least a partial inventory of devices by IP. I'm looking to find MACs for these devices so we can set up DHCP reservations on a new router.. since I can't log into the existing one to see what they did.

I plugged in, started a packet capture, and nmap'ed some IPs to generate traffic. What I'm looking to do is generate a report... or filter.. that will show me IPs w/ corresponding MACs.

I've found a few so far by just searching through the whole log for IPs (sender).. opening the packet capture and searching for the source MAC.. but that's proving tedious.
Is there any way to display all IPs with corresponding MACs from the Capture?

Thanks, Steven.


1 Answer


answered 2023-12-21 11:51:31 +0000

Bob Jones

updated 2023-12-21 11:57:52 +0000

I am not sure Wireshark is the best tool for this. Some options:

  1. Specific tool for this, like Lansweeper and probably many others. Angry IP Scanner maybe?
  2. On the host running nmap, investigate the ARP cache as that will map IPs to MAC addresses.
  3. tshark output of src IP with src MAC, filtered on a Linux system:

    tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t

You will only be able to reliably map MAC to IP on the local network in most cases.

Example:

    wsuser@wssys:~/tmp$ tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t
    10.1.10.1     01:05:ca:08:0f:1c
    10.1.10.50    02:cd:e6:65:aa:c2
    10.1.10.58    03:90:0b:de:10:e5
    10.1.10.6     04:b7:1f:5c:f1:a8

Comments

Good point. This was partially a case of everything looks like a nail when all you've got is a hammer. Wireshark was on my laptop already and I figured.. 'sure, it's possible to do discovery by just sorting through a big packet dump'. I'm familiar with Lansweeper, not that I use it regularly.. I'll check out Angry IP Scanner too.

The tshark command did do exactly what I was looking for though. Thank you.

ffakr (2023-12-21 17:14:29 +0000)

BTW.. just to be helpful.. the command line option you provided worked perfectly on macOS too... so BSD. :-). Thanks again, I really appreciated your help.

ffakr (2023-12-22 19:55:55 +0000)
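The answer's caveat that MACs map reliably only on the local network can be checked mechanically before the pairs are turned into DHCP reservations. The following is an added example, not part of the original thread: a shell function that post-processes the two-column `ip.src`/`eth.src` output and labels each pair. The names `classify_pairs` and `sample_pairs`, the sample addresses, and the prefix test for "local" are assumptions made for illustration.

```shell
#!/bin/sh
# classify_pairs PREFIX: read "IP MAC" lines on stdin, print "STATUS IP MAC".
#   OK        local IP with exactly one MAC, and that MAC has no other local IP
#   CONFLICT  local IP seen with more than one MAC; resolve before reserving
#   MULTI-IP  one MAC seen with several local IPs (aliases, multi-address device)
#   OFFNET    IP outside PREFIX; the MAC is the forwarding router's, not the host's
# PREFIX is a dotted prefix such as "10.1.10." (assumption: /24-style subnet;
# keep the trailing dot so 10.1.100.x does not match).
classify_pairs() {
    awk -v prefix="$1" '
        NF != 2 { next }                    # skip blank or malformed lines
        {
            ip = $1; mac = tolower($2)      # normalise MAC case
            if ((ip, mac) in seen) next     # drop duplicate pairs
            seen[ip, mac] = 1
            n++; ips[n] = ip; macs[n] = mac
            if (index(ip, prefix) == 1) { per_ip[ip]++; per_mac[mac]++ }
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = ips[i]; mac = macs[i]
                if (index(ip, prefix) != 1) s = "OFFNET"
                else if (per_ip[ip] > 1)    s = "CONFLICT"
                else if (per_mac[mac] > 1)  s = "MULTI-IP"
                else                        s = "OK"
                print s, ip, mac
            }
        }
    ' | LC_ALL=C sort -k2,2 -k3,3
}

# Constructed sample input (not taken from a real capture).
sample_pairs() {
    cat <<'EOF'
10.1.10.1 02:00:00:00:00:01
198.51.100.7 02:00:00:00:00:01
10.1.10.50 02:00:00:00:00:50
10.1.10.50 02:00:00:00:00:50
10.1.10.58 02:00:00:00:00:58
10.1.10.58 02:00:00:00:00:AA
10.1.10.60 02:00:00:00:00:60
10.1.10.61 02:00:00:00:00:60
EOF
}

# Real input would come from the answer's fields, e.g.:
#   tshark -r test.pcapng -T fields -e ip.src -e eth.src ip | classify_pairs 10.1.10.
sample_pairs | classify_pairs 10.1.10.
```

Only the `OK` rows are safe to copy straight into reservations; `OFFNET` rows carry the router's MAC and should be discarded.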
