I have a machine connected to a LAN switch. How can I get the MAC address of all other LAN machines? I enabled promiscuous mode, then tried the following command:

    tcpdump -i eth1 -vvv -qe

    11:31:07.670442 84:2b:2b:0a:78:68 (oui Unknown) > Broadcast, ARP, length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.30.36 tell 192.168.30.32, length 28

It is not showing any ARP reply. How can I find the MAC address of all machines?

asked 29 Mar '13, 23:09 krrypto
2 Answers:
No, not necessarily. The ARP request is directed to the Ethernet broadcast address (ff:ff:ff:ff:ff:ff), and thus you will see those requests on a switch port, as the switch will forward those packets to all ports. The ARP reply is usually directed to the MAC address of the machine that sent the ARP request, so you will not see that response on a switch, as the switch will forward that packet only to the port where that MAC address is known to 'live'. However, there may be TCP/IP implementations that send the ARP reply to a multicast address. In that case, you will see the reply. From RFC 5227
Regards

answered 02 Apr '13, 10:19 Kurt Knochner ♦
Well, if 192.168.30.36 isn't active it won't be able to reply. You could potentially write a little script and subsequently ping all the IP addresses in your IP subnet and have a tcpdump running filtered on "arp" protocol - no need for promiscuous mode there as the successful ARP replies will be destined to your MAC address.

answered 29 Mar '13, 23:28 mrEEde edited 29 Mar '13, 23:31
It's active, but I don't know its IP address. Won't tcpdump -i eth1 without filters show all ARP replies?
Not sure I get the point... You want to learn all MAC addresses in your LAN? You trace your eth1 unfiltered and you will get ARP replies for all your ARP requests that find an active IP address on the LAN. For IP addresses that are in your ARP cache there won't be ARP requests though, and therefore you won't find ARP replies in your trace.
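
The following is an added example, not part of any post in this thread: a parser for `tcpdump -e` ARP output that builds an IP-to-MAC table. It shows that the broadcast requests visible on a switch port already reveal each sender's MAC (Ethernet source plus the `tell` address), while unicast replies add entries only when they are addressed to the capturing host. All sample lines except the first are constructed, and the function name `arp_table` is hypothetical.

```python
import re

# Sample capture: the first line is the one from the question; the rest are
# constructed in the same `tcpdump -e` format (MACs and IPs are made up).
SAMPLE = """\
11:31:07.670442 84:2b:2b:0a:78:68 (oui Unknown) > Broadcast, ARP, length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.30.36 tell 192.168.30.32, length 28
11:31:07.670901 00:16:3e:00:00:24 (oui Unknown) > 00:16:3e:00:00:01 (oui Unknown), ARP, length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.30.36 is-at 00:16:3e:00:00:24 (oui Unknown), length 46
11:31:09.112233 00:16:3e:00:00:01 (oui Unknown) > Broadcast, ARP, length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.30.40 tell 192.168.30.10, length 28
not an ARP line
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
# With -e, the Ethernet source MAC follows the timestamp.
ETH_SRC = re.compile(rf"^\S+\s+({MAC})\b", re.I)
# Some tcpdump versions print a parenthesised target MAC after the target IP.
REQUEST = re.compile(rf"Request who-has {IP}(?: \([^)]*\))? tell ({IP})")
REPLY = re.compile(rf"Reply ({IP}) is-at ({MAC})", re.I)


def arp_table(lines):
    """Return {ip: (mac, how_learned)} from tcpdump -e ARP output lines."""
    table = {}
    for line in lines:
        reply = REPLY.search(line)
        if reply:
            # A reply states the mapping explicitly; it overrides earlier entries.
            table[reply.group(1)] = (reply.group(2).lower(), "reply")
            continue
        req, src = REQUEST.search(line), ETH_SRC.match(line)
        if req and src:
            # A request exposes the sender: "tell" IP + Ethernet source MAC.
            # setdefault keeps a mapping already learned from a reply.
            table.setdefault(req.group(1), (src.group(1).lower(), "request"))
    return table


if __name__ == "__main__":
    for ip, (mac, how) in sorted(arp_table(SAMPLE.splitlines()).items()):
        print(f"{ip:15} {mac}  (from {how})")
```

The target of an unanswered request (192.168.30.40 in the sample) never enters the table, which matches the thread: a host's MAC is learned only when it sends a broadcast request itself or replies to the capturing machine.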