Find IP address via MAC address (RARP)?

nimrod.sixty9 Banned Posts: 125
Today I was changing a port on a 2950 to another VLAN. This VLAN is quite locked down, so it came as a surprise that someone is already using that VLAN on that switch. I want to be able to find out who. If I can just get the IP, I can use nslookup and get the DNS, from there I can use AD. I prefer not to use any third party app if at all possible. TIA

Comments

  • undomiel Member Posts: 2,818
    Ping the broadcast address and do an arp -a, that should get you a list of addresses to comb through.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • GT-Rob Member Posts: 1,090
    If you have a router on that network (the gateway?), it should be in the arp table. Get the mac from the access switch (show mac-add int fa1/0/1), then look for that mac in the arp table (sh arp | inc 0000.1234.1234).

    Or put your computer in that vlan if you can and do like above.
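
Added example (not part of any poster's message): the MAC-to-IP lookup described in the post above, done offline in Python against saved ARP output. Switches, routers and Windows hosts print the same MAC in different notations, so a plain text search can miss the entry. The sample tables and their addresses are constructed, and `normalize_mac` and `find_ips_for_mac` are hypothetical helper names.

```python
import re

# Colon/dash notation (00-00-12-34-12-34) or Cisco dotted (0000.1234.1234).
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample output; every address except the thread's MAC is made up.
CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0000.0c07.ac1e  ARPA   Vlan30
Internet  10.20.30.41            12   0000.1234.1234  ARPA   Vlan30
Internet  10.20.30.77             3   0011.2233.4455  ARPA   Vlan30
"""
WINDOWS_ARP = """\
Interface: 10.20.30.5 --- 0x4
  Internet Address      Physical Address      Type
  10.20.30.1            00-00-0c-07-ac-1e     dynamic
  10.20.30.41           00-00-12-34-12-34     dynamic
"""

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_ips_for_mac(mac, arp_output):
    """Return the IPv4 address of every ARP entry carrying this MAC."""
    wanted = normalize_mac(mac)
    hits = []
    for line in arp_output.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match or normalize_mac(mac_match.group()) != wanted:
            continue  # header line, or an entry for another host
        ip_match = IPV4_RE.search(line)
        if ip_match:
            hits.append(ip_match.group())
    return hits

if __name__ == "__main__":
    print(find_ips_for_mac("0000.1234.1234", CISCO_ARP))
    print(find_ips_for_mac("00:00:12:34:12:34", WINDOWS_ARP))
```

An empty result means the ARP table being searched has no entry for that MAC, which is what a host sees when the device has not exchanged traffic with it.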
  • demonfurbie Member Posts: 1,819
    you can use nmap to scan a range of ips.. just scan them all and then you get a list

    if it's the only person on that vlan you should be able to narrow it down quickly
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • Devilsbane Member Posts: 4,214
    undomiel wrote: »
    Ping the broadcast address and do an arp -a, that should get you a list of addresses to comb through.

    I didn't think you could ping a broadcast.
    Decide what to be and go be it.
  • nimrod.sixty9 Banned Posts: 125
    I get 'Destination specified in invalid'. Arp table just shows the gateway.

    I do not have access to the router so that one is out.

    Looks like I'll have to do NMAP
  • nimrod.sixty9 Banned Posts: 125
    Devilsbane wrote: »
    I didn't think you could ping a broadcast.

    Guess that's why I get the above error lol
  • demonfurbie Member Posts: 1,819
    you could also use

    Ping Range - Free software downloads and software reviews - CNET Downloads

    has a nice gui

    nmap is mostly command line
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • ccnxjr Member Posts: 304
    was that IP address assigned through DHCP?
    If so you may be able to scan your dhcp leases for a matching IP.
    Not sure if this was in a cisco works utility?

    can you do
    router#sh ip dhcp binding

    or search your DHCP leases on your DHCP server?
  • Forsaken_GA Member Posts: 4,024
    GT-Rob wrote: »
    If you have a router on that network (the gateway?), it should be in the arp table. Get the mac from the access switch (show mac-add int fa1/0/1), then look for that mac in the arp table (sh arp | inc 0000.1234.1234).

    Or put your computer in that vlan if you can and do like above.

    Rob has the right of it. You should just be able to check the router.

    However, I'm curious if there's an issue here at all. Did you actually verify there was a port up in that vlan on the switch? All you said was that the vlan was already active on the switch, not that there was a port active.

    If this switch acts as a transit path for that vlan in any way, then the vlan has to be defined on the switch so traffic can pass on its trunks. By the same token, if the vlan is active, and there's not actually a live port in that vlan on that switch, you're chasing ghosts.
  • nimrod.sixty9 Banned Posts: 125
    Forsaken_GA wrote: »
    Rob has the right of it. You should just be able to check the router.

    However, I'm curious if there's an issue here at all. Did you actually verify there was a port up in that vlan on the switch? All you said was that the vlan was already active on the switch, not that there was a port active.

    If this switch acts as a transit path for that vlan in any way, then the vlan has to be defined on the switch so traffic can pass on its trunks. By the same token, if the vlan is active, and there's not actually a live port in that vlan on that switch, you're chasing ghosts.

    Yes, I verified that the port is up. Didn't realize my wording was incomplete. VLAN is defined on the switch and the port is live. Set the one up today and it's working great.

    Again, I do not have access to the router so I can't go that route... I will check out NMAP soon; could also be useful for PCI compliance.
  • nimrod.sixty9 Banned Posts: 125
    demonfurbie wrote: »
    you could also use

    Ping Range - Free software downloads and software reviews - CNET Downloads

    has a nice gui

    nmap is mostly command line

    Thanks for the recommendation. NMAP is quite widely used so I think I'll stick to that.
  • demonfurbie Member Posts: 1,819
    nimrod.sixty9 wrote: »
    Thanks for the recommendation. NMAP is quite widely used so I think I'll stick to that.

    yea i use nmap but some people like options
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • undomiel Member Posts: 2,818
    Devilsbane wrote: »
    I didn't think you could ping a broadcast.

    You can, though you may or may not receive a response depending upon the rules configured for that network.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • MentholMoose Member Posts: 1,525
    If you can't find the IP you can at least get an idea of what the device is from the MAC address by checking the company it's registered to.
    http://standards.ieee.org/develop/regauth/oui/oui.txt
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • Forsaken_GA Member Posts: 4,024
    nimrod.sixty9 wrote: »
    Yes, I verified that the port is up. Didn't realize my wording was incomplete. VLAN is defined on the switch and the port is live. Set the one up today and it's working great.

    Again, I do not have access to the router so I can't go that route... I will check out NMAP soon; could also be useful for PCI compliance.

    Someone has access to the router. Is it really that difficult to get ahold of them, give them the mac address, and then ask them to give you the IP?

    For that matter, if you know which physical port it's on, do you not have a wiring map showing where that port physically terminates? Or is there at least a description on the interface that may identify it?

    If the answer to all of these questions is no, whoever manages your internal network needs a kick in the ass
  • CompuTron99 Member Posts: 542
    Just do what my manager does... Shut down the port and see who yells.
  • nimrod.sixty9 Banned Posts: 125
    undomiel wrote: »
    You can, though you may or may not receive a response depending upon the rules configured for that network.

    Looks like we are configured to not allow this.

    MentholMoose wrote: »
    If you can't find the IP you can at least get an idea of what the device is from the MAC address by checking the company it's registered to.
    http://standards.ieee.org/develop/regauth/oui/oui.txt

    Unfortunately we are standardized, so they will all be the same LOL

    Forsaken_GA wrote: »
    Someone has access to the router. Is it really that difficult to get ahold of them, give them the mac address, and then ask them to give you the IP?

    For that matter, if you know which physical port it's on, do you not have a wiring map showing where that port physically terminates? Or is there at least a description on the interface that may identify it?

    If the answer to all of these questions is no, whoever manages your internal network needs a kick in the ass

    Yes, he is extremely busy. I was just looking to do this on my own. I have recently made a full Visio layout of all of our property with all jacks and numbers. Still have to add switches but too much of a mess to add on what is actually patched. Maybe I'll work on that part in the future. I manage the internal network, I'm still here all by my lonesome. A lot has dropped on me and this is me trying to keep us up and moving forward.

    CompuTron99 wrote: »
    Just do what my manager does... Shut down the port and see who yells.

    Hilarious, I could do this if I wasn't so worried about the damned port coming back up. Damned glitchy port security!
  • nimrod.sixty9 Banned Posts: 125
    demonfurbie wrote: »
    you could also use

    Ping Range - Free software downloads and software reviews - CNET Downloads

    has a nice gui

    nmap is mostly command line

    You sir, are full of awesome. I decided to give it a try and I absolutely love it. Found it in seconds. On top of that I now have a nice CSV of all MAC addresses with DNS names, excellent for wake on LAN.
  • peter_ivanov Registered Users Posts: 1
    This tool scans the network and lists IP/MAC addresses and other information for every connected network device: Trogon MAC Scanner

    Can save scan results to txt, csv, xml
  • chopsticks Member Posts: 389
    I thought it might be a good idea to get approval from your management first before you do a mass port scan on your company networks. In some instances, it may even be illegal to do so without first obtaining an approval. Just my two cents.
  • nimrod.sixty9 Banned Posts: 125
    chopsticks wrote: »
    I thought it might be a good idea to get approval from your management first before you do a mass port scan on your company networks. In some instances, it may even be illegal to do so without first obtaining an approval. Just my two cents.

    I'm not doing port scans. Just one single ping. And I am the Management for right now...