Resolving MAC Address from IP Address in Linux
I need to write a bash script wherein I have to create a file which holds the details of IP Addresses of the hosts and their mapping with corresponding MAC Addresses. Is there any possible way with which I can find out the MAC address of any (remote) host when IP address of the host is available?
5 Answers
If you just want to find out the MAC address of a given IP address you can use the command arp to look it up, once you’ve pinged the system 1 time.
Example
    $ ping skinner -c 1
    PING skinner.bubba.net (192.168.1.3) 56(84) bytes of data.
    64 bytes from skinner.bubba.net (192.168.1.3): icmp_seq=1 ttl=64 time=3.09 ms
    --- skinner.bubba.net ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 3.097/3.097/3.097/0.000 ms
Now look up in the ARP table:
    $ arp -a
    skinner.bubba.net (192.168.1.3) at 00:19:d1:e8:4c:95 [ether] on wlp3s0
fing
If you want to sweep the entire LAN for MAC addresses you can use the command line tool fing to do so. It’s typically not installed so you’ll have to go download it and install it manually.
Using ip
If you find you don’t have the arp or fing commands available, you could use iproute2’s command ip neigh to see your system’s ARP table instead:
    $ ip neigh
    192.168.1.61 dev eth0 lladdr b8:27:eb:87:74:11 REACHABLE
    192.168.1.70 dev eth0 lladdr 30:b5:c2:3d:6c:37 STALE
    192.168.1.95 dev eth0 lladdr f0:18:98:1d:26:e2 REACHABLE
    192.168.1.2 dev eth0 lladdr 14:cc:20:d4:56:2a STALE
    192.168.1.10 dev eth0 lladdr 00:22:15:91:c1:2d REACHABLE
I know this is an old answer, but do you have any insight as to how Fing is implemented? I am trying to learn about this layer of networking and the tools to monitor it.
The ip neigh works most of the time without having to install extra packages. Therefore I think that’s the best answer.
But you can only use this command on a LAN. If you want to find out the MAC address of any remote host, maybe you must use some tool to capture the packet, like tcpdump, and parse the result.
tcpdump(8) will only show you the local MACs (i.e., the MAC of the last leg router). The MAC layer headers of input packets are stripped out by the router, and new ones added to the outgoing packet.
This is from my question and answer in Ask Ubuntu.
sudo nmap -sP -PE -PA21,23,80,3389 192.168.1.*
nmap : Network exploration tool and security / port scanner. From the manual:
-sP (Skip port scan): This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.
-PE; -PP; -PM (ICMP Ping Types): In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC 1122[2]. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.
-PA port list (TCP ACK Ping) : The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process. The -PA option uses the same default port as the SYN probe (80) and can also take a list of destination ports in the same format. If an unprivileged user tries this, the connect workaround discussed previously is used. This workaround is imperfect because connect is actually sending a SYN packet rather than an ACK.
21,23,80,3389 : Ports to search through.
192.168.1.* : Range of IPs. Replace with yours.
Resolving MAC Address From IP Address in Linux
1. Overview
In this brief tutorial, we’ll look at the difference between a MAC address and an IP address. Furthermore, we’ll learn about the component that acts as a bridge between the MAC and IP addresses. Also, we’ll explore how to extract MAC addresses from hosts in a remote or local network.
2. Difference Between a MAC Address and an IP Address
A Media Access Control address or MAC address is a 12-digit hexadecimal number that identifies a device connected to a network. In other words, it’s a unique identifier for network interface cards (NICs). These addresses can be written in two different formats:
Here, MM in the MAC address represents the Organizationally Unique Identifier (OUI) and SS is the Universally Administered Address (UAA). The OUI of the address identifies the vendor of the NIC and the UAA is a unique address that the vendor assigns to the device.
MAC addresses never change on their own and are permanent addresses. Although MAC addresses are hard-coded into the NIC, many device drivers allow a user to change the address. This is called MAC spoofing.
We can use the ip utility to view the MAC address of each NIC:
    $ ip a
    ens160: mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:d8:fa:9a brd ff:ff:ff:ff:ff:ff
        inet 172.16.186.133/32 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fed8:fa9a/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
We can see the MAC address above next to the word ether. In this case, the MAC address is 00:0c:29:d8:fa:9a.
In contrast, an IP address or Internet Protocol address is a unique number that identifies a computer in a network. IP addresses allow devices to connect to each other and transfer data.
IPv4 addresses have the format X.X.X.X, where X is any number between 0 and 255. Similarly, we can use the ip command to view the IPv4 and IPv6 addresses of a device. In our example from earlier, the IPv4 address is 172.16.186.133 and the IPv6 address is fe80::20c:29ff:fed8:fa9a.
3. Understanding ARP
The Address Resolution Protocol (ARP) is a protocol that acts as a bridge between layer 2 and layer 3 components of the OSI model. This means that it can map MAC addresses to IP addresses in a local area network (LAN) and vice versa.
It’s important to note that ARP only works with IPv4 addresses. In contrast, IPv6 addresses make use of a similar protocol known as the Neighbor Discovery Protocol (NDP).
For example, when a computer joins a network it has a unique IP address so that it can communicate with other hosts in the network. When a computer wants to communicate with another computer in the network, it packages the request into an IP datagram or IP packet. For the sender to know which computer to forward this packet to, it needs to have the destination IP and the destination MAC address. In most cases, the sender doesn’t know what the destination MAC address is. The sender needs to transmit an ARP broadcast which all hosts in the LAN will receive.
The ARP request includes the sender’s IP, the sender’s MAC address and the target’s IP address. Additionally, it contains a field for the target’s MAC address which, at that point, remains unknown. All devices have an ARP cache or ARP table. As a result, they use this cache to temporarily store the IP and MAC addresses of the hosts they communicate with.
Also, it’s important to note that the arp tool is part of the net-tools package which is outdated. Although the arp command still works, we’ll use the ip neighbour command in this tutorial.
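To make the request and reply fields described above concrete, here is an added example (not part of the original tutorial) that decodes the 28-byte ARP payload for Ethernet and IPv4 from a hex string. The function names and the two sample packets are constructed for illustration; the addresses are the ones used elsewhere in this tutorial, and the zero-filled target MAC in the request is the usual convention rather than something the tutorial states.

```shell
#!/bin/sh
# Added example: decode an ARP payload (Ethernet/IPv4, 28 bytes) given as hex.
# Layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)

# field HEX START LEN -> substring of HEX (1-based character positions)
field() { printf '%s' "$1" | cut -c"$2"-"$(( $2 + $3 - 1 ))"; }

# hex2mac 000c29d8fa9a -> 00:0c:29:d8:fa:9a
hex2mac() { printf '%s' "$1" | sed 's/../&:/g; s/:$//'; }

# hex2ip ac10ba85 -> 172.16.186.133
hex2ip() {
    printf '%d.%d.%d.%d' "0x$(field "$1" 1 2)" "0x$(field "$1" 3 2)" \
                         "0x$(field "$1" 5 2)" "0x$(field "$1" 7 2)"
}

# decode_arp HEX -> one "name=value" line per field, non-zero status on bad length
decode_arp() {
    pkt=$1
    [ "${#pkt}" -eq 56 ] || { echo "error=expected 56 hex characters"; return 1; }
    case $(field "$pkt" 13 4) in
        0001) op=request ;;
        0002) op=reply ;;
        *)    op=other ;;
    esac
    echo "op=$op"
    echo "sender_mac=$(hex2mac "$(field "$pkt" 17 12)")"
    echo "sender_ip=$(hex2ip "$(field "$pkt" 29 8)")"
    echo "target_mac=$(hex2mac "$(field "$pkt" 37 12)")"
    echo "target_ip=$(hex2ip "$(field "$pkt" 49 8)")"
}

# Constructed samples (not captured traffic).
# Request: 172.16.186.133 asks who has 172.16.187.129; target MAC is unknown.
ARP_REQUEST=0001080006040001000c29d8fa9aac10ba85000000000000ac10bb81
# Reply: 172.16.187.129 answers with its own MAC as the sender address.
ARP_REPLY=0001080006040002000c2902d45aac10bb81000c29d8fa9aac10ba85

show_samples() { decode_arp "$ARP_REQUEST"; echo; decode_arp "$ARP_REPLY"; }
```

Running `show_samples` prints both packets side by side; the reply's sender_mac is the value that ends up in the requester's ARP cache.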
4. Finding a MAC Address of a Given IP
The way to retrieve a MAC address from a device in the local network differs when trying to retrieve the address from an external network. Let’s explore the different ways that we can go about this.
4.1. Finding a MAC Address of a Host on the Local Network
First, we need to ping the given IP address, which is 172.16.187.129 in this example. Pinging makes our device send traffic to that host, and to do so it first sends an ARP request. When our device receives an ARP reply from 172.16.187.129, it updates the ARP cache with the given IP address and the MAC address obtained from the ARP reply.
We need a way to view the ARP cache so that we can see the MAC address. That’s where the ip neighbour command comes in. Now, we run the ip neighbour command to see the corresponding MAC address for the IP we’ve just pinged:
    $ ping -c 1 172.16.187.129
    PING 172.16.187.129 (172.16.187.129) 56(84) bytes of data.
    64 bytes from 172.16.187.129: icmp_seq=1 ttl=64 time=2.17 ms
    --- 172.16.187.129 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 2.172/2.172/2.172/0.000 ms
    $ ip neighbour
    172.16.187.2 dev ens160 lladdr 00:50:56:f3:ce:92 STALE
    172.16.187.129 dev ens160 lladdr 00:0c:29:02:d4:5a REACHABLE
At this point, we observe two IP addresses after running the arp-equivalent ip neighbour command. The first IP is the gateway node and we can verify this by running ip route:
    $ ip route
    default via 172.16.187.2 dev ens160 proto static metric 100
The second IP address is of a host in our LAN that we’ve previously pinged.
The ip neighbour command can only retrieve MAC addresses of computers in our local network.
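As an added example (not from the original tutorial), the script below turns ip neighbour output into an IP-to-MAC map and lists any MAC address recorded for more than one IP. Since MAC addresses can be changed, such entries are worth reviewing, although a multi-address host produces them legitimately. The function names, the output file name in the comment and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: build an "IP MAC STATE" map from `ip neighbour` output.

# neigh_to_map: read `ip neighbour` lines on stdin, print "IP MAC STATE".
# Entries without an lladdr field (FAILED, INCOMPLETE) have no MAC to record
# and are skipped instead of producing a half-empty row.
neigh_to_map() {
    awk '{
        mac = ""
        for (i = 2; i < NF; i++)
            if ($i == "lladdr") mac = tolower($(i + 1))
        if (mac != "") print $1, mac, $NF
    }'
}

# shared_macs: read the map on stdin and print every MAC that is recorded
# for more than one IP address, followed by those IPs.
shared_macs() {
    awk '{ n[$2]++; ips[$2] = ips[$2] " " $1 }
         END { for (m in n) if (n[m] > 1) print m ":" ips[m] }' | sort
}

# Constructed sample in the format shown above (not taken from a real host).
SAMPLE='172.16.187.2 dev ens160 lladdr 00:50:56:f3:ce:92 STALE
172.16.187.129 dev ens160 lladdr 00:0c:29:02:d4:5a REACHABLE
172.16.187.130 dev ens160 FAILED
172.16.187.131 dev ens160 lladdr 00:0c:29:02:d4:5a STALE'

sample_map() { printf '%s\n' "$SAMPLE" | neigh_to_map; }

# On a live host (hypothetical output file name):
#   ip neighbour | neigh_to_map > ip_mac_map.txt
#   shared_macs < ip_mac_map.txt
```

The map only covers hosts that are already in the cache, so ping the addresses of interest first, as described above.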
4.2. Finding a MAC Address of a Remote Host
Since a MAC address is a component of the data link layer or layer 2 of the OSI model, it doesn't survive when an IP packet travels to a different network segment: the layer 2 header that carries it is removed along the way. It’s for this reason that ARP doesn’t work across routers and works only in a local area network.
There are different ways of retrieving the MAC address of a host in a remote network, but these options aren’t necessarily reliable. For instance, the router that forwards IP packets from the source to the destination server does see the MAC address of a remote server. Having SNMP access to the router would allow us to view this information. The router may need additional configurations for us to do this.
Secondly, a remote host may include the MAC address in its layer 3 traffic but this information can be false. Without a doubt, MAC addresses can be forged and that’s why they aren’t helpful when trying to authenticate hosts. Instead, we make use of server certificates.
5. Conclusion
In this article, we learned about mapping IP addresses to MAC addresses. We began with the basics such as differentiating the two concepts. Then we focused on the bridge between these two concepts which we know as ARP. After that, we delved into the methods used to retrieve MAC addresses.