3

I have the MAC table list of a router, and now I am trying to get an IP address for each MAC address in the MAC table list. So I tried to use ARP; unfortunately, ARP is missing some of the MAC address mappings which are listed under the MAC table. How do I get all MAC-IP address mappings? Is there any way to get these mappings? Will it be possible by updating the ARP table, and if so, how do I update it?

Teun Vink
user3571448

2 Answers

2

Use a tool like NMAP with the -sP option (ping scan) against all subnets configured on interfaces:

nmap -sP [subnet IP]/[bitmask]

[repeat as needed for all connected subnets on router]

Then collect your SNMP information prior to the ARP timeout. If you still have MAC addresses in your CAM table that you can't correlate to an IP, they don't have one configured.

Ryan Foley
nicotine
2

There isn't any good way to do this other than a crude nmap ping sweep of the entire subnet. You'll at least be able to resolve all of the addresses on the subnet to usable hardware addresses.

Below is the commonly used verbiage.

nmap -sn -n 10.0.0.0/24

-sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

nmap(1) - Linux man page

Ryan Foley
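
The correlation step that follows the ping sweep in both answers, as an added example that is not part of either answer: it joins a MAC (CAM) table against ARP output, normalising the different MAC notations first, and lists the MACs that still have no IP. The function names and all sample data are constructed for illustration.

```python
import re

IPV4 = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?$")

def norm_mac(text):
    """Return a MAC as 12 lowercase hex digits, or None if text is not a MAC."""
    t = text.strip().lower()
    # aa:bb:cc:dd:ee:ff or aa-bb-...; some arp tools drop leading zeros (0:1c:...)
    if re.fullmatch(r"[0-9a-f]{1,2}([:-][0-9a-f]{1,2}){5}", t):
        return "".join(p.zfill(2) for p in re.split(r"[:-]", t))
    # aabb.ccdd.eeff, the dotted notation many switches and routers print
    if re.fullmatch(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}", t):
        return t.replace(".", "")
    return None

def parse_arp(text):
    """Map normalised MAC -> sorted list of IPs seen for it in ARP output."""
    table = {}
    for line in text.splitlines():
        ip = mac = None
        for tok in line.split():
            m = IPV4.match(tok)
            if m and ip is None:
                ip = m.group(1)
            elif mac is None:
                mac = norm_mac(tok)
        if ip and mac:  # "<incomplete>" entries have no MAC and are skipped
            table.setdefault(mac, set()).add(ip)
    return {m: sorted(ips) for m, ips in table.items()}

def correlate(cam_macs, arp_text):
    """Return ({cam_mac: [ips]}, [cam_macs with no ARP entry])."""
    arp = parse_arp(arp_text)
    mapped, unmapped = {}, []
    for raw in cam_macs:
        mac = norm_mac(raw)
        if mac in arp:
            mapped[raw] = arp[mac]  # one MAC can answer for several IPs
        else:
            unmapped.append(raw)
    return mapped, unmapped

# Constructed sample data: MAC table entries and mixed-format ARP lines.
CAM_MACS = ["001c.42aa.bb01", "001c.42aa.bb02", "001c.42aa.bb03", "001c.42aa.bb04"]
ARP_SAMPLE = """? (10.0.0.5) at 0:1c:42:aa:bb:1 [ether] on eth0
? (10.0.0.6) at <incomplete> on eth0
Internet  10.0.0.7   12   001c.42aa.bb03  ARPA  Vlan10
? (10.0.0.9) at 00-1C-42-AA-BB-03 [ether] on eth0"""

if __name__ == "__main__":
    print(correlate(CAM_MACS, ARP_SAMPLE))
```

MACs left in the unmapped list after a sweep of every connected subnet are the ones the first answer describes as having no IP configured.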