Resolving an IP address from a MAC address

steveseaman
Level 1

I have suffered many dubious web pages on how to do this but here goes.

I need to resolve an IP address from a given MAC address. I have a suspect rogue wireless device indicated to me by NetStumbler, but it only gives the MAC address of the peer.

If I could resolve this to an IP address then I could resolve the machine name and find the culprit.

I may just be chasing shadows here, but for the sake of my peace of mind and sanity I would like to check the rogue device down.

Any help would be appreciated.

3 Replies

Kevin Dorrell
Level 10

One effective way is to go to your router, and "show arp | include ". Unfortunately this only works if the rogue device is actually addressing the router. Make sure you get the format of the MAC address right, consistent with the normal output of "show arp". That assumes that he has an IP address of course. If he got his IP address from a DHCP server, the DHCP server will tell you.

Another way is to trace the MAC address through your switches. Start at the core switch, and do a "show cam " (for CatOS, or equivalent for IOS), and follow the port. Re-iterate, until you come to the access port. Trace the patch in the wiring closet, then go and clobber the user attached to that socket.

Kevin Dorrell

Luxembourg.

scottosan
Level 1

I feel your pain. With NetStumbler, you will be seeing the radio-side MAC address, not the Ethernet-side MAC address. This makes it hard because the sh arp will only give the Ethernet-side MAC. The only thing I can tell you is to walk around until the signal is strongest. Below is a list of vendor MAC prefixes that may help you narrow down what brand of AP you are looking for.

3Com 0001.03|0004.76|0050.da|0800.02

Addtron 0040.33|0090.d1

Advanced Multimedia Internet 0050.18

Apple 0030.65

Atmel 0004.25

Bay Networks 0020.d8

BreezeNet 0010.e7

Cabletron (Enterasys) 0001.f4|00e0.63

Camtec 0000.ff

Cisco Aironet 0040.96

Compaq 0050.8b

D-Link 0005.5d|0040.05|0090.4b

Delta Networks 0030.ab

Intel 0002.b3

Linksys 0003.2f|0004.5a

Lucent 0002.2d|0060.1d|0202.2d

Nokia 00e0.03

Samsung 0000.f0|0002.78

Senao Intl 0002.6f

SMC 00e0.29|0090.d1

SOHOware 0080.c6

Sony 0800.46

Symbol 00a0.f8|00a0.0f

Z-Com 0060.b3

Zoom 0040.36
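
An added example, not part of either reply above: a Python sketch of the lookup Kevin Dorrell describes, converting a MAC to the dotted form that "show arp" prints before matching, plus a vendor check against a few prefixes taken from scottosan's list. The ARP output and its addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample of IOS "show arp" output (all addresses are made up).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.25              12   0040.9612.3456  ARPA   Vlan10
Internet  10.1.1.40               3   0004.5aab.cdef  ARPA   Vlan10
"""

# A few vendor prefixes copied from the list in the thread above.
OUI_VENDORS = {
    "0040.96": "Cisco Aironet",
    "0004.5a": "Linksys",
    "0002.2d": "Lucent",
    "0030.65": "Apple",
}

def to_cisco_mac(mac):
    """Convert 00:40:96:12:34:56, 00-40-96-12-34-56 or 004096123456 to 0040.9612.3456."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def vendor_for(mac):
    """Vendor name for the first three octets, or None if not in the table."""
    return OUI_VENDORS.get(to_cisco_mac(mac)[:7])

def ips_for_mac(mac, arp_output):
    """Return every IP address whose ARP entry carries this MAC."""
    wanted = to_cisco_mac(mac)
    hits = []
    for line in arp_output.splitlines():
        fields = line.split()
        # Data rows look like: Internet <ip> <age> <mac> <type> [interface]
        if len(fields) >= 5 and fields[0] == "Internet" and fields[3].lower() == wanted:
            hits.append(fields[1])
    return hits

if __name__ == "__main__":
    mac = "00:40:96:12:34:56"  # constructed MAC as a wireless survey tool might show it
    print(to_cisco_mac(mac), vendor_for(mac), ips_for_mac(mac, SHOW_ARP))
```

An empty result only means the router holds no ARP entry for that MAC, which is what to expect when the address is the radio-side one described in the reply above.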

dbellazetin
Level 4

Can you connect to the AP and pass traffic? If yes, I would sync up and do some data transfers. Then go to your switches and check the address tables (CatOS show cam dyn, or IOS show mac-address-table) and find your MAC. Whatever port it's reporting on should be the Ethernet side of the AP and you could go from there.

You could also run sniffer software and watch for a frame with that MAC and see if it contains the IP info.

Daniel