
detect all IPs/MACs on network?


This seems straightforward, but I'm having trouble finding an answer.

I'm trying to map a private network behind a NAT. Someone in the Lab set up a NAT router that everything is behind, but that person is long gone and they don't have login credentials for the router anymore. I'm trying to map the network (PCs/Macs and ethernet-connected Research apparatus). If it was just PCs.. I'd go computer to computer and pull the MACs.. it's the networked lab equipment that's harder to inventory.

I've got at least a partial inventory of devices by IP. I'm looking to find MACs for these devices so we can set up DHCP reservations on a new router.. since I can't log into the existing one to see what they did.

I plugged in, started a packet capture, and nmap'ed some IPs to generate traffic. What I'm looking to do is generate a report... or filter.. that will show me IPs w/ corresponding MACs.

I've found a few so far by just searching through the whole log for IPs (sender).. opening the packet capture and searching for the source MAC.. but that's proving tedious.
Is there any way to display all IPs with corresponding MACs from the Capture?

Thanks, Steven.

ffakr
asked 2023-12-21 02:58:15 +0000

1 Answer


I am not sure Wireshark is the best tool for this. Some options:

  1. Specific tool for this, like lansweeper and probably many others. AngryIP scanner maybe?
  2. On the host running nmap, investigate the ARP cache as that will map IPs to MAC addresses.
  3. tshark output of src IP with src MAC, filtered on a Linux system:

    tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t

You will only be able to reliably map MAC to IP on the local network in most cases.

Example:

    wsuser@wssys:~/tmp$ tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t
    10.1.10.1     01:05:ca:08:0f:1c
    10.1.10.50    02:cd:e6:65:aa:c2
    10.1.10.58    03:90:0b:de:10:e5
    10.1.10.6     04:b7:1f:5c:f1:a8

Bob Jones
answered 2023-12-21 11:51:31 +0000, updated 2023-12-21 11:57:52 +0000

Comments

Good point. This was partially a case of everything looks like a nail when all you've got is a hammer. Wireshark was on my laptop already and I figured.. 'sure, it's possible to do discovery by just sorting through a big packet dump'. I'm familiar with LANSweeper, not that I use it regularly.. I'll check out AngryIP too.

The tshark command did do exactly what I was looking for though. Thank you.

ffakr (2023-12-21 17:14:29 +0000)

BTW.. just to be helpful.. the command line option you provided worked perfectly on macOS too... so BSD. :-). Thanks again, I really appreciated your help.

ffakr (2023-12-22 19:55:55 +0000)
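
An added example, not part of the original answer or of Wireshark: a post-processor for the `ip.src eth.src` rows that the tshark command above prints. It applies the answer's caveat that only local-network pairs are reliable by separating on-subnet hosts from traffic relayed through a router, and it holds back any IP seen with more than one MAC instead of turning it into a reservation. The function name `build_inventory`, the subnet `10.1.10.0/24` and the sample rows are assumptions made up for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "ip.src eth.src" layout the tshark command prints
# (made-up addresses, not taken from a real capture).
SAMPLE = """\
10.1.10.1 02:00:00:00:00:01
10.1.10.50 02:00:00:00:00:50
10.1.10.6 02:00:00:00:00:06
10.1.10.58 02:00:00:00:00:58
10.1.10.58 02:00:00:00:00:99
8.8.8.8 02:00:00:00:00:01
192.168.7.20 02:00:00:00:00:01
"""

def build_inventory(text, local_net):
    """Split 'ip mac' rows into reservations, conflicts and relayed traffic."""
    net = ipaddress.ip_network(local_net)
    local = defaultdict(set)      # on-subnet IP -> MACs seen sending as it
    forwarded = defaultdict(set)  # MAC -> off-subnet IPs it relayed (a router)
    for row in text.splitlines():
        fields = row.split()
        if len(fields) != 2:
            continue              # blank or malformed row
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue              # e.g. "a,b" when a frame has two IP headers
        mac = fields[1].lower()
        if ip in net:
            local[ip].add(mac)
        else:
            forwarded[mac].add(ip)
    reservations, conflicts = {}, {}
    for ip in sorted(local):      # numeric order, unlike `sort -k1`
        macs = sorted(local[ip])
        if len(macs) == 1:
            reservations[str(ip)] = macs[0]
        else:
            conflicts[str(ip)] = macs  # resolve by hand before reserving
    routers = {m: [str(i) for i in sorted(ips)] for m, ips in forwarded.items()}
    return reservations, conflicts, routers

if __name__ == "__main__":
    res, conflicts, routers = build_inventory(SAMPLE, "10.1.10.0/24")
    for ip, mac in res.items():
        print(f"reserve  {ip:<15} {mac}")
    for ip, macs in conflicts.items():
        print(f"CONFLICT {ip:<15} {', '.join(macs)}")
    for mac, ips in routers.items():
        print(f"router?  {mac} relayed {', '.join(ips)}")
```

An IP that lands in the conflict list may be a device that was swapped, a duplicate static address, or a host answering for another, so it is worth checking at the device before the reservation is written.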