Use H/W address to find its user

[FreesiaCat]

We've been given a H/W address and have to check who or which PC this H/W address belongs to. We've many PCs here and it's impossible for us to check the PC one by one. We know that we can find the PC's name and the current login user by IP address. But can we do the same by Hardware address / MAC address? Thanks a lot.

 

[jimbopalmer]

My Router has a ARP table that maps IP addresses to MAC addresses, I go there to get the Mac address and the port of the interface out of my Router. In my Switches, is the forwarding table showing which MAC addresses are forwarded down each port. Fortunately for me, my GUI device manager in both, allows me to sort by MAC address. (I use Device Manager 5.3 on Nortel Baystack 450s and Passport 1200s) The one thing you can't give for your heart's desire is your heart. - Lois McMaster Bujold

 

[ifincham]

Hi,

One way is to ping the ip addresses and then do 'arp -a' to display the local arp table which should then contain the resolved mac addresses.

Rgds

 

[ifincham]

Hi,

contd... actually if its windows you can do 'nbtstat -A 10.0.0.1' (or whatever ip address) to get not only the mac address but the netbiosnames which may well include username.

Regards

 

[FreesiaCat]

Actually the whole thing is that we got 2 machines with the same IP address thus they have IP conflict when both of them are on our LAN. We locate one of the machines but we couldn't find the second one. From the first one we get the Hardware address of the second machine when we checked the event viewer. But that's all we got for the second machine. That's why we wonder if we can actually find that machine's name or user by hardware address. Actually what will happen when there's a IP conflict, except there will be error message? Assume the first machine is on first and had been using that IP address, what will happen to the 2nd machine when it's on? Sure it will get the error message but will it be able to log in to our LAN too? If both can be connected to our LAN using the same IP and I happen to use "nbtstat -a" on them, what will be the results? Thanks a lot.

 

[jimbopalmer]

the trick of looking in the forwarding table of your switches will work even when the MAC addresses conflict, as will the other tricks if PC one is turned off for over 5 minutes (most tables flush in 300 seconds) The one thing you can't give for your heart's desire is your heart. - Lois McMaster Bujold

 

[FreesiaCat]

However, how can I check the forwarding table on the switch? Do you mean switch or the router actually? Sorry I am not so familiar with networking equipments. Also, what if that machine has been shutdown for more than a day, will it still be able to be chased by the forwarding table? Thanks.

 

[ifincham]

Hi,

On the switch - what is meant here is a device that looks like a hub and ostensibly serves the same purpose. However, with an ethernet switch (Token Ring is not quite so simple) the device 'learns' on what ports mac addresses communicate and once its learned where a pair of addresses are (e.g. source mac addr is on port 1 target is on port 5) it uses cut-through switching to just transmit directly to the correct port rather than repeating through all ports. Thats a simplistic explanation and doesn't take account of vlans, etc., but the point in this context is that if you are using switches instead of hubs then the switches will have internal tables telling you which physical port a given mac address is connected to.

On dupe IP addresses, I believe that in a windows environment it would be possible to have two PCs active on the network with the same IP address if those PCs had netbios installed as well as TCP/IP. Certainly dupe mac addresses causes major problems if you use a laa (locally administered address) scheme - i.e. where you replace the burned-in mac address with a logical equivalent.

What would happen with dupe IP address is unpredictable. Basically, on the same subnet arp will be used. So a local broadcast message is sent out asking for for '10.0.0.1' or whatever to respond with their mac address. That then goes into the requester's arp table. Thereafter packets would be routed with the resolved mac address. If its outside the subnet, IP routing would send the packet to whichever gateway and so on until eventually it ends up on the target subnet when, once again arp comes into play. So it would all depend what mac address ended up in the arp table. What a windows machine would do if it got two arp responses for the same IP address is a good question.

Do you have any 'sniffer' software such as nai's sniffer pro ? If so you can set it up to monitor all traffic to and from that IP address and thereby get the mac address and other info. tcpdump for linux will essentially do the same for zero cost of course !

Hope this is of some help
Regards

 

[FreesiaCat]

I pretty much understand how it works. However, I've been searching the CISCO site hoping to find the command for it, but there doesn't seem to be any. Is there any command I can use to view the table? May you please help? Thanks.