Using RARP or other method to resolve MAC to IP

Status
Not open for further replies.

Geekmomz

MIS
Feb 21, 2002
53
US
I'm monitoring my network (~60 devices) and see an unusually large amount of traffic from a particular device. The EtherPeek software is only providing the MAC address of this device, and I can't seem to locate it based on that. Either the IP address or the NetBIOS name ought to help me determine what device it is.

From what I understand, RARP is the way to resolve MAC to IP address, but I can't seem to find a client software that will perform RARP resolution. Can anyone suggest either a free or trial software that will perform these resolutions, or another way to find the information? FWIW, I need to be able to do it from Win NT 4.0 SP6, preferably, or if there is no other option, from Win XP.

Thanks!
Geekmomz
 
I have always wondered why such a product does not exist but I'm pretty sure it doesn't. The two easiest ways I can think to go about tracking it down are:

1) get on a router & examine its ARP table
(cisco) sh arp | include hhhh.hhhh.hhhh

2) put a PC on the suspected subnet and perform a ping sweep. Then in the command line type 'arp -a >arp.txt'. You can then inspect the table by opening the file arp.txt. You can also try piping the output to a filter then displaying the results. I think that would look like arp -a | find "mac address"
----------------------------------------
Wassabi Pop Tarts! Write Kellogs today!
 
Thank you, jgercken. You've been very helpful. I'm going to try that today. Maybe some programmer will see this and be inspired. :)
 
Hi y'all!

Good suggestion, jgercken, but the line "arp -a >arp.txt" doesn't work.

I perform a ping sweep like this:

FOR /F "delims= " %%x IN (C:\ADD.TXT) DO PING -a %%x

where add.txt contains the ip addresses on our network.

The problem is that when I run this:

FOR /F "delims= " %%x IN (C:\ADD.TXT) DO arp -a %%x

I only get back a limited number of mac addresses. I believe the arp values are cached for a limited time and evaporate before I can get to them.

Any other ideas or suggestions?

Help is always appreciated.

Kirm
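
Added example, not part of any post in this thread: a Python sketch of the lookup discussed above, searching saved ARP tables for one MAC address regardless of whether the table came from Windows `arp -a` or a Cisco `sh arp`. The sample tables, addresses and function names are constructed for illustration; passing several captures (for instance one saved right after each ping) is an assumption about how to keep entries that would otherwise age out of the cache.

```python
import re

# A MAC as Windows (aa-bb-cc-dd-ee-ff), Unix (aa:bb:...) or Cisco (aabb.ccdd.eeff) prints it.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample captures (not real network data).
WINDOWS_ARP = """\
Interface: 192.168.1.5 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-12-34-56     dynamic
  192.168.1.37          00-10-a4-b2-9c-3e     dynamic
"""
CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   00a0.c912.3456  ARPA   Ethernet0
Internet  192.168.1.37            4   0010.a4b2.9c3e  ARPA   Ethernet0
"""

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def arp_entries(text):
    """Yield (ip, normalized_mac) for every row that contains a MAC address."""
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header lines and the Windows "Interface:" line carry no MAC
        ip = IP_RE.search(line[:m.start()] + line[m.end():])
        if ip:
            yield ip.group(0), normalize_mac(m.group(0))

def ips_for_mac(mac, *captures):
    """Return each IP seen with this MAC across all captures, in first-seen order."""
    wanted, found = normalize_mac(mac), []
    for text in captures:
        for ip, entry_mac in arp_entries(text):
            if entry_mac == wanted and ip not in found:
                found.append(ip)
    return found

if __name__ == "__main__":
    print(ips_for_mac("00:10:A4:B2:9C:3E", WINDOWS_ARP, CISCO_ARP))
```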

 