Link to home
Start Free TrialLog in
Avatar of samphi
samphiFlag for Canada

asked on

Find a IP with the MAC address (reverse Lookup)

Hi,

I've a MAC address... How I can find the IP Address of that machine.

Thank in advance.
Phil !
ASKER CERTIFIED SOLUTION
Avatar of scraig84
scraig84

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of geoffryn
geoffryn

You also might look at your DHCP server.  It should list the MAC addresses of all machines that have leased IP addresses on the network.
Maybe it's only running IPX so doesn't have an IP address?
Interesting thought - but I think you might want to refer back to the question...
I have read the question.

I was simply pointing out that the question "I've a MAC address... How I can find the IP Address of that machine." is invalid since it might be running properly with no IP addresses (or maybe 20 of them) bound to the same card/mac address. Am I wrong to do that?

You are right in your first comment that it is pot-luck that you see the arp entry on a machine or see it when sniffing the cable so you should get the points.  There's no guaranteed interrogation method short of a DoS attack against it and see which user complains. At least you can find the make of the card normally though.
If you know the subnet it is sitting on, ping the broadcast address from a windows machine. Then inspect the arp table afterwards.

Example;
If your subnet was 192.168.1.0 with a subnet of 255.255.255.0

Then would run;

ping 192.168.1.255

That might do it for you, good luck
Avatar of samphi

ASKER

Hi All,

I'm happy to see that you're interested in my question!
;o)

I'm checked my routers and switches, and I have a abnormal plug. (too much transfer) and I have only his MAC addresse...

There's not a DHCP... There's a static IP...
Yes "ARP -a" is a good utility, but I was not found that IP... Actually, I'm thinking that's a printer...

I will wait still before distributing the points...

My "hunting" continue...
Excuse my english.
Phil !

ps: If that continues, I'll unplug this cable and I'll receive a call ;o)
Go to www.download.com and in the search bar put
"mac address" (without the quotes).  It will turn up some tools like Whaddayagot 2.0 and APK GetMacAddress 1.0 that will help you to find the info you're looking for.  There are other network monitoring tools that will show that information also.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
when you have an MAC address and want to find out who's MAC is that, you use reverse ARP (RARP)... it functions just like a ARP but instead of asking 'i got an ip x.y.z.n what is the MAC?', it asks 'i got an MAC what is the IP?' if the destination has one it would send...
<off topic>
Kakarika, I see you are new to EE, welcome. The site is more about collaboration between experts to find the solution to a problem rather than an exam test site, most experts restrict themselves to providing comments that the questioner can later select as the answer if it solves their problem and as such you should only click on answer if you are 300% sure you have the solution. Sometimes you will provide helpful comments for no reward, other times you may be rewarded points where others have helped without reward, it evens itself out.

Comments
Comments are intended to be used as a collaboration tool. Many Experts choose to post their solutions
as comments only.

Answers
An answer is a specific solution to a question and should be submitted if it will solve the questioner's
problem and doesn't duplicate a previous comment.

Comment Vs. Answer
If you are unsure of your solution, post it as a comment. Members can accept comments as solutions and
award you Expert Points for them.

<on topic>
I thought RARP was a forerunner to BOOTP and DHCP, unless he has a RARP server to query your answer means that nowadays I would look it up on a DHCP server which Geoff suggested earlier. Correct me if there is a protocol to query the MAC address for it's possible IP addresses.
Sorry no offence but kakarika is wrong. RARP is used to by a diskless device to find its IP address using a BOOTP Server.
For reasons stated above and below, proposed answer rejected.

Computer101
E-E Moderator


Comments
Comments are intended to be used as a collaboration tool. Many Experts choose to post their solutions as comments only.

Answers
An answer is a specific solution to a question and should be submitted if it will solve the questioner's problem and doesn't duplicate a previous comment.

Comment Vs. Answer
If you are unsure of your solution, post it as a comment. Members can accept comments as solutions and award you Expert Points for them.

For more tips on comments and answers, click here.

Phil, you still with us? any correlation with that MAC address and a manufacturer or is it a deliberate attack with a cloned MAC address?

Surely to have seen the MAC address on the network is to posess a trace containing it in the header of a packet, so lets examine that trace or the output of the tool that saw it in the first place or did some comment lead you to identifying it and you ran away without acknowledging the hint that helped identify it.

I'd rather see this paq'd with 0 points for all than the knowledge wasted, "I'm happy to see that you're interested in my question!" damn right there, but now we are interested in the solution and you haven't commented for a while.
Avatar of samphi

ASKER

Hi andyalder and all,

I've somes seconds...;-)

Ok, My switch indicated 1Gig transfer in one night, And I've only the MAC address. Then I going to hunting to IP.

I received somes tools and tips :
"ARP -a"
http://www.coe.uky.edu/~stu/nic/nic.cfm
http://www.synapse-networks.com/ban/HTML/P_LAYER2/Eng/P_lay280.html 

And with this links, I discovered that MAC is not a PC. there's a defect printer. I was gone searching for that printer, floor by floor...  I'm always interested to find a good tip or tool for trace the IP via the MAC.

Thank you for your help.
I continue...
I keep you informed...

Phil !
Just remembered, assuming it's a jetdirect you can do
"arp -s <ip address> <mac address>" where <ip address> is a spare IP address on your local subnet and <mac address> is the mac of the printer. Next "telnet <ip address>" and you get the menu of the jetdirect and can read what it's stored IP address is. Then delete the static arp entry and print a "help please phone IT and tell me where this printer is" message to it.

Doesn't work with a PC as the target since they don't respond to the packets unless the MAC and IP are both correct but printers normally respond whatever the IP address is if the MAC is theirs. It was the only way to initially setup jetdirects before jetadmin for unix was written. Method probably works with other printers as well.

Of course you could use wspingpro or similar mapping program to ping every address on the local subnet then look in arp cache but that won't help unless it has an address on that subnet.
samphi:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
For what it's worth I had a similar issue (MAC but IP unknown).  Followed UKWizard's advice and voila IP matching the MAC.
Thanks
If you have a linux machine on your network load up arpwatch.  It will watch the network and build a table (arp.dat) that you can refer to.

Will
C:\>arp -a 00-12-D9-3C-50-22
ARP: bad argument: 00-12-D9-3C-50-22

C:\>

Help!

itamt, this question was closed ages ago, you'll have to ask your own question on the syntax of the ARP command.

I can confirm however that that is not the correct syntax.
just use
arp -a
and it will list all mac adresses known to him.
CC Get Mac Address is a nice tool. One may try that as well..
First scan All IP addresses in your subne (http://www.radmin.com/products/utilities/ipscanner.php)

 then run "arp -a" in command line on your PC
If you had smart switches on the network, you could scan the switches with dumps of information on what ports are doing the most communication.
But, just like everyone else is saying, you need to see the traffic at it's source or close to it.

That being said, you could put a popular sniffer on the same switch and watch for the traffic, and narrow it down to the port, then, tone out the port with a popular tone generator of your choice.  $100 to $150 at the most for a good one.   Could be more if you are more interested in the really good ones.
I used the radmin ipscanner that adrimanssc recommended above and it worked well.  It gives you a nice list with client name, IP Address, and MAC Address and all 3 fields are sortable.
if the machine is in the same subnet, well it could work or could not work if the device has contacted to the machine where u are running this command. Ur luck.
But this is what i usually do if that doesnt work, then the final step is to check the arp table of your router
go to a machine open command prompt
type
arp -a >1.txt & 1.txt

it will generate a text file and then press CTRL + F and type the MAC address , boom if its either there with an ip or its not there lol.

Cheers.