Solved

Find a IP with the MAC address (reverse Lookup)

Posted on 2002-03-20
27
704,917 Views
2 Endorsements
Last Modified: 2013-11-10
Hi,

I've a MAC address... How I can find the IP Address of that machine.

Thank in advance.
Phil !
2
Comment
Question by:samphi
27 Comments
 
LVL 8

Accepted Solution

by:
scraig84 earned 150 total points
ID: 6882508
Typically you would need to find it on one of your machine's arp tables.  If there is a router in your network, this is usually the most central place to gather that type of info.  On a cisco router, the command is "show arp" - it will give you a listing of the MAC addresses and their corresponding IP address.  On a windows box, from a DOS prompt you can type "arp -a" to see similar output.

Happy hunting - and good luck!
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6882846
You also might look at your DHCP server.  It should list the MAC addresses of all machines that have leased IP addresses on the network.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6884039
Maybe it's only running IPX so doesn't have an IP address?
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6884054
Interesting thought - but I think you might want to refer back to the question...
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6884121
I have read the question.

I was simply pointing out that the question "I've a MAC address... How I can find the IP Address of that machine." is invalid since it might be running properly with no IP addresses (or maybe 20 of them) bound to the same card/mac address. Am I wrong to do that?

You are right in your first comment that it is pot-luck that you see the arp entry on a machine or see it when sniffing the cable so you should get the points.  There's no guaranteed interrogation method short of a DoS attack against it and see which user complains. At least you can find the make of the card normally though.
0
 
LVL 3

Expert Comment

by:UkWizard
ID: 6884146
If you know the subnet it is sitting on, ping the broadcast address from a windows machine. Then inspect the arp table afterwards.

Example;
If your subnet was 192.168.1.0 with a subnet of 255.255.255.0

Then would run;

ping 192.168.1.255

That might do it for you, good luck
1
 

Author Comment

by:samphi
ID: 6885352
Hi All,

I'm happy to see that you're interested in my question!
;o)

I'm checked my routers and switches, and I have a abnormal plug. (too much transfer) and I have only his MAC addresse...

There's not a DHCP... There's a static IP...
Yes "ARP -a" is a good utility, but I was not found that IP... Actually, I'm thinking that's a printer...

I will wait still before distributing the points...

My "hunting" continue...
Excuse my english.
Phil !

ps: If that continues, I'll unplug this cable and I'll receive a call ;o)
0
 

Expert Comment

by:johntegg
ID: 6886651
Go to www.download.com and in the search bar put
"mac address" (without the quotes).  It will turn up some tools like Whaddayagot 2.0 and APK GetMacAddress 1.0 that will help you to find the info you're looking for.  There are other network monitoring tools that will show that information also.
0
 
LVL 55

Assisted Solution

by:andyalder
andyalder earned 50 total points
ID: 6886693
If you think it's a printer then the first step is to find the manufacturer from something lookup chart like http://www.coe.uky.edu/~stu/nic/nic.cfm or http://www.synapse-networks.com/ban/HTML/P_LAYER2/Eng/P_lay280.html
0
 

Expert Comment

by:kakarika
ID: 6887277
when you have an MAC address and want to find out who's MAC is that, you use reverse ARP (RARP)... it functions just like a ARP but instead of asking 'i got an ip x.y.z.n what is the MAC?', it asks 'i got an MAC what is the IP?' if the destination has one it would send...
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6891051
<off topic>
Kakarika, I see you are new to EE, welcome. The site is more about collaboration between experts to find the solution to a problem rather than an exam test site, most experts restrict themselves to providing comments that the questioner can later select as the answer if it solves their problem and as such you should only click on answer if you are 300% sure you have the solution. Sometimes you will provide helpful comments for no reward, other times you may be rewarded points where others have helped without reward, it evens itself out.

Comments
Comments are intended to be used as a collaboration tool. Many Experts choose to post their solutions
as comments only.

Answers
An answer is a specific solution to a question and should be submitted if it will solve the questioner's
problem and doesn't duplicate a previous comment.

Comment Vs. Answer
If you are unsure of your solution, post it as a comment. Members can accept comments as solutions and
award you Expert Points for them.

<on topic>
I thought RARP was a forerunner to BOOTP and DHCP, unless he has a RARP server to query your answer means that nowadays I would look it up on a DHCP server which Geoff suggested earlier. Correct me if there is a protocol to query the MAC address for it's possible IP addresses.
0
 
LVL 3

Expert Comment

by:trath
ID: 6903667
Sorry no offence but kakarika is wrong. RARP is used to by a diskless device to find its IP address using a BOOTP Server.
0
 
LVL 1

Expert Comment

by:Computer101
ID: 7007560
For reasons stated above and below, proposed answer rejected.

Computer101
E-E Moderator


Comments
Comments are intended to be used as a collaboration tool. Many Experts choose to post their solutions as comments only.

Answers
An answer is a specific solution to a question and should be submitted if it will solve the questioner's problem and doesn't duplicate a previous comment.

Comment Vs. Answer
If you are unsure of your solution, post it as a comment. Members can accept comments as solutions and award you Expert Points for them.

For more tips on comments and answers, click here.

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 55

Expert Comment

by:andyalder
ID: 7009555
Phil, you still with us? any correlation with that MAC address and a manufacturer or is it a deliberate attack with a cloned MAC address?

Surely to have seen the MAC address on the network is to posess a trace containing it in the header of a packet, so lets examine that trace or the output of the tool that saw it in the first place or did some comment lead you to identifying it and you ran away without acknowledging the hint that helped identify it.

I'd rather see this paq'd with 0 points for all than the knowledge wasted, "I'm happy to see that you're interested in my question!" damn right there, but now we are interested in the solution and you haven't commented for a while.
0
 

Author Comment

by:samphi
ID: 7010972
Hi andyalder and all,

I've somes seconds...;-)

Ok, My switch indicated 1Gig transfer in one night, And I've only the MAC address. Then I going to hunting to IP.

I received somes tools and tips :
"ARP -a"
http://www.coe.uky.edu/~stu/nic/nic.cfm
http://www.synapse-networks.com/ban/HTML/P_LAYER2/Eng/P_lay280.html

And with this links, I discovered that MAC is not a PC. there's a defect printer. I was gone searching for that printer, floor by floor...  I'm always interested to find a good tip or tool for trace the IP via the MAC.

Thank you for your help.
I continue...
I keep you informed...

Phil !
0
 
LVL 55

Expert Comment

by:andyalder
ID: 7015790
Just remembered, assuming it's a jetdirect you can do
"arp -s <ip address> <mac address>" where <ip address> is a spare IP address on your local subnet and <mac address> is the mac of the printer. Next "telnet <ip address>" and you get the menu of the jetdirect and can read what it's stored IP address is. Then delete the static arp entry and print a "help please phone IT and tell me where this printer is" message to it.

Doesn't work with a PC as the target since they don't respond to the packets unless the MAC and IP are both correct but printers normally respond whatever the IP address is if the MAC is theirs. It was the only way to initially setup jetdirects before jetadmin for unix was written. Method probably works with other printers as well.

Of course you could use wspingpro or similar mapping program to ping every address on the local subnet then look in arp cache but that won't help unless it has an address on that subnet.
0
 

Expert Comment

by:CleanupPing
ID: 9155779
samphi:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 

Expert Comment

by:ndenny
ID: 12318761
For what it's worth I had a similar issue (MAC but IP unknown).  Followed UKWizard's advice and voila IP matching the MAC.
Thanks
0
 

Expert Comment

by:willyjd1
ID: 12780091
If you have a linux machine on your network load up arpwatch.  It will watch the network and build a table (arp.dat) that you can refer to.

Will
0
 

Expert Comment

by:itamt
ID: 13782588
C:\>arp -a 00-12-D9-3C-50-22
ARP: bad argument: 00-12-D9-3C-50-22

C:\>

Help!

0
 
LVL 55

Expert Comment

by:andyalder
ID: 13783772
itamt, this question was closed ages ago, you'll have to ask your own question on the syntax of the ARP command.

I can confirm however that that is not the correct syntax.
0
 
LVL 4

Expert Comment

by:tomerlei
ID: 14031078
just use
arp -a
and it will list all mac adresses known to him.
0
 

Expert Comment

by:subhanandi
ID: 14107459
CC Get Mac Address is a nice tool. One may try that as well..
0
 

Expert Comment

by:adrimanssc
ID: 24269505
First scan All IP addresses in your subne (http://www.radmin.com/products/utilities/ipscanner.php)

 then run "arp -a" in command line on your PC
0
 

Expert Comment

by:wogspend
ID: 25481272
If you had smart switches on the network, you could scan the switches with dumps of information on what ports are doing the most communication.
But, just like everyone else is saying, you need to see the traffic at it's source or close to it.

That being said, you could put a popular sniffer on the same switch and watch for the traffic, and narrow it down to the port, then, tone out the port with a popular tone generator of your choice.  $100 to $150 at the most for a good one.   Could be more if you are more interested in the really good ones.
0
 

Expert Comment

by:bsteph10
ID: 36396447
I used the radmin ipscanner that adrimanssc recommended above and it worked well.  It gives you a nice list with client name, IP Address, and MAC Address and all 3 fields are sortable.
0
 
LVL 1

Expert Comment

by:Tech Savy
ID: 39637385
if the machine is in the same subnet, well it could work or could not work if the device has contacted to the machine where u are running this command. Ur luck.
But this is what i usually do if that doesnt work, then the final step is to check the arp table of your router
go to a machine open command prompt
type
arp -a >1.txt & 1.txt

it will generate a text file and then press CTRL + F and type the MAC address , boom if its either there with an ip or its not there lol.

Cheers.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now