LockDown32 asked:

Need MAC Address Scanner

We were given a network with no idea of the subnet structure. What I am essentially looking for is a MAC Address Scanner that will go through every MAC Address known to man and report back the found MAC Address and corresponding IP. I realize it will take a long, long time to do.....
ASKER CERTIFIED SOLUTION
Jacob Durham

This solution is only available to members.

Andy Bartkiewicz

You could just do a show arp from your router
LockDown32 (ASKER)

I have Advanced IP Scanner and nowhere can I find where you can enter a starting and ending MAC and have it scan. If I am missing something please clue me in.

I have seen threads where Angry IP Scanner is supposed to do it too, until you try it and it won't. Are you sure it will scan all MAC Addresses known to man?

If the router is like Windows then all you will get with an arp -a are MAC Addresses you have already communicated with. That isn't what I am looking for. Once again I want to scan every MAC address known to man. If you still think that is possible with the router please give me a little more detail on how to do it.
No, and that is because scanners generally will work on scanning IP addresses, and giving you the corresponding MAC address. And that makes far more sense. Remember that ARP tables are everywhere: workstations, switches, etc.

But I would ask doesn't it make more sense to check the firewall, router, and switches for information on VLANs? That will help you get the answer to what subnets exist. Far more practical than trying to start by MAC address.
You're going about this the wrong way.

There are 2^48 possible MAC address combinations.

There are only 2^32 possible IPv4 address combinations.

Of which, only 2^24.09275~ are private.

Just scan all IP ranges.

You probably have at least an idea of what ranges are being used - so just scan those.
That might make far more sense depending on what you want to do. What people are replying with are "IP Scanners". I have an IP Scanner. I want a MAC scanner.

There are no VLANs (well just the default #1). The devices could have been left at the factory default or they could have been changed to a given subnet. I have no way of knowing hence the need for a MAC Scanner. Time is not important as mentioned. If I can find a MAC Scanner I can turn it loose for weeks.

If there is a better way I'd love to hear it. If you want a little more detail it is a subnet of cameras, switches and NVRs that got abandoned. Some devices are at their factory default settings, some aren't. We have no idea how many devices there are or what their IP addresses are hence the need for a scanner that will scan by MAC address.
Well you can do this + best ensure your network is completely firewalled by the rest of the world.

If any MAC Address scans leak to the public net, likely your ISP + many other ISPs will block all IPs participating in this scan, as this is considered a Bot Scan.

Also keep in mind... If you do this... you'll have to run many parallel threads to check every conceivable MAC Address. Depending on what tool you use, you may be dead before it finishes.

Better to start with known IP ranges your company owns (likely very easy to figure out) + then just scan the IP ranges for which IPs are pingable.

Usually a ping test on IP ranges will finish in a few minutes.
OK. So if there are 10 cameras and all 10 are at their factory IP address of say 192.168.1.1 an IP Scan will only find one won't it? Then what? Change the IP to something else and re-scan? That won't wind up being much easier...

While we are on the topic..... if you scan every IP address known to man won't it only find things on the same subnet as your network card?
Scanning for MAC addresses does not pass routers including layer 3 switches. Scanning for all possible MAC addresses just floods the local network.
And there is no way you have no knowledge of the local subnet. Never ever. Unless you have to play admin for a network no one still accessible has set up. If I would be in the unlikely need, I would just run a network capture for some time to get an idea - but that is only a starting point.
No - you can scan other subnets. You're very argumentative for someone who doesn't understand basic networking.

If you had 10 cameras on the same IP you'd have address conflicts and likely only able to connect to one at any given time.

How are these cameras connected? It'd be faster to factory reset every camera and set a new IP than scan every IP address known to man.
OK. So if there are 10 cameras and all 10 are at their factory IP address of say 192.168.1.1 an IP Scan will only find one won't it? Then what? Change the IP to something else and re-scan? That won't wind up being much easier...
You've already said there are no VLANs. Now that lets you figure out what at least one of the subnets is. Start from there. Scan the entire subnet. The IP scanners mentioned are capable of figuring out the MAC addresses of the devices whose IP addresses they were able to find. Chances are you'll find the properly configured cameras (assuming that the NVR does not act as a NAT device).

The information you find can be used for process of elimination. Use the switches (if they are managed) to help you locate where all of the known and properly configured cameras are (key: forwarding tables). You will still have other forwarding table entries remaining. Check to see who the manufacturer associated with those MACs is, and use that to determine which switch ports point to areas you need to research.

Note: This also assumes said devices are even connected to the network. (Just because they are abandoned doesn't mean they are connected, even if they are still mounted)
Thanks Jacob. That was kind of an ass comment to make. I am not argumentative. You simply haven't supplied any solutions and obviously don't understand networking. Sure we'll factory reset every camera. All we have to do is first find them, then call Comcast and bring in one of their huge cherry pickers to go 30 feet in the air to reset them. Excellent idea.

Now how about offering something useful? About the only thing that we can "guess" at is that it is probably a class C subnet. So.... fire away. Give me a solution......
@masnrock.... what is the starting and ending IP Addresses/subnet you suggest I scan?
Do you have access to log into any of the switches? Or even a router associated with that network? I'd look into one of those and let that determine information on the subnet to start with.
Here is just one of the problems. Yes we have found two switches but they are at the factory defaults which really doesn't help determine the subnet that this guy was using. There was no router until this morning when I put one in to gain access to this subnet remotely. There are no computers on this subnet.

The only thing that I can hopefully assume is that he used a class C subnet but even that is only a guess.  So I'll happily abandon the request of a MAC Scanner but so far I have no other real suggestions.

I can even scan by IP address as others are suggesting but what would I use to do all possible class C subnets?
It's down to what your time is worth. You don't seem to even know if these devices work.

Are they even connected to your network? Are they even powered on? Are they POE? There's a good place to start. What ports are serving POE on your switches?

Are they all at one single location? Spread across multiple sites?

I'm not sure what you're talking about calling Comcast? Are they ceiling mounted in a warehouse? Do you not have a ladder? A scissor lift?

Are the cameras connected to DVR? Where are they recording to? When was the last time they worked?
Are the switches managed? If everything is connected to it, then you can look at their forwarding tables. That will contain MAC address information. But like I mentioned earlier, this assumes that things are connected and powered on.

And like Jacob mentioned, if the switches are not POE, but the devices require POE, then even a scan will not pick up those devices.
Of course you can scan all class C subnets...

But there's only a small range of private addresses in the class C that could be used.

192.168.0.0/24

That's basic networking.
That is what I am trying to explain. I know nothing about these devices. I don't even know if they work. I know they are ethernet and I know from looking at the two switches we have found that they are connected. That is the extent of what I know.

@masnrock is correct in that if I can find the IP of one device it would probably tell me the subnet I am working with but how do you find the IP address of that one magical device?

The cameras are POE and I can tell by looking at the port on the switch if the POE is active but that doesn't help. These cameras are spread across five different buildings linked together with fiber. Some (most actually) are a good 50 feet up which means I can't just put a paper clip in the reset hole......
What kind of switches? You should be able to tell which ports are drawing POE and then IP on the other side of that port in the switch config.

Do you have console/admin access to the switches?
@masnrock is correct in that if I can find the IP of one device it would probably tell me the subnet I am working with but how do you find the IP address of that one magical device?
Remember I've been asking whether these are managed switches? Assuming that the answer is yes... You need to log into them, then work on getting information from their forwarding tables. For all we know, these switches could have console ports, which would be a way into them without knowing the IP address. I assume that you also looked at the comment from Qlemo about doing a capture?
They are either Black Box or Flir switches. We found the MAC Address table in one of the Black Box switches. There are 8-10 addresses in that MAC Table. So how do you turn a MAC Address into an IP Address?
You show the ARP table.

You can also look up the MAC and find the vendor.

On a blackbox switch you would use:

show ip arp

And we are doing this via SSH?

Here is the result:

# show ip arp
192.0.2.50 via VLAN1:c8-1f-66-04-9a-c1
#

That wasn't in the MAC Address Table either....
Do a
show ip interface brief

all that did was return the subnet the switch is on. 192.0.2.1/24  that is the factory default
Can you paste the full output of
show ip interface brief

show ip interface

show running-config

Here's the problem (as I see it).

You want to probe every possible MAC address so you can have a list of all the devices on your network.  Well, with 48 bits, that gives you almost 300 trillion possible addresses.  Now the valid number is a bit lower. Probably around 1 trillion. So scanning would take a long time. Figure 5 seconds per probe and if my math is right (always a dangerous assumption), that's about 158 thousand years!

Next is the problem of what probe.  How do you get a device to respond to a probe at just layer 2.  I've never thought about how to do this so I may be missing something obvious, but I can't think of a way at layer 2 to get every different type of device to respond without some upper layer protocol.  If we're talking about switches, you could use STP.  If all the devices were using IP, you use ARP (at least that would get you down to about 3 billion combinations which would take only 475 years).  Obviously you could shorten the timeout of your probes, but (I think) it's still an insurmountable problem.
Thanks guys. No real solution but it was an interesting romp!
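
The thread suggests running a network capture to learn what is on an unknown segment. As an added example (not part of any post in the thread), this Python code parses captured ARP frames into an IP-to-MAC inventory and flags any IP claimed by several MACs, the shared-factory-default case raised above. The frames are constructed inline; the function names, the 02-... MACs and the 10.20.30.x addresses are assumptions.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP

def build_arp(sender_mac, sender_ip, target_ip):
    """Build a broadcast ARP request frame (used only to construct sample input)."""
    mac = bytes.fromhex(sender_mac.replace("-", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + spa + b"\x00" * 6 + tpa

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = "-".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return mac, ip

def inventory(frames):
    """Map each sender IP to the set of MACs seen claiming it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[1] != "0.0.0.0":  # ARP probes carry no sender IP yet
            seen[parsed[1]].add(parsed[0])
    return dict(seen)

def conflicts(inv):
    """IPs claimed by more than one MAC (several devices on one factory default)."""
    return {ip: sorted(macs) for ip, macs in inv.items() if len(macs) > 1}

# Constructed sample capture; the 02-... MACs and 10.20.30.x addresses are made up.
SAMPLE = [
    build_arp("02-00-00-00-00-01", "192.168.1.1", "192.168.1.254"),
    build_arp("02-00-00-00-00-02", "192.168.1.1", "192.168.1.254"),
    build_arp("02-00-00-00-00-03", "10.20.30.40", "10.20.30.1"),
    build_arp("c8-1f-66-04-9a-c1", "192.0.2.50", "192.0.2.1"),
    build_arp("02-00-00-00-00-04", "0.0.0.0", "10.20.30.41"),   # ARP probe
    b"\xff" * 12 + struct.pack("!H", 0x0800) + b"\x00" * 28,    # IPv4 frame, not ARP
]

if __name__ == "__main__":
    print(inventory(SAMPLE), conflicts(inventory(SAMPLE)))
```

ARP requests are broadcast within the layer 2 segment, so a listener on any port of the flat network sees them regardless of which subnet each device was configured for.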