Print out every MAC address seen on a network interface? - networking

Is there a foolproof way to discover the MAC address of a device that is freshly plugged into an Ethernet network in Linux?
I'm looking specifically for something that works on the MAC address level. Assume everything at the IP address level is broken.
i.e. maybe Ethernet chip drivers expose a list of the MACs they've seen in /proc?

Taken from a similar question, this gets pretty close:
sudo tshark -i eth0 -e eth.src -Tfields
However, it doesn't de-duplicate lines, and it seems there are intermittent line number prefixes.
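One way to get a de-duplicated list without tshark, as an added example that is not part of the original question: read raw frames from a Linux AF_PACKET socket and print each source MAC the first time it appears. The interface name is taken from the command line, and the sample frames and their MAC addresses are constructed for illustration.

```python
import socket
import sys

ETH_P_ALL = 0x0003  # Linux <linux/if_ether.h>: deliver frames of every protocol

# Constructed sample frames (destination, source, EtherType, padding).
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46),
    bytes.fromhex("ffffffffffff" "020000000002" "0800") + bytes(46),
    bytes.fromhex("020000000002" "020000000001" "0800") + bytes(46),  # repeat source
    bytes.fromhex("ffffffff"),                                        # truncated
]


def source_mac(frame: bytes):
    """Return the source MAC of an Ethernet frame, or None if it is unusable."""
    if len(frame) < 14:            # shorter than an Ethernet header
        return None
    src = frame[6:12]              # bytes 0-5 destination, 6-11 source
    if src[0] & 0x01 or src == bytes(6):
        return None                # group bit set or all zero: not a real sender
    return ":".join(f"{b:02x}" for b in src)


def new_macs(frames, seen=None):
    """Yield each source MAC the first time it appears in an iterable of frames."""
    seen = set() if seen is None else seen
    for frame in frames:
        mac = source_mac(frame)
        if mac is not None and mac not in seen:
            seen.add(mac)
            yield mac


def live_frames(interface: str):
    """Yield raw frames from an AF_PACKET socket (needs root or CAP_NET_RAW)."""
    proto = socket.htons(ETH_P_ALL)
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, proto) as sock:
        sock.bind((interface, 0))
        while True:
            yield sock.recv(65535)


if __name__ == "__main__":
    # With an interface argument, sniff live; otherwise use the sample frames.
    frames = live_frames(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for mac in new_macs(frames):
        print(mac, flush=True)
```

The socket only sees frames the NIC accepts, so a newly attached device shows up once it sends a broadcast or a frame addressed to this host; the host's own transmitted frames are listed too.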

Related

Will tcpdump capture packets where destination mac address does not match NIC's mac address

I am running some data throughput tests by sending UDP packets using iperf through a VM that does some sort of processing on those packets.
My application runs in promiscuous mode, so it will pick up all packets.
I saw my application drop some packets, but my application counters show that it was not due to any slowdown or failures.
I put some logs in my application and they suggested that the ethernet frame itself may be corrupted.
I was also running tcpdump on the vnics of both the iperf machine and my packet processor but these packets never showed up in the traces. I was hoping to see corrupted packets appear in the traces.
The commands looked like this:
tcpdump -i vnet11 -C 100 -w iperf.pcap
tcpdump -i vnet7 -C 100 -w sgi.pcap
My doubt is, if the ethernet frame is itself corrupted and the destination MAC itself does not match the MAC address of vnet7 or vnet11, will tcpdump capture those packets?
Edit:
It just struck me that if Ethernet frame itself was corrupted which caused destination MAC to mismatch, then the linuxbridge won't send that packet to my packet processor's vnet interface in the first place. So tcpdump does not have anything to capture here. Please ignore this question.
In fact, if the problem is a corrupt Ethernet frame, you will not see it at all. Your network card will discard the frame and your sniffer will never see it.
Running in promiscuous mode will normally disable the MAC filtering on your network card so that the sniffer will see all packets, regardless of the destination MAC. However, you cannot see packets that are not sent to the NIC (obviously), so in a switched environment, unless you take additional steps to either attack the switch or configure a span or mirror ports, you will only see broadcasts and frames that are destined for a MAC on your system.
Virtual Machines can complicate this further. Different virtualization solutions handle this in different ways. In some, for instance, the administrator can choose to configure whether or not frames that do not match the host address are delivered to the VM, effectively making promiscuous mode moot.

What is causing putty to not connect to beaglebone black

I have a BeagleBone Black (rev C). I am trying to connect it to a Windows 8 laptop using PuTTY. I am putting the IP address as 192.168.7.2 and the port as 22, but when I say open to it, the PuTTY window will pop up and after some time I will get a fatal ERROR saying:
"Network connection time-out"
I am new to this, can someone tell me what I am missing?
Seems to indicate that an SSH server is not running on the BBB. Or possibly for some reason the BBB did not take 192.168.7.2 as an IP. Or perhaps you might need to wait a little bit longer for the SSH server to start up.
Short of this, there is not much to go on. One way to troubleshoot the issue would be to get a serial debug cable, connected and working to the BBB. Then you could dmesg | grep ssh or some such and hopefully get closer to what the actual problem is. Sorry if this is not enough for you to go by, but it is really hard to figure out what is going on without more information.
Other potential problems could be as simple as a USB cable that sometimes works or sometimes doesn't.
It may not be this but have you installed the drivers? See step 2 here: http://beagleboard.org/getting-started. If it's not that or you have already installed those then I am not sure sorry. Perhaps someone else has another suggestion.
Is the BeagleBone connected to your network with an Ethernet cable? It will only use 192.168.7.2 for the network-over-usb when there's only a USB cable connected - if you have Ethernet connected it will use DHCP to get an IP from your router, in which case you can check your router page to see what IP it got.
If you do just have USB connected then a driver issue is the most likely culprit, but you could try to ssh to the hostname beaglebone.local instead of the IP.

Find out which client makes the network slow

We have about 30 clients connected to a single cable-modem/router (Fritzbox 6360). Some clients also connect to a TP-Link W-LAN Router which is also connected to the cable modem.
Sometimes the internet is very slow and we can see a continuous upstream (6 MBit/s). Unfortunately we cannot see which clients cause that traffic. The Fritz Box provides a functionality to capture network traffic and then analyze it with Wireshark.
Following interfaces can be captured by the cable modem:
Internet connection
Interface 0 ('internet')
Routing interface
Network interfaces
tunl0
cni0
lbr0
wan0
eth0
lan
erouter0
esafe0
And there is an option to launch DTrace (default parameters are)
-D -s -m -i256 -dect -dlc -c1 -c2 -c3 -c4 -c5 -nt3 -d2 -d3
We already captured different interfaces and tried to understand the data with Wireshark but without much success. What would be the right way to see which client is uploading data at the moment?
In Wireshark, to get a list of IP addresses and what percentage of the trace each of the IP addresses is taking up, go to Statistics->IP Addresses.. and click "Create Stat" in the box that pops up while leaving the "Filter" option blank. You should be able to figure out which of your client IPs is hogging the most bandwidth with this.
For a visual comparison, click "Statistics->IO Graph", and in the second filter next to Graph 2, type "ip.src == x.x.x.x" (where x.x.x.x is the ip address of the uploader you suspect is taking up the most bandwidth) and click "Graph 2". This will give you a packets vs time graph. You can also filter out other ip addresses as well to display simultaneously in the same graph for comparison.
Edit: I would also suggest keeping an eye out for IPv6 addresses.
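The same per-address accounting can be done outside the Wireshark GUI. The following is an added example, not part of the original answer: it sums on-the-wire bytes per source IP (IPv4 and IPv6) in a capture, assuming the capture has been saved in classic pcap format with Ethernet framing. The addresses and frame sizes in `sample_capture` are constructed.

```python
import ipaddress
import struct
import sys
from collections import Counter


def bytes_by_source(pcap: bytes) -> Counter:
    """Sum on-the-wire bytes per source IP (IPv4 and IPv6) in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    totals, pos = Counter(), 24
    while pos + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 14:
            continue
        ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100 and len(frame) >= 18:      # 802.1Q VLAN tag
            ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype == 0x0800 and len(frame) >= off + 20:
            src = ipaddress.IPv4Address(frame[off + 12:off + 16])
        elif ethertype == 0x86DD and len(frame) >= off + 40:
            src = ipaddress.IPv6Address(frame[off + 8:off + 24])
        else:
            continue                                      # ARP etc.: no IP source
        totals[str(src)] += wirelen                       # original, not captured, size
    return totals


def sample_capture() -> bytes:
    """Constructed two-host capture used to exercise the parser offline."""
    def rec(src_ip, wirelen):
        ip = b"\x45" + bytes(11) + ipaddress.IPv4Address(src_ip).packed + bytes(4)
        frame = b"\x02" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(frame), wirelen) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header + rec("192.168.178.20", 1514) + rec("192.168.178.31", 90)
            + rec("192.168.178.20", 1514))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for ip, total in bytes_by_source(data).most_common(10):
        print(f"{ip:40} {total} bytes")
```

Run it on a capture taken on a LAN-side interface: where the router applies NAT, a capture of the internet-facing interface shows the router's own address as the IPv4 source for every client.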

tcpdump always filters my packets

I've been using tcpdump for about a month now, and recently, it has stopped capturing any packets that were not sent to or from the computer running tcpdump. I've stripped down my command to just:
sudo tcpdump -i en2
I've checked my interfaces with ifconfig, and en2 is in "PROMISC" mode. When specifying a specific host as a filter, I only see a few "arp" messages but nothing compared to what is actually going on in the network.
Any ideas why this would be happening? Much appreciated if anyone can offer some advice!
Richard
P.S. Sorry for the re-post, I wanted to register this time! (New to S.O.)
Do you know what network equipment is used / if there has been a change recently?
One possible explanation is that your computer is connected to a switch (and not a hub). The switch sends to your adapter only traffic intended for your MAC address, and broadcasts (hence the ARP).
One way to check this is to send broadcasts from other computers in the network (just use ping 255.255.255.255) and see if you can see anything.

How do I get a MAC address for a remote system when I only know its IP address?

I'm working on a Wake on LAN service that will run from a web site and should interact with many different platforms - therefore, no Windows-only solutions. When a user registers their system with the web site, I need to get the MAC address to use in constructing the "magic" packet. I have a Java Applet that is able to do this for me and am aware of an ActiveX control that will work, but I'm wondering if there is a way to do this server-side by querying routers/switches. Since the system may be on any of a number of different physical subnets, using ARP won't work -- unless there's a way to configure the router(s) to perform the ARP on my behalf.
Anyone know of any network APIs, proprietary or otherwise, that can be used to look up MAC addresses given an IP address? I think we're using Cisco routers, but it's a complicated network and there may be multiple vendors involved at various levels. I'd like to get some background information on possible solutions before I go to make a sacrifice to the network gods. No point in abasing myself if it's not technically possible. :-)
EDIT: We do have the network infrastructure set up to allow directed broadcast, though figuring out the exact broadcast address since netmasks are not always /24 is another conundrum that I need to solve.
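For the two pieces the question mentions, the "magic" packet and the directed broadcast address for netmasks that are not /24, here is an added example that is not part of the original post. It assumes the target's IP and netmask are known at registration time; the addresses and MAC are constructed, and UDP port 9 is a common convention for Wake on LAN rather than something the page specifies.

```python
import ipaddress
import socket


def directed_broadcast(ip: str, netmask: str) -> str:
    """Broadcast address of the subnet containing ip, for any mask or prefix length."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    # Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff notations.
    raw = bytes.fromhex(mac.translate(str.maketrans("", "", ":-.")))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b"\xff" * 6 + raw * 16


def send_wol(mac: str, ip: str, netmask: str, port: int = 9) -> str:
    """Send the magic packet to the target subnet's directed broadcast address."""
    dest = directed_broadcast(ip, netmask)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(magic_packet(mac), (dest, port))
    return dest


if __name__ == "__main__":
    # Constructed values: a host in a /22 and a locally administered MAC.
    print(directed_broadcast("10.20.37.200", "255.255.252.0"))
    print(len(magic_packet("02:00:00:aa:bb:cc")), "byte magic packet")
```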
If you are on a local network that uses DHCP you might be able to look in the servers database to get the MAC of the last user with that address. In the future you could watch the network for ARP requests and cache the responses in some sort of table. You might also look at using RMON or SNMP to try and query the Address Tables on the switches and routers.
It should be noted that to use WoL across routers you either need to enable Directed Broadcasts or you need to have a relay server in the local segment.
Been a while since I played with routers and switches, but this might be a starting point for what to query using SNMP: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
Use the following:
getmac /s destIp
To get the remote session Mac address.
I don't know if these might be helpful but take a look:
http://www.webdeveloper.com/forum/showthread.php?t=134120
http://www.qualitycodes.com/tutorial.php?articleid=19
You've said everything I can think of...
The source MAC address changes as a packet hops from device to device so unless the client is on the same subnet, the server won't be able to get the MAC address. (You would do it via ARP)
A signed java applet or activex control would be the easiest solution. It would be able to (almost passively) get all the networking info you need (IE doesn't even prompt to run a signed applet)
If you are fully aware of the network that is using the service then you could probably query a gateway's client-list via SNMP or CDP. You would be able to map out IP-Addresses to MAC addresses... but this is really vendor dependent (but common) and wouldn't be much better (imo) than having an applet.
Currently the application is using a Java 6 applet that allows me to extract both the hostname and the MAC address from the remote system. I don't like having this dependency on Java 6, but Snow Leopard and Windows both support it, so I can probably live with it.
On a related front, our networking folks approached me for some help with converting some existing code to ASP.NET. During the conversation I asked if they had live MAC address information (since they do port shutoffs based on suspicious network activity -- viruses/worms). Turns out they do and we may be able to leverage this project to get access to the information from the network database.
I don't think there is any way to accomplish this. When the IP packet goes via the first router the host's MAC information is lost (as you know MAC is only used in ethernet layer). If the router most close to your PC was capable of telling the remote MAC code to you, again it would only see the MAC of the next router between your PC and the "other end".
Start sacrificing.
There's no general way to do this in terms of the network unless you have no routers involved. With a router involved, you will never see the MAC address of the originating system.
This assumes that the originating system only ever has a single network interface, so has only a single MAC address.
In fact, are you even sure that your "magic packet" (whatever that is) will reach the system you want it to reach, through the routers? That sounds like a function the routers or other network infrastructure should be performing.
MAC address is only used on network segments, and is lost at each hop. Only IP is preserved for end-to-end - and even then the from IP address is rewritten when NATed. I guess my answer is, not possible unless everything is on the same network segment, or your routers are set up for proxy ARP (which is not really realistic).
You can only get MAC entries in the ARP table for machines on the same network. If you connect to a machine via a router then you will only see the router's MAC address in the ARP table. So there is no way of knowing the foreign host’s MAC address unless it's a host on the same network (no routers involved).
And by the way there are many similar questions already on SO.
If it's a Windows system you can use NBTSTAT -A
This will return the NetBIOS info and the IP is there.
Any management system like SMS or Altiris will have this info.
The DHCP server is a good idea.
If it's local you can ping it and then quickly run ARP -a
Look for the IP and the MAC will be there.
You might need to write a small batch file.
If you have access to the PC you can use WMI to access the info for the NIC with DHCP.
As said above we can get the MAC address from a known IP address if that host is in the same subnet. First ping that IP; then look at arp -a | grep and parse the string on *nix to get the MAC address.
We can issue system commands from all programming languages' standard APIs and can parse the output to get the MAC address. The Java API can ping an IP but I am not sure if we can parse the ping output (some library can do it).
It would be better to avoid issuing system command and find an alternative solution as it is not really Platform Independent way of doing it.
Courtesy: Professor Saleem Bhatti
