While "wiresharking" the network, you may come across packets that look like this: eth.src to eth.dst (mainly colored white). Sometimes Wireshark recognizes the protocol (LLC, NDP, etc.), but sometimes it is just 0x000 or 0x0de. So you know the MAC address of the sender but don't know the IP address.

Question 1: How can you link its MAC address to some IP? What I have in my head is just nmap -sn over the whole subnet, then a textual search for the MAC... but maybe there is a more clever way or tool. I tried to use arping, but it seems not to be for this purpose.

Question 2: Let's imagine that a frame came from another subnet or VLAN (is it possible? maybe in a very misconfigured network? if not, why?) - do we still have a chance to negotiate with the device and somehow discover its IP?

Thank you.

apech zzz

1 Answer

There may not be an IP address for a given MAC. Not all layer 2 frames are IP.

Wireshark identified that as ieee1905, specifically a topology discovery frame. Indeed, 01-80-C2-00-00-13 is registered to ieee1905.

Obviously, many other frames contain IP. Capture enough packets, and you may see IPv6 neighbor discovery or IPv4 ARP, associating IPs with layer 2.

When an address is not known to you, find the port it connects to on your switches. Find the physical device, and manage it.

John Mahowald
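The passive approach from the answer above, as an added example that is not part of the original answer: it reads raw Ethernet frames, learns MAC-to-IP bindings from ARP sender fields and IPv6 Neighbor Advertisements, and keeps MACs that only ever send non-IP frames with an empty IP set. The function names and the sample frames are constructed for illustration; the frames are assumed to be raw Ethernet bytes taken from a capture, with at most one 802.1Q tag and no IPv6 extension headers.

```python
import ipaddress
import struct

ETH_ARP, ETH_IPV6, ETH_VLAN = 0x0806, 0x86DD, 0x8100

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def learn(frame, table):
    """Record eth.src, plus any IP an ARP or NDP payload binds to a MAC."""
    table.setdefault(mac_str(frame[6:12]), set())  # seen at layer 2, no IP yet
    (etype,) = struct.unpack("!H", frame[12:14])
    p = frame[14:]
    if etype == ETH_VLAN and len(p) >= 4:  # step over one 802.1Q tag
        (etype,), p = struct.unpack("!H", p[2:4]), p[4:]
    if etype == ETH_ARP and len(p) >= 28 and p[4:6] == b"\x06\x04":
        sha, spa = p[8:14], p[14:18]  # sender hardware / protocol address
        if spa != bytes(4):  # an ARP probe carries sender IP 0.0.0.0
            table.setdefault(mac_str(sha), set()).add(str(ipaddress.IPv4Address(spa)))
    elif etype == ETH_IPV6 and len(p) >= 64 and p[6] == 58 and p[40] == 136:
        # Neighbor Advertisement right after the IPv6 header; target at 48..64
        mac, opts = frame[6:12], p[64:]
        while len(opts) >= 8 and opts[1]:
            if opts[0] == 2 and opts[1] == 1:  # target link-layer address option
                mac = opts[2:8]
            opts = opts[opts[1] * 8:]
        table.setdefault(mac_str(mac), set()).add(str(ipaddress.IPv6Address(p[48:64])))

def build_table(frames):
    table = {}
    for f in (f for f in frames if len(f) >= 14):
        learn(f, table)
    return table

# Constructed sample frames (documentation IPs, locally administered MACs).
SAMPLE = [bytes.fromhex(h) for h in (
    # ARP request from 02:00:00:00:00:01, sender IP 192.0.2.10
    "ffffffffffff020000000001" "0806" "0001080006040001"
    "020000000001c000020a" "000000000000c0000201",
    # Neighbor Advertisement for 2001:db8::20 from 02:00:00:00:00:02
    "333300000001020000000002" "86dd" "6000000000203aff"
    "20010db8000000000000000000000020" "ff020000000000000000000000000001"
    "8800000020000000" "20010db8000000000000000000000020" "0201020000000002",
    # Non-IP frame to 01-80-C2-00-00-13: only the MAC can be learned
    "0180c2000013020000000003" "893a" + "00" * 46,
)]

if __name__ == "__main__":
    for mac, ips in build_table(SAMPLE).items():
        print(mac, sorted(ips) or "no IP seen")
```

A MAC that still has an empty set after a long capture is a candidate for the switch-port lookup the answer recommends.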