While "wiresharking" the network, You may come across packets that looks like
THIS
eth.src
to eth.dst
(mainly colored white).. sometimes Wireshark recognize protocol LLC, NDP etc..
but sometimes it just 0x000
or 0x0de
. So You know the MAC address of sender but don't know IP address.
My question is 1:
How You can link it's MAC address to some IP? What in my head is just nmap -sn
all the subnet then textual search for a MAC... but maybe there is more clever way or tool. I tried to use arping, but it seems to be not for this purpose.
question 2:
Let's imagine that a frame came from another subnet or VLAN ( is it possible? maybe in a very misconfigured network? if not why? ) - have we still have a chance to negotiate to a device and somehow and discover it's IP?
Thank You.