
How do I discover the MAC address of machines in a network?

I need to discover the machines that are available with only a BIOS installed (no operating system).

And I need to find the MAC address of machines that are up.

Peter Mortensen

13 Answers

8

You will have to access the information available on your managed switches. If you have an unmanaged network, I don't see a way to do that.

This is assuming the target computers are capable of Wake-on-LAN (WoL). In this case, a link to the server is established (look for the flashy link LED), and the network card is listening to WoL broadcasts. AFAIK, the card does not answer to anything in this state. If there isn't any WoL, the card most probably is off (no link LED), and it won't work at all.

Peter Mortensen
Posipiet
7

If the machines are not powered up, this is impossible.

If they are powered up, I would guess this is impossible as well, as you need a minimal network stack to at least answer things like ARP queries etc., which isn't working without an OS installed.

What might work (I don't know and can't test right now) is that the NIC and the switch communicate when the NIC is plugged in or powered up and the switch learns the MAC address this way. If this is the case you would need a manageable switch and query it for connected mac addresses.

Sven
  • You *might* get it without a network stack if it's asking for bootp or pxe boot. Depends on the machine as to whether this would work though, I'd think. – Bart Silverstrim Aug 31 '10 at 10:24
6

You can use Nmap to do a very quick ARP scan using the following syntax.

nmap -sn -PR -oX nmap.xml 192.168.1.0/24

This uses ARP ping (only ARP requests, no ICMP, UDP or TCP, no port scanning) to scan the specified IP address range and record the IP address/MAC address/Hostname responses in an XML file (nmap.xml).

I wrote a PowerShell script that munges the XML file and spits out a CSV file. This also filters out the down hosts. I find this easier to use in Excel than the XML file. Here's the script if anyone is interested.

# Define nmap input file
$NmapXMLFile = ".\nmap.xml"

# Initialize object array
$HostItems = @()

# Initialize index
$x = 0

# Load XML
[xml]$NmapXML = Get-Content $NmapXMLFile

# Loop through XML
ForEach ($HostNode in $NmapXML.nmaprun.host) {

  # Check host status
  If ($HostNode.status.state -eq "up") {

    # Create host object
    $HostObj = "" | Select-Object ID, Hostname, 'IP Address', 'MAC Address', Vendor

    # Increment index and store it as the ID
    $x += 1
    $HostObj.ID = $x

    # Store hostname
    $HostObj.Hostname = $HostNode.hostnames.hostname.name

    # Loop through addresses
    foreach ($HostAddress in $HostNode.address) {

      # Check IP address
      If ($HostAddress.addrtype -eq "ipv4") {

        # Store IP address
        $HostObj.'IP Address' = $HostAddress.addr
      }

      # Check MAC address
      If ($HostAddress.addrtype -eq "mac") {

        # Store MAC address
        $HostObj.'MAC Address' = $HostAddress.addr

        # Store vendor
        $HostObj.Vendor = $HostAddress.vendor
      }
    }

    # Append host object to array
    $HostItems += $HostObj
  }
}

# Print host items
$HostItems

# Export host items to CSV
$HostItems | Export-CSV -NoType .\nmap.csv
Peter Mortensen
John Homer
  • I tried the command above, and got the error `Scantype n not supported`. Apparently the flag `-sn` is not supported on Nmap 4.x. – Stefan Lasiewski Feb 08 '12 at 00:16
  • From the nmap 5.30BETA1 ChangeLog: – John Homer Feb 21 '12 at 16:06
  • Switched to -Pn and -sn and as the preferred syntax for skipping ping scan and skipping port scan, respectively. Previously the -PN and -sP options were recommended. This establishes a more regular syntax for some options that disable phases of a scan: -n no reverse DNS -Pn no host discovery -sn no port scan We also felt that the old -sP ("ping scan") option was a bit misleading because current versions of Nmap can go much further (including -sC and --traceroute) even with port scans disabled. We will retain support for the previous option names for the foreseeable future. – John Homer Feb 21 '12 at 16:16
  • So based on that, you *should* be able to use the '-sP' syntax in place of the newer '-sn' parameter. Unfortunately, I don't have a version of nmap4 to test with. – John Homer Feb 21 '12 at 16:16
4

From a Unix machine, listening to the no-OS computers on the same LAN, and if possible via a Hub (not a Switch), you can try

arp
cat /proc/net/arp

Also you may want to try Wireshark (from an OS-ed machine). Again, it is better to use a hub in order to catch any communications from the BIOS machines, including broadcasts.

Déjà vu
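The answer above reads the kernel ARP table straight from /proc/net/arp. The following is an added example (not from the answer's author) showing how to parse that table and keep only entries that actually resolved: an entry with flags 0x0 and a MAC of 00:00:00:00:00:00 is an incomplete entry, meaning a request went out and nothing answered, so it must not be counted as a discovered host. The flag constants follow <linux/if_arp.h> (ATF_COM 0x02 = complete, ATF_PERM 0x04 = static), and the sample table is constructed for the example.

```python
# Added example, not part of the original answer: parse /proc/net/arp and
# separate complete entries (a host really answered) from incomplete ones.
from dataclasses import dataclass
from typing import Dict, List

ATF_COM = 0x02    # entry is complete (linux/if_arp.h)
ATF_PERM = 0x04   # entry is permanent/static

# Constructed sample of what `cat /proc/net/arp` prints on Linux.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         52:54:00:12:34:56     *        eth0
192.168.1.33     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.254    0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.77     0x1         0x6         aa:bb:cc:dd:ee:ff     *        eth0
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    flags: int
    device: str

    @property
    def complete(self) -> bool:
        # Flags 0x0 means the kernel is still waiting for a reply; the
        # all-zero MAC shown there is a placeholder, not a discovered host.
        return bool(self.flags & ATF_COM)

    @property
    def static(self) -> bool:
        return bool(self.flags & ATF_PERM)


def parse_proc_net_arp(text: str) -> List[ArpEntry]:
    """Parse the whitespace-separated /proc/net/arp table (header skipped)."""
    entries: List[ArpEntry] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        entries.append(ArpEntry(ip, mac.lower(), int(flags, 16), dev))
    return entries


def live_hosts(text: str) -> Dict[str, str]:
    """IP -> MAC for complete entries only; incomplete entries are dropped."""
    return {e.ip: e.mac for e in parse_proc_net_arp(text) if e.complete}


def read_live_hosts(path: str = "/proc/net/arp") -> Dict[str, str]:
    """Same thing against the running system (Linux only)."""
    with open(path, encoding="ascii") as fh:
        return live_hosts(fh.read())


if __name__ == "__main__":
    for ip, mac in live_hosts(SAMPLE_PROC_NET_ARP).items():
        print(f"{ip:<16} {mac}")
```

Entries with ATF_PERM set (flags 0x6 in the sample) are static mappings that someone configured by hand; they are complete, but they are not evidence that the host is currently on the wire.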
3
  1. View info on your switch/router, if the switch is advanced enough (in Cisco switches the command is show mac-address-table).
  2. If the machines have a PXE-enabled BIOS/network card, read the info from the DHCP logs, as they will try to get a DHCP lease. If you do not have DHCP, just dump all broadcast traffic with Wireshark and filter the DHCP traffic. All newly powered machines without an OS will show in the traffic.
Kristaps
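Step 2 above relies on a PXE-capable card broadcasting a DHCP DISCOVER before any OS is present. As an added example (not the answer author's code), here is what reading those frames looks like in Python: the client MAC sits in the BOOTP chaddr field, and PXE firmware identifies itself with a vendor class identifier (option 60) that starts with "PXEClient", which lets a defender tell a bare-BIOS machine apart from a booted OS asking for a lease. The packet bytes are constructed inline for the example; on a real network they would come from a capture of UDP port 67 traffic.

```python
# Added example, not part of the original answer: extract the client MAC and
# the PXE vendor class from a DHCP DISCOVER. Sample packets are constructed.
import struct
from dataclasses import dataclass
from typing import Dict, Optional

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header (RFC 2131)
BOOTP_LEN = struct.calcsize(BOOTP_FMT)      # 236 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"            # magic cookie that precedes options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass(frozen=True)
class DhcpClient:
    mac: str
    message_type: str
    vendor_class: Optional[str]

    @property
    def is_pxe(self) -> bool:
        # PXE firmware sends option 60 starting with "PXEClient"; an installed
        # OS sends something else (e.g. "MSFT 5.0") or no option 60 at all.
        return bool(self.vendor_class and self.vendor_class.startswith("PXEClient"))


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; 0 is a pad byte and 255 ends the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> DhcpClient:
    """Parse the UDP payload of a DHCP message into a DhcpClient record."""
    if len(packet) < BOOTP_LEN + 4 or packet[BOOTP_LEN:BOOTP_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    htype, hlen, chaddr = fields[1], fields[2], fields[11]
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet client addresses are handled here")
    opts = parse_options(packet[BOOTP_LEN + 4:])
    mtype = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    vclass = opts[60].decode("ascii", "replace") if 60 in opts else None
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    return DhcpClient(mac, mtype, vclass)


def build_discover(mac: bytes, vendor_class: bytes) -> bytes:
    """Constructed sample DISCOVER, as a capture filtered on udp port 67 would show."""
    zero4 = b"\0" * 4
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         zero4, zero4, zero4, zero4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (DHCP_MAGIC + bytes([53, 1, 1])                      # DISCOVER
               + bytes([60, len(vendor_class)]) + vendor_class    # vendor class
               + b"\xff")
    return header + options


# Constructed samples: a PXE boot ROM and a booted Windows host asking for a lease.
PXE_SAMPLE = build_discover(bytes.fromhex("525400abcdef"),
                            b"PXEClient:Arch:00000:UNDI:002001")
OS_SAMPLE = build_discover(bytes.fromhex("525400123456"), b"MSFT 5.0")

if __name__ == "__main__":
    for pkt in (PXE_SAMPLE, OS_SAMPLE):
        c = parse_dhcp(pkt)
        print(f"{c.mac}  {c.message_type:<8} pxe={c.is_pxe}  {c.vendor_class}")
```

Feeding real traffic in is a matter of reading the UDP payload of each frame from a pcap; the parser above only assumes Ethernet hardware addresses (htype 1, hlen 6) and rejects anything else rather than guessing.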
2

A very easy little trick you could do within 2 seconds is working with the fact that any operating system writes a table with the MAC and IP address of any device it interacts with. This is known as the ARP table. So the question is how to force an interaction with all devices? You could simply ping the broadcast IP address. This is not perfect, since some devices or firewalls could block ICMP ping requests, but it works in many scenarios.

The commands are (for an IPv4 192.168.0.255 broadcast address):

ping 192.168.0.255

In Linux use:

ping -b 192.168.0.255

Wait a few seconds for devices to respond, then do:

arp -a

For IPv6 ping, see Giedrius Rekasius's comment.

Not perfect, but no tools, no research, no waste of time, works in every major operating system and is quick.

  • I find it easier and more reliable to do such pings over IPv6 than over IPv4. An example command could look like this `ping6 -c2 -n ff02::1%wlan0`. One only need to update the name of the network interface to use, the IP address to use for that purpose is always `ff02::1` regardless of which network you are on. – kasperd Aug 03 '14 at 16:24
1

The basic problem here is that this is Layer 2 information, so only switches see it. Some switches will provide an interface that lets you peek at this info, but if they don't, the only way to get it is to intercept in the physical layer, e.g. by installing a hub between the switch.

If you're using managed switches this information is likely available from the switch. Some end-user integrated routers/switches (such as the kind that often package ADSL modems as well) will sometimes have a DHCP client list which includes MAC addresses.

If you're using unmanaged switches, and you really want to know this info, I recommend you buy a hub, and temporarily replace the switch with it. You can then connect a computer running wireshark to the hub and capture ARP packets to record MAC addresses. Alternately you could use Echolot to do this for you - it selectively tracks ARP packets and builds a MAC address database.

imoatama
  • Edit - just reread the part about them being BIOS only. This presents further challenges beyond the problem of intercepting the layer 2 data - the clients may not even send any data over the network. If the clients have a bios that does DHCP, or sends ARP packets out, it should be possible to see them from the switch. I'm not sure what BIOS editions support this, I know some do though. – imoatama Sep 01 '10 at 02:06
1

Scan the network with Nmap and then check the ARP table (arp -a in Linux distributions).

Peter Mortensen
MihaiM
1

Here is a solution that worked for me:

  1. Enable network boot in BIOS. (E.g., set your network adapter to "Enabled with PXE")
  2. Boot the machine.
  3. The machine will attempt to boot from the network, showing you the MAC address in the process.
Igor Ostrovsky
0

As others have said, if you have unmanaged switches, or BootP/PXE, there's no easy way to get the MACs of machines with no OS.

If your running machines are running Windows, it's easy to script (usually via WMI).

There are a bunch of examples here: http://gallery.technet.microsoft.com/ScriptCenter/en-us/site/search?f[0].Type=SearchText&f[0].Value=MAC+address&x=0&y=0

gWaldo
0

I was going to suggest switch MAC address table, but someone's already covered that one above.

If any of the computers are running an OS and have IP addresses, and you can connect to the same LAN, you could use Nmap (or a GUI version like Zenmap) from http://nmap.org/... If you run this on the same LAN, you should get MAC address info for any machines that respond.

It would be useful to understand more about why you need to get the MAC addresses, in case there is a better way of achieving the same result.

Mitch Miller
0

You can collect ARP information with, for example, a continuously running arpalert. With that, you will have the set of ARP addresses seen after start.

Powered off machines will not send you ARP replies.

To speed up the process, you can use an nmap ping scan (nmap -sP) on your network from the server you are running arpalert on, in order to trigger all possible (live and running) hosts to respond to your ARP query. By running the nmap ping scan regularly later, you have a better chance of catching a short-lived host.

snippet from arpalert:

If the MAC is not in list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters.

snippet from nmap:

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing

Look around here:

asdmin
0

I use: nmap -sP 192.168.1.1/24

(replace 192.168.1.1/24 with your IP range)

It will show you only the machines that are up and will give you something like:

[root@x ~]# nmap -sP 192.168.1.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-22 14:20 EST
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
MAC Address: ZZ:ZZ:54:2E:E9:B4 (Unknown)
Nmap scan report for 192.168.1.33
Host is up (0.035s latency).
MAC Address: ZZ:ZZ:FA:2D:D7:D8 (Intel Corporate)
Nmap scan report for 192.168.1.254
Host is up (0.0020s latency).
MAC Address: ZZ:ZZ:31:02:98:19 (Asustek Computer)
Nmap scan report for 192.168.1.34
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.88 seconds

If you have no OS installed you can use a Linux live CD; nmap is probably available in most of them.

neofutur
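The report format shown in this answer is easy to turn into a host list. The following is an added example, not the answer author's code, that parses the normal `nmap -sP` output into records and exports them as CSV, the same end result the PowerShell script further up gets from the XML output. It goes slightly beyond the sample above in two ways: it handles the `Nmap scan report for name (ip)` form that reverse DNS produces, and it flags up hosts that have no MAC Address line. Nmap only prints a MAC for hosts it reached at layer 2, so that line is missing for the scanning host itself (192.168.1.34 in the answer's output is the likely case) and for hosts beyond a router, which is exactly the gap a MAC inventory needs to know about. The sample report and its MAC addresses are constructed.

```python
# Added example, not part of the original answer: parse `nmap -sP` text output
# into host records and flag up hosts that came back without a MAC address.
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the answer's output; MACs are made up.
SAMPLE_NMAP_SP = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-22 14:20 EST
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
MAC Address: 02:00:54:2E:E9:B4 (Unknown)
Nmap scan report for 192.168.1.33
Host is up (0.035s latency).
MAC Address: 02:00:FA:2D:D7:D8 (Intel Corporate)
Nmap scan report for router.lan (192.168.1.254)
Host is up (0.0020s latency).
MAC Address: 02:00:31:02:98:19 (Asustek Computer)
Nmap scan report for 192.168.1.34
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.88 seconds
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<host>\S+) \()?(?P<ip>[\d.]+)\)?$")
# "MAC Address: aa:bb:cc:dd:ee:ff (Vendor)"; the vendor part is optional
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$")


@dataclass
class NmapHost:
    ip: str
    hostname: Optional[str] = None
    up: bool = False
    mac: Optional[str] = None
    vendor: Optional[str] = None


def parse_nmap_sp(report: str) -> List[NmapHost]:
    """Group the report lines by host; lines before the first host are ignored."""
    hosts: List[NmapHost] = []
    for line in report.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts.append(NmapHost(ip=m["ip"], hostname=m["host"]))
            continue
        if not hosts:
            continue
        current = hosts[-1]
        if line.startswith("Host is up"):
            current.up = True
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m["mac"].lower()
            current.vendor = m["vendor"]
    return hosts


def hosts_without_mac(hosts: List[NmapHost]) -> List[str]:
    """Up hosts nmap could not see at layer 2: the scanner itself or a host
    behind a router. These need a different method (switch table, local arp)."""
    return [h.ip for h in hosts if h.up and h.mac is None]


def to_csv(hosts: List[NmapHost]) -> str:
    """CSV with the same columns the PowerShell script above exports."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "hostname", "mac", "vendor"])
    for h in hosts:
        if h.up:
            writer.writerow([h.ip, h.hostname or "", h.mac or "", h.vendor or ""])
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_nmap_sp(SAMPLE_NMAP_SP)
    print(to_csv(parsed))
    print("no MAC seen for:", hosts_without_mac(parsed))
```

For anything beyond a quick look, `-oX` plus a proper XML parser (as in the PowerShell answer) is the more robust route, since the text format is meant for humans and may change between Nmap versions.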