Getting an IP's MAC address from behind a router

Question

I want to know, if possible, how to get a MAC address of an IP address if I am behind a router.

I tried doing a ping to the IP and checking the arp table, but the only entry is the router's MAC.

Any ideas?

Thanks for reading.

Answer 1

MAC addresses do not get passed on by routers. You need to look at the router's ARP table.

Edit:

Unless you have some other form of access to the machine, yes, it is impossible. If you can get onto the network it's on (VNC, RDP, SSH), then you can do it, but otherwise no.

If you're router doesn't give you the ARP table on its web interface, you could see if you can telnet in : many home routers have more advanced functions they hide from the web interface.

Answer 2

It cannot be guaranteed that you can see MAC address of machines behind a router. But there are some protocols that may help you in finding MAC address from anywhere in network. For example to find MAC address of a Windows PC on other network when you know its IP address you can use command

nbtstat -A <IP Address>

To do the same thing from Linux machine (with samba installed) use command

nmblookup -R -S -A <IP Address>

If the machine in question is not a windows machine and there is no way to become part of other subnet. Then the only options are seeing MAC address table in router, or if there is common network wide DHCP server then you can see MAC address in DHCP logs. But I guess you have to be administrator for accessing router or DHCP server.

Hence if there are lot of windows machines on your network you can find MAC address for them even when are not in their subnet. But if network has lot of Linux machines then there is no good very common way to find MAC from other networks.

The above technique wont work on Linux samba servers. They will always return MAC address as 00-00-00-00-00-00.

Answer 3

If the IP in question is not on a directly connected subnet of the router, then the MAC won't be in your router's ARP table.

ARP is only visible / relevant for the last hop of a IP connection (layer 2). Everything between the first routing entity and the last routing entity is layer 3, which doesn't use the ARP of the source or destination entities, but rather the ARP of the next directly-connected routing entity.

Answer 4

I think what you want to know is --

How can you find the MAC for a particular IP(machine) which is not the part of your subnet?

For the all the machines/IPs on your subnet the IP-MAC table is stored in ARP Cache, locally on your machine. This is the same cache which give "IP resolution conflicts". do a simple

$ arp -a | grep particularIP

Now for the machine outside your subnet -- there is no standard of the shelf application which does that, i tried to think if any ICMP message can do it, but as of now i think there is none. Well the way networking, rather layering is designed, this is a deliberately unwanted behavior. To escape or remove the information which is relevant to layers below the present, and as we across the networks IP is used, so no MAC.

See if you have cooperation at the other machine, you can write a small app, which encapsulates the the mac header and sends to you... ofcourse if u have cooperation from the other machine, why this much of effort a simple ifconfig -a does the job, that to for all the interfaces on that machine.

Answer 5

You can only "see" mac addresses of hosts that are on in the same subnet. Then, you can list all mac addresses using the arp command:

arp -a

or for a single IP address:

arp -a 192.168.0.1

Answer 6

If you have any access to the remote PC, or any PC on the remote network, you could use WMI or run various apps to give you the MAC address. I can't think of any other way you'd get the MAC address.

JR

Answer 7

Do you know the device's manufacturer? If so, you may be able to get part of the MAC.

http://aruljohn.com/mac.pl

The only other thing I can think of is vxlan but I'm sure it would be more difficult to set that up than to just get access to the router which would have the MAC directly.

https://www.rfc-editor.org/rfc/rfc7348

Answer 8

Well as told by the folks in the other answer, ARP is a layer two protocol ans is not routable so scanning in conventional methods will not give you back MAC addresses. example

nmap -sn target

will only give MAC addresses of devices that are on the same network segment. There are two nmap scripts that use helpers such nbtstat and snmp

NBTSTAT this requires the UDP port 137 to be open on the target the nmap command is

nmap -sU --script nbtstat.nse -p 137 target

SNMP this protocol has to be functioning, it's port open, to give us any info about the MAC of the target. Also UDP port 161

nmap -sU -p 161 --script=snmp-interfaces target

IPV6 addresses this works on retrieving MAC from IPv6 or similar (teredo, 6to 4, etc) addresses. I've only tried it on IPv6 address that have part of the mac on them

nmap -sV -sC target

(this is the command from nmap https://nmap.org/nsedoc/scripts/address-info.html) but when testing it (on internal fe80 hosts), it required a -6 so

nmap -sV -sC -6 target 

Answer 9

Try namp Intense Scan: nmap -T4 -A -v IP-address

Answer 10

i don't know about router but if you have ip address you can use nmap to obtain mac address even in your local host you can do it as well so why the hell are you want obtain that from router or some thing like that ? if your os is linux you can use macchanger or lots of other apps so i have no idia why you want do this like that.