
Quickly gather MAC addresses in Windows XP with ARP

You don't need to go from computer to computer to gather the MAC addresses of each client computer. Greg Shultz explains how to get into the ARP cache, and learn all the MAC addresses on your network.

When securing a wireless Windows XP network, in addition to using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) encryption, you can use Media Access Control (MAC) address filtering.

When you enable MAC address filtering, the wireless access point or wireless router verifies that the network card in the computer requesting access has a MAC address in its filter list before allowing the computer to access the network. This means that you must first obtain the MAC addresses of each client computer. To do so, you might think that you have to manually visit each computer and use the Getmac command.

An easier way to gather MAC addresses is to take advantage of the Address Resolution Protocol (ARP) command. Here's how:

  1. From one computer, use the Ping command to ping each of the other client computers that will connect to the wireless access point or wireless router.
  2. Type the ARP command along with the -a parameter:
    Arp -a

When used with the -a parameter, the ARP command displays the ARP cache, which stores the IP and MAC addresses of the computers that most recently accessed the system -- or in this case, those computers that responded to the Ping command.
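The cache listing from step 2 also contains rows that do not belong in a filter list: broadcast and multicast entries, unresolved entries, and addresses that were set in software rather than burned into a NIC. The following Python script is an added example, not part of the original tip; it parses `arp -a` text and separates candidate MACs from rows that need review. The sample output, the function names and the review categories are assumptions made for illustration.

```python
import re

# Constructed sample: `arp -a` output from two PCs, concatenated (not real data).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.23          00-1A-2B-AA-BB-CC     dynamic
  192.168.1.24          02-11-22-33-44-55     dynamic
  192.168.1.40          00-00-00-00-00-00     invalid
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 192.168.1.11 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.23          00-1a-2b-aa-bb-cc     dynamic
"""

# One cache row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$")

def classify(mac):
    """Return the reason a MAC needs review, or None if it looks like a real NIC."""
    first_octet = int(mac[:2], 16)
    if mac == "ff-ff-ff-ff-ff-ff":
        return "broadcast"
    if mac == "00-00-00-00-00-00":
        return "unresolved"
    if first_octet & 0x01:      # I/G bit set: group address, never a single NIC
        return "multicast"
    if first_octet & 0x02:      # U/L bit set: address assigned in software
        return "locally-administered"
    return None

def parse_arp(text):
    """Return (allow, review): MAC -> sorted IPs, and (ip, mac) -> reason."""
    seen, review = {}, {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue            # interface banners, column headers, blank lines
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        reason = "unresolved" if kind == "invalid" else classify(mac)
        if reason:
            review[(ip, mac)] = reason
        else:
            seen.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}, review

if __name__ == "__main__":
    allow, review = parse_arp(SAMPLE_ARP_OUTPUT)
    for mac, ips in sorted(allow.items()):
        print("candidate", mac, ",".join(ips))
    for (ip, mac), reason in sorted(review.items()):
        print("review   ", mac, ip, reason)
```

A locally administered address is not proof of spoofing, but it is worth confirming against the device itself before it goes into the filter list.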

Note: This tip applies to both Windows XP Home and Professional.


About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

55 comments
mtoney

The most reliable way for you to get ALL MAC addresses is to telnet to your switch and get the MAC table from your switch. As one person mentioned above, if you are VLANing off, you will often have issues where a switch will block MAC addresses from being passed across VLANs. Also, WINDOWS will only cache MAC addresses of machines it has contacted, so you will need to ping, either by name (if you have NetBIOS on or DNS/WINS running) or by IP address, all IP addresses in your range. This can easily be batched as mentioned above. At that point the ARP cache will be populated for ten minutes. You can then issue the ARP -a and look at the MAC addresses.

The idea in looking at the Show ARP command on the switch, which is valid on even unmanaged switches most of the time, is that ALL systems must register their MAC address for store and forward on the switch. Therefore, all MAC addresses will be present on the switch. The workstation will only have the MAC address in its ARP cache if it has had reason to directly communicate with the system in question. This ARP -a caveat/switch goes away if you are on a hub, as everything is broadcast across a hub and your workstation will in fact have all MAC addresses in the network in its ARP table.

For those that want WINDOWS software that will put your computer NIC in promiscuous mode and will gather data such as MAC address information outside of the switch port it is on, check out packetyzer from sourceforge.net. It uses winpcap as the framework and is an open source sniffer. One of the most powerful open source sniffers in the world out there, and it works phenomenally. You cannot go wrong. Mirror your workstation switch port, and put your NIC in promiscuous mode to capture all packets. Run packetyzer and set it to filter on MAC address by RARP. You will capture every MAC in just a few seconds no matter how large your network is. Check out http://sourcefore.net/packetyzer

THE Engineer
windowsmt60@hotmail.com

robert.taubert

I tried ARP -a on Vista Ultimate. In addition to the expected MAC addresses I got back several I didn't recognize. I have a wireless router but have wireless turned off because everything I use is wired. I even removed the antennas. All of my IP addresses start with 192.x.x.x so when I saw the following I began to wonder:

    224.0.0.2          01-00-5e-00-00-02   Static
    224.0.0.22         01-00-5e-00-00-16   static
    224.0.0.252        01-00-5e-00-00-fc   static
    239.255.255.250    01-00-5e-00-00-fa   static
    255.255.255.255    ff-ff-ff-ff-ff-ff   static

Can anyone shed any light on where these might be coming from?????

Smart_Neuron

Hi. I am using a "standalone" PC on an ISP with a Cable Modem. How do I actually identify the MAC for the PC Network Interface *and* the Cable modem? I tried GETMAC, (XP), but it does not tell me what device is what - any suggestions? Thanks - :0)

john

That will work in some cases but you may find it tedious to ping all the IPs that you want to resolve the MAC address. I have two alternates for your consideration.
1. If applicable, use Windows Server DHCP server snap-in under leases. All the MACs are there, without pinging each computer. NOTE: only works for the DHCP-enabled clients.
2. My favorite: third party program freeware. No installer, no catches, no malware. http://www.softperfect.com/products/networkscanner/ Click on the green IP button to set to your subnet and send me kudos later ;)
john@imcco.net
P.S. You will find it useful for much more than just MACs. It will let you FTP SNMP HTTP and show all Windows file shares. Really cool

john

That will work in some cases but you may find it tedious to ping all the IPs that you want to resolve the MAC address. I have two alternates for your consideration.
1. If applicable, use Windows Server DHCP snap-in under leases. All the MACs are there, without pinging each computer. NOTE: only works for the DHCP-enabled clients.
2. My favorite: third party program freeware. No installer, no catches, no malware. http://www.softperfect.com/products/networkscanner/ Click on green IP button to set to your subnet and send me kudos later ;)
john@imcco.net
P.S. You will find it useful for much more than MACs

brian.catt

Um, just try Spiceworks? Are you guys not overtechifying this? Why not just download and run Spiceworks Desktop? I was a techy but have been in recovery for many years in ICT business - so no detail knowledge but understand - and prefer/need whatever works quickly and simply. I run a small DHCP managed LAN of Macs and PCs and get the usual nonsense with things losing contact after disconnections - and I don't want to go through all the switching off and on BS, just update the broken network addresses. So I searched the web and found Spiceworks which does it all - picks up all your MAC addresses, node names, IP addresses, equipment descriptions and even status messages for Ethernet connected devices - as well as doing an applications inventory. I know it's a techy thing to make things unnecessarily obscure and be superior about it BUT life's too short for the rest of us - if you want a user friendly solution that lets you get on with real life, here is one for free, albeit a tad slow. I would expect the $$$ Pro version would suit the techy mainliners here better. Try it before you shout at me, be patient, it's good but may not scale well. Awaiting incoming...
Nothing to do with Spiceworks
Brian Catt 01932 772731

SublimeDre

Thanks for throwing the 'getmac' command out there. I've been in IT for years and never stumbled upon that one, always used 'ipconfig /all'. Just goes to show that old dogs can learn new tricks.

mike_flood

Use. . .
    ARP -a > C:\mac_addresses.txt
File name can be anything you want as long as it ends in .txt

millete

Here is a vbscript I have used to gather NIC information on every PC in my domain. Just replace the "WORKGROUP" with your domain name. You must be an administrator on target PCs.
    Dim strNetAdapt
    Set objDomain = GetObject("WinNT://workgroup")'

Marty R. Milette

Much better to run something like Advanced Port Scanner on the subnet before running the ARP command -- this way you can detect 'rogues' connected to the network as well as not needing to know the names or ping individual stations. Keep in mind that you need to reduce the scope of the scan to make it fast -- the time-to-live on the ARP cache is pretty brief.

CameronY

Neat - never knew of 'arp'. Neat way to gather MAC addresses across the network.

mmanolemeister

is there any way to make a ping to an entire subnet? instead of ping pc by pc?

subodhdubey4984

First, Please give me the whole procedure of these method.

YetAnotherTechie

Tried it and it doesn't work. The "arp -a" command doesn't display what I've just pinged.

mstombs

arp is old, real old - and used by anything that communicates over Ethernet - not limited to windoze. Try the same in Linux or OS-X; you may need "arp -n" to not convert the IP addresses to names! For Apple Mac OS 8.x/9.x, apparently the utility IPNetTuner can display the ARP cache of MAC addresses.

mikejparks

Good tip. Is there a similar 'trick' for the Mac OS? Mike

Neon Samurai

The discussion has gone around more than enough so briefly; stating that a wifi network can be secured by using WEP or MAC filtering on their own is somewhat misleading.

WEP can be broken easily; five minutes if you have some skills, longer if not.. but broken inevitably. If someone wants on your wifi, WEP isn't going to slow them down. If you have hardware that has to be on your wifi network and only supports WEP then you are limited; otherwise, consider WEP dead.

MAC filtering is great but is not increasing your level of security. Stating that it should be used on its own with no real security mechanism alongside is misleading. It's even easier to find and spoof a MAC address than it is to break a WEP key. MAC filtering is a good consideration to reduce the noise on your network since your router will only care about MACs it recognizes. In addition to real security mechanisms, it may even increase your level a little. Used on its own it provides no, NONE, increased level of security.

WPA is the preferred minimum. Unless you are limited by hardware that has to be on your wifi network, use WPA at minimum. WPA2 is better. If you want to use some MAC filtering alongside; by all means. Just realize that WPA is the only lock keeping your front door closed.

As for the actual focus of the article; a great tip. I've generally used heavier utilities to dump MAC lists but I do love being reminded of native support and functions. For me, it would be more of a "arp -a > maclist.txt". Running an ipconfig on each local machine sucks rocks if you have more than one or two. In the past, I've simply grabbed the MAC off my router's connected clients list but this does inspire me to have a better look over arp.exe away from work's IDS. (first post)

Marty R. Milette

Try ROUTE -PRINT on any IPV4 computer and you'll see similar results. The 239.x and 240.x addresses are for multicast, the 255.x address is the default for any routes not covered. Here are the IANA assignments for IPV4: http://www.iana.org/assignments/ipv4-address-space They no doubt have the same info for V6.

preetsingh

@randy.caoctoy Hi. I am trying to use nbtstat -a (ip) for getting MAC.

But observing that by nbtstat:
- we are not able to get MAC of Public IP.
- we are not able to get MAC of Linux based machines.

Please suggest about the two req.??

Regards,
Preet

gjadams

Use the /V option with GETMAC, and it will tell you which interface has each MAC address. Format is getmac /V /S pcname. I have to use this to distinguish VMWare MAC addresses, as well as wired/wireless interfaces.

andereck

The premise of this article is that you are adding computers to a MAC filter list. You can't get the MAC address unless you are connected so this would only work if you haven't implemented the filter yet. It's a lazy situation. BGInfo might be a better tool and redirect output to an Access database so you can collect info at boot over a wired or wireless link. You don't have to worry about pinging each station first to build the cache either. As an aside you can set IP addresses via arp and ping on some APC UPS units and other equipment. You first assign an IP address with arp and then ping that IP address with -L 113 to set the IP address on the UPS.

dave

I have used Angry IP Scanner in the past, but this one does quite a bit more.

louis.slabbert

Thanks for the getmac command. Kind of neat. I prefer the ipconfig /all more since it displays the description of the device. If you have multiple Virtual interfaces on your machine the getmac output is less useful and quite confusing.

BernieG

Keep in mind that this is ethernet related and it is only going to give you MAC addresses of devices in the local subnet (the first hop).

afgcons

In Ireland, is it socially acceptable to talk to one's self in public?

brent

Same command in the terminal on OS X: arp -a will show the MAC addresses for each IP. With some configurations you can ping the broadcast address before you do arp -a to get all the addresses. On a 192.168.1.0 network, you could try to ping 192.168.1.255 to get all the addresses. You can find the broadcast address to ping with the command ifconfig. In the list of interfaces that show up, find the one you are connected to the network with and you will see a section that shows the broadcast address to ping. But again, this does not work under all setups.

Dumphrey

Will try to find the link again it was off the aircrackng site (appropriately).

frederik_ferrell

WEP is dead. You can't say it enough. I would like to add though that if you have WEP enabled devices on your network, set up a separate VLAN for them. This would limit the ability for anyone that gets into that network from getting full access to the rest.

lewko98

If your workstations are only connected by wired NICs, when you ping the machine you are only going to get the wired NIC, not any wireless NIC installed. So the arp command will only give you the MAC of the wired NICs. But I am sure there are more uses for this idea.

kennerly.banks

    REM My first example only worked for the first 99 IP's, but this one collects the whole subnet. Sorry, :)
    @echo off
    set MYSUBNET=10.242.67
    REM Walk host addresses 1 through 254 of the /24 with a single counter.
    FOR /L %%i IN (1,1,254) DO (
      REM Ping to populate the ARP cache; discard both stdout and stderr.
      ping %MYSUBNET%.%%i -n 2 -w 10 > nul 2>&1
      REM Literal match with a trailing space so .1 does not also match .10 or .100.
      arp -a | findstr /c:"%MYSUBNET%.%%i "
    )

llam

I usually just use nbtstat -a ipaddress/hostname

robert.taubert

Thank you for your reply. I had hoped it was something along those lines.

Smart_Neuron

Hi. Thanks! Don't understand the /S switch, though. I will investigate :0)

skhan

Agree, but a script to know all NIC details on the Network is still better...

billballew

getmac on XP? I get the following message: "getmac is not recognized as an internal or external command, operable program or batch file" Is getmac a batch program or script that can be downloaded, and if so, from where? Also ipconfig does supply the physical address (mac is just slang for this) address.

The Altruist

Works on Windows, and *nix, and front-ends are easy to find if they aren't already packaged with it. I just now ran a scan of my network with Zenmap. Saved the scan (.USR), and out pops a gift-wrapped XML, suitable for reuse for any occasion. Now, tell me, how nice is that?

Dusterman

I have been concentrating the business in a narrow field lately and have only recently found a need for these types of programs. . I have found out that we need this, to expand our knowledge base. . Thank you for sharing . . Mike

kaashif.junk

This is the one I use to find unused IP addresses in my network. You can specify a range of IPs to scan, and it shows you the MAC addresses of the IPs that are in use as well as a list of IPs (denoted by an "invalid" or 00:00:00:00:00:00) that are not being used.

    @echo off
    REM Require all three arguments: net_address first_address last_address.
    IF [%3]==[] goto syntax
    for /l %%i in (%2,1,%3) do (
      @echo Trying IP %1.%%i
      REM One small ping to make Windows create an ARP cache entry for the address.
      ping -n 1 -l 1 -w 2 %1.%%i > nul
      REM Literal match with a trailing space so .1 does not also match .10 or .100.
      arp -a | findstr /c:"%1.%%i " >> temp.lst
    )
    @echo Used IPs
    findstr dynamic temp.lst
    @echo Available IPs
    findstr invalid temp.lst
    del temp.lst
    goto :eof
    :syntax
    @echo.
    @echo Usage: arpping net_address first_address last_address
    @echo eg. arpping 172.16.1 1 254
    @echo.

billballew

After reading some more, someone posted the MS location to download the program. Not a native XP program, part of Windows 2000 resource kit. Hmmm - thanks - b

Sundaram Ramanujam

Go to the command prompt. CMD and then type hostname. This command will show the pc name.

Tad Diego

Thanks, I just tried it and it works like a charm. Both of you have added a new tool to my arsenal...

NickNielsen

ping the device. If your network is set up appropriately, the ping will return the device name.

skhan

How to get the pc name for windows based pcs? Thank you.

NickNielsen

The command line syntax is:
    arpping net_address first_address last_address
Where:
    net_address = the first three octets of the local subnet
    first_address = the first address you wish to search
    last_address = the last address you wish to search
So to search all the subnet at 10.20.30, your input would be:
    arpping 10.20.30 1 254

Tad Diego

I'd like to try your file, but I can't figure out what input is needed? A file full of IP addresses? A network range? What do you actually type at the command line?
