Discussion on:

Quickly gather MAC addresses in Windows XP with ARP

The discussion has gone around more than enough so briefly; stating that a wifi network can be secured by using WEP or Mac filtering on there own is somewhat missleading.

WEP can be broken easily; five minutes if have some skills, longer if not.. but broken inevitably. If someone wants on your wifi, WEP isn't going to slow them down. If you have hardware that has to be on your wifi network and only supports WEP then you are limited otherwise, consider WEP dead.

MAC filtering, is great but is not increasing your level of security. Stating that it should be used on it's own with no real security mechanism along side missleading. It's even easier to find and spoof a MAC address than it is to break a WEP key.

MAC filtering is a good consideration to reduce the noise on your network since your router will only care about MAC it recognizes. In addition to real security mechanisms, it may even increase your level a little. Used on it's own provides no, NONE, increased level of security.

WPA is the prefered minimum. Unless you are limited by hardware that has to be on your wifi network, use WPA at minimum. WPA2 is better. If youw want to use some MAC filtering along side; by all means. Just realize that WPA is the only lock keeping your front door closed.

As for the actual focus of the article; a great tip. I've generally used heavier utilities to dump MAC lists but I do love being reminded of native support and functions. For me, it would be more of a "arp -a > maclist.txt". Running an ipconfig on each local machine sucks rocks if you have more than one or two.

In the past, I've simply grabed the MAC off my router's connected clients list but this does inspire me to have a better look over arp.exe away from work's IDS.

(first post)

I usually just use

nbtstat ?a ipaddress/hostname

REM My first example only worked for the first 99 IP's, but this one collects the whole subnet. Sorry,

@echo off

set MYSUBNET=10.242.67
FOR /L %%i IN (0,1,25) DO (
call :ONES %%i
)
goto :EOF

:ONES

FOR /L %%j IN (0,1,9) DO (
ping %MYSUBNET%.%1%%j -n 2 -w 10 2>&1 > nul
arp -a | findstr %MYSUBNET%.%1%%j
)
goto :EOF

This is the one I use to find unused IP addresses in my network. You can specify a range of IPs to scan, and it shows you the MAC addresses of the IPs that are in use as well as a list of IPs (denoted by an "invalid" or 00:00:00:00:00:00) that are not being used.

@echo off
IF [%3]==[] goto syntax

for /l %%i in (%2,1,%3) do (@echo Trying IP %1.%%i
ping -n 1 -l 1 -w 2 %1.%%i > nul
arp -a | findstr /c:"%1.%%i" >> temp.lst)

@echo Used IPs
findstr dynamic temp.lst

@echo Available IPs
findstr invalid temp.lst

del temp.lst

goto :eof

:syntax
@echo.
@echo Usage: arpping net_address first_address last_address
@echo eg. arpping 172.16.1 1 254
@echo.

I'd like to try your file, but I can't figure out what input is needed? A file full of IP addresses? A network range? What do you actually type at the command line?

The command line syntax is:

arpping net_address first_address last_address

Where:
net_address = the first three octets of the local subnet
first_address = the first address you wish to search
last_address = the last address you wish to search

So to search all the subnet at 10.20.30, your input would be:

arpping 10.20.30 1 254

Thanks, I just tried it and it works like a charm. Both of you have added a new tool to my arsenal...

How to get the pc name for windows based pcs? Thank you.

ping the device. If your network is set up appropriately, the ping will return the device name.

Go to the command prompt. CMD and then type hostname. This command will show the pc name.

Nice stuff. Let me check

If your workstations are only connected by wired NIC's, when you ping the machine you are only going to get the wired NIC, not any wirless NIC installed. So the arp command will only give you the MAC of the wired NICs. But I am sure there are more uses for this idea.

WEP is dead. You can't say it enough. I would like to add though that if you have WEP enabled devices on your network, set up a seperate VLAN for them. This would limit the ability for anyone that gets into that network from getting full access to the rest.

Good tip.
Is there a similar 'trick' for the Mac OS?
Mike

Same command in the terminal on OS X: arp -a will show the MAC addresses for each IP

With some configurations you can ping the broadcast address before you do arp -a to get all the addresses. On a 192.168.1.0 network, you could try to ping 192.168.1.255 to get all the addresses. You can find the broadcast address to ping with the command ifconfig. In the list of interfaces that show up, find the one you are connected to the network with and you will see a section that shows the broadcast address to ping.

But again, this does not work under all setups.

garbage.

arp is old, real old - and used by anything that communicates over Ethernet - not limited to windoze try the same in Linux or OS-X, you may need "arp -n" to not convert the IP addresses to names!

For Apple Mac OS 8.x/9.x, apparently the utility IPNetTuner can display the ARP cache of MAC addresses.

Tried it and it doesn't work. The "arp -a" command doesn't display what I've just pinged.

First, Please give me the whole procedure of these method.

is there any way to make a ping to an entire subnet? instead of ping pc by pc?

You can use nmap (http://nmap.org/).

I have been concentrating the business in a narrow field lately and have only recently found a need for these types of programs.
.
I have found out that we need this, to expand our knowledge base.
.
Thank you for sharing .
.
Mike

Works on Windows, and *nix, and front-ends are easy to find if they aren't already packaged with it.

I just now ran a scan of my network with Zenmap. Saved the scan (.USR), and out pops a gift-wrapped XML, suitable for reuse for any occasion. Now, tell me, how nice is that?

Neat - never knew of 'arp'.
Neat way to gather MAC addresses across the network.

Much better to run something like Advanced Port Scanner on the subnet before running the ARP command -- this way you can detect 'rogues' connected to the network as well as not needing to know the names or ping individual stations.

Keep in mind that you need to reduce the scope of the scan to make it fast -- the time-to-live on the ARP cache is pretty brief.

Here is a vbscript I have used to gather NIC information on every PC in my domain. Just replace the "WORKGROUP" with your domain name

You must be an administrator on target PC's


Dim strNetAdapt


Set objDomain = GetObject("WinNT://workgroup")' -------------Replace workgroup With your domain name
objdomain.filter=array("Computer")


for each objcomputer in objDomain

strComputer= objcomputer.name

WScript.Echo strComputer

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery( _
"SELECT * FROM Win32_NetworkAdapterConfiguration where ipenabled=true") '--- if not using WINS remove 'and winsprimaryserver IS NOT NULL' statement
For Each objItem In colItems
Wscript.Echo "-----------------------------------------------------------------------"
Wscript.Echo "Win32_NetworkAdapterConfiguration instance for: "&strComputer
Wscript.Echo "-----------------------------------------------------------------------"
WScript.Echo "macadd: " & objitem.macadress
WScript.Echo "Caption: " & objItem.Caption
Wscript.Echo "DatabasePath: " & objItem.DatabasePath

Wscript.Echo "Description: " & objItem.Description
Wscript.Echo "DHCPEnabled: " & objItem.DHCPEnabled
Wscript.Echo "DHCPLeaseExpires: " & dConvertWMItoVBSDate (objItem.DHCPLeaseExpires)
Wscript.Echo "DHCPLeaseObtained: " & dConvertWMItoVBSDate(objItem.DHCPLeaseObtained)
Wscript.Echo "DHCPServer: " & objItem.DHCPServer
Wscript.Echo "DNSDomain: " & objItem.DNSDomain
strDNSDomainSuffixSearchOrder = Join(objItem.DNSDomainSuffixSearchOrder, ",")
WScript.Echo "DNSDomainSuffixSearchOrder: " & strDNSDomainSuffixSearchOrder
Wscript.Echo "DNSEnabledForWINSResolution: " & objItem.DNSEnabledForWINSResolution
Wscript.Echo "DNSHostName: " & objItem.DNSHostName
strDNSServerSearchOrder = Join(objItem.DNSServerSearchOrder, ",")
Wscript.Echo "DNSServerSearchOrder: " & strDNSServerSearchOrder


strIPAddress = Join(objItem.IPAddress, ",")
Wscript.Echo "IPAddress: " & strIPAddress

strIPSubnet = Join(objItem.IPSubnet, ",")
Wscript.Echo "IPSubnet: " & strIPSubnet
Wscript.Echo "MACAddress: " & objItem.MACAddress
Wscript.Echo "WINSPrimaryServer: " & objItem.WINSPrimaryServer

WScript.Echo "WINSSecondaryServer: " & objItem.WINSSecondaryServer
WScript.Echo "_________________________________________________________________________________________"

Next


Next

Use. . .

ARP -a > C:\mac_addresses.txt

File name can be anything you want as long as it ends in .txt

Thanks for throwing the 'getmac' command out there. I've been in IT for years and never stumbled upon that one, always used 'ipconfig /all'. Just goes to show that old dogs can learn new tricks.

Thanks for the getmac command. Kind of neat.

I prefer the ipconfig /all more since it displays the description of the device.

If you have multiple Virtual interfaces on your machine the getmac output is less useful and quite confusing.

getmac on XP? I get the following message: "getmac is not recognized as an internal or external command, operable program or batch file" Is getmac a batch program or script than can be downloaded, and if so, from where? Also ipconfig does supply the physical address(mac is just slang for this) address.

Afer reading some more, someone posted the MS location to download the program. Not a native XP program, part of Windows 2000 resource kit. Hmmm - thanks - b

Seems to be native

Um, just try Spiceworks? Are you guys not overtechifying this? Why not just download and run Spiceworks Desktop? I was a techy but have been in recovery for many years in ICT business - so no detail knowledge but understand - and prefer/need whatever works quickly and simply. I run a small DHCP managed LAN of Macs and PCs and get the usual nonsense with things losing contact after disconnections- and I don't want to go through all the switching off and on BS, just update the broken network addresses. So I searched the web and found Spiceworks which does it all - picks up all your MAC addresses, node names , IP Addresses, equipment descriptions and even status messages for Ethernet connected devices - as well as doing an applications inventory. I know its a techy thing to make things unnecessarily obscure and be superior about it BUT life's too short for the rest of us - if you want a user friendly solution that lets you get on with real life, here is one for free, albeit a tad slow. I would expect the $$$ Pro version would suit the techy mainliners here better.

Try it before you shout at me, be patient, its good but may not scale well. Awaiting incoming...

Nothing to do with Spiceworks

Brian Catt
01932 772731

http://www.microsoft.com/downloads/details.aspx?FamilyID=00735a58-e6a8-4a8a-a23e-85b2ba7ccbf5&DisplayLang=en
Works with XP [and later...]

that will work in some cases but you may find it tedious to ping all the IPs that you want to resole the MAC address. I have two alternates for your consideration.

1. If applicable use Windows Server DHCP snap-in under leases. all the MACs are there, without pinging each computer. NOTE only works for the DHCP enable clients.

2.my favorite: third party program freeware. no installer no catches no malware.
http://www.softperfect.com/products/networkscanner/

click on green IP button to set to your subnet and send me kudos latter john@imcco.net

P.S. you will find it usefull for much more that macs

That will work in some cases but you may find it tedious to ping all the IPs that you want to resolve the MAC address. I have two alternates for your consideration.

1. If applicable use Windows Server DHCP server snap-in under leases. all the MACs are there, without pinging each computer. NOTE only works for the DHCP-enabled clients.

2.my favorite: third party program freeware. no installer no catches no malware.
http://www.softperfect.com/products/networkscanner/

click on tje green IP button to set to your subnet and send me kudos latter john@imcco.net

P.S. you will find it usefull for much more than just MACs. it will let you FTP SNMP HTTP and show all windows file shares.

Really cool

I have used Angry IP Scanner in the past, but this one does quite a bit more.

LanSpy is another great utility for capturing the MAC address and lots, lots more.

Also freeware - http://lantricks.com/lanspy/

Hi.

I am using a "standalone" PC on an ISP with a Cable Modem. How do I actually identify the MAC for the PC Network Interface *and* the Cable modem?

I tried GETMAC, (XP), but it does not tell me what device is what - any suggestions?

Thanks - :0)

Use the /V option with GETMAC, and it will tell you which interface has each MAC address. Format is getmac /V /S pcname. I have to use this to distinguish VMWare MAC addresses, as well as wired/wireless interfaces.

nbtstat -a (ip) u will get the mac of it