Ethereal-users: RE: [Ethereal-users] Where to find machine with mac address on network

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Wed, 20 Jun 2001 08:16:27 -0500
There are several answers to this question.  (This post doesn't rightly
belong on the list either, but again, it relates to *interpreting* packet
traces, so I suppose we can address it anyway...)
 
If you just want the IP address associated with that MAC address, look in
your router's ARP table (you can also look in your workstation's ARP table).
If your router supports SNMP, query the MIB "ipNetToMediaPhysAddress" and
look for that MAC address.  The IP address will be the last four digits of
the instance number.
 
Suppose, though, that you don't have a router, or you don't find the MAC
address in the router's ARP table, or the device isn't running IP in the
first place (or isn't running IP properly, such as a machine with a bad DHCP
implementation).  Fine.  As someone else suggested, you can probably look in
the forwarding tables on your switches (SNMP MIB "dot1dTpFdbPort" - you'll
have to convert the MAC address to decimal to match against the instance
number, or just query the dot1dTpFdbEntry table if you've got a MIB browser
that will show you the results in tabular form).
 
Even if you only have a hub, if it's got any intelligence or management on
it, it probably knows what port has that MAC address attached to it (if it
was the last source address, SNMP MIB "rptrAddrTrackNewLastSrcAddress" -
also try without the 'New').
 
If both of those don't work, you may just have to go to each station on your
network and look at the network cards.  This might not be a bad idea (for a
smallish network) anyway, since it's often good to have documentation about
your network.  Get as much as possible from the routers and switches, then
get the rest by hand.  The packet captures you took that made you curious
about this MAC address in the first place should give you some idea of what
kind of device it is (is it running IP? Spanning Tree?  AppleTalk?  Sending
out SNMP queries in the HP MIBs?).
 
Commands to get the MAC address from workstations:
 
Unix:
 
ifconfig
ifconfig -a
ifconfig eth0
ifconfig en0
ifconfig ec0
ifconfig fxp0
ifconfig le0
[the list goes on]
arp -an
 
Different versions of unix use different forms of the ifconfig command, and
call the Ethernet (or other network) devices by different names.  Ifconfig
by itself or 'ifconfig -a' ought to give you everything about all of the
interfaces on just about any unix flavor, though, so try that first.
Remember that the ifconfig command may not be in your path unless you're
root.  Try /sbin/ifconfig if just plain ifconfig doesn't work.  The arp
command may be able to match up your own IP with your MAC address if
ifconfig doesn't work for you.  You can also get other machines' MAC
addresses this way.
 
 
Windows 9x:
 
winipcfg
arp -a
nbtstat -A [IP address]
 
Believe it or not, a Windows box can give you the MAC address of any machine
reachable via NetBIOS by using nbtstat, even across multiple router hops.
Again, nbtstat and arp are useful for getting MAC addresses for other
machines.
 
 
Windows NT/2000:
 
ipconfig /all
arp -a
nbtstat -A [IP address]
 
Same deal, except there's no 'winipcfg'.
 
 
Macintosh (using Open Transport):
 
Apple Menu -> Control Panels -> TCP/IP (the AppleTalk control panel also
works for this).
In the TCP/IP control panel, hit Cmd-I (or go to Get Info from the Edit
menu, I think).  A dialog box should show up with your MAC address.
 
 
Macintosh (using Classic Mac Networking):
 
Not only is there no way that I know of (short of third-party programs) to
get the MAC address, you *really* ought to just upgrade any box running
Classic Mac Networking.
 
 
Macintosh (running OS X):
 
Haven't seen one yet.  Anybody know about this?
 
--J

-----Original Message-----
From: Tony Wong [mailto:twong@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, June 18, 2001 11:32 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Where to find machine with mac address on network


When I am capturing packets with Ethereal, I get a lot of MAC addresses both in
the source and destination. Where can I find what machine this MAC address
is on on my network?
 
Also why do the source and destination change: some IP addresses and
some MAC addresses?
 
Thanks
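
Added example, not part of the original thread: a Python sketch of the two SNMP lookups described in the reply, reading the IP address from the last four numbers of an ipNetToMediaPhysAddress instance and converting a MAC address to decimal to match a dot1dTpFdbPort instance. The walk text, addresses and function names are constructed for illustration, and the line format assumed is that of net-snmp's `snmpwalk -On`.

```python
import re

IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"   # ipNetToMediaPhysAddress
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"    # dot1dTpFdbPort

# Constructed sample lines in the style of net-snmp `snmpwalk -On` output.
ROUTER_WALK = """\
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.1 = Hex-STRING: 00 10 7B AA BB CC
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.57 = Hex-STRING: 00 A0 C9 12 34 56
"""
SWITCH_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.16.123.170.187.204 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.160.201.18.52.86 = INTEGER: 7
"""

def mac_digits(text):
    """12 lowercase hex digits from 00:a0:.., 00-A0-.., 00a0.c912.. or
    '00 A0 ..'; None if the text is not a 48-bit MAC address."""
    digits = re.sub(r"[\s:.\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def fdb_instance(mac):
    """MAC as the six decimal sub-identifiers that index dot1dTpFdbPort."""
    d = mac_digits(mac)
    if d is None:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(str(int(d[i:i + 2], 16)) for i in range(0, 12, 2))

def rows(walk, base):
    """Yield (instance suffix, value) for each line under the column OID."""
    for line in walk.splitlines():
        oid, sep, value = line.partition(" = ")
        oid = oid.strip().lstrip(".")
        if sep and oid.startswith(base + "."):
            yield oid[len(base) + 1:], value.split(":", 1)[-1].strip()

def ips_for_mac(walk, mac):
    """Instance is ifIndex.a.b.c.d, so the IP is its last four numbers."""
    want = mac_digits(mac)
    if want is None:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return [".".join(inst.split(".")[-4:])
            for inst, val in rows(walk, IP_NET_TO_MEDIA_PHYS)
            if mac_digits(val) == want]

def bridge_port_for_mac(walk, mac):
    """Bridge port the switch learned this MAC on, or None if not in the
    table (entries age out, and the value is not always the ifIndex)."""
    want = fdb_instance(mac)
    return next((int(val) for inst, val in rows(walk, DOT1D_TP_FDB_PORT)
                 if inst == want), None)
```

A MAC address missing from the forwarding table only means the switch has not seen it as a source recently, so repeat the walk while the device is transmitting.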