On Thursday, July 3, 2003, at 1:02 PM, ChuckS wrote:
True; however, "LexmarkI_6c:48:82" is enough of a clue as to
the device type, and each of the printers also talks TCP/IP.
I hoped there is a means to cross reference for each printer's
IP within a recorded capture.
By "cross reference for each printer's IP within a recorded capture" do
you mean "by using only data from a recorded capture, determine the
printer's IP given its MAC address", or do you mean "have Ethereal use
some mechanism to translate a MAC address to an IP address so that it
can show you, in a capture, the IP address corresponding to a MAC
address *even if there isn't enough data in the capture to determine
that*"?
In the former case, you could try using the *display* filter
    ip && eth.addr == 00:04:00:6c:48:82
which will show you all IP packets to or from that host. If it's from
that host, look at the IP source address; if it's to that host, look at
the IP destination address.
In the latter case, there is no mechanism of that sort that's
guaranteed to work.
A Reverse ARP request asking for the IP address for 00:04:00:6c:48:82
would work only if there's a Reverse ARP server to which you can send
that request (either by knowing its MAC address or by it being on the
local subnet so that you can broadcast the request) that happens to
know the IP address corresponding to that MAC address.
A NetBIOS-over-TCP request *might* work if you could send it as a
unicast MAC-layer packet with a broadcast IP address and have the
printer respond - and if the printer does NetBIOS-over-TCP, which I
suspect it might do in order to support Windows clients.
If that MAC address is in whatever database "ether_ntohost()" supports,
and the machine has that routine, and if the name that returns has the
IP address of the printer associated with it, a program to translate
the Ethernet address to a host name and translate the host name to an
IP address would work.
Ethereal doesn't do any of those (it can sort of do the latter, but it
would do so only if that IP address actually appeared in the capture,
and the only database it uses for the MAC address lookup is an "ethers"
file on the machine itself).
Your best effort would be to filter for all traffic from
00:04:00:6c:48:82 and look for IP packets.
When I enter 00:04:00:6c:48:82 into the Capture / Filter field,
the error displays: "Unable to parse filter string (parse error)."
Then you shouldn't just enter 00:04:00:6c:48:82 into that field, as
it's not a valid capture filter. The valid capture filter is, as per
the tcpdump man page, "ether host 00:04:00:6c:48:82":
    ether host ehost
        True if either the ethernet source or destination address
        is ehost.
The display filter is, as per the example near the top (and as per the
Ethereal man page) "eth.addr == 00:04:00:6c:48:82".
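
The capture-only approach from the reply (IP source address for frames from the MAC, IP destination address for frames to it), as an added example that is not part of the original message or of Ethereal: a Python sketch that reads a classic pcap file with Ethernet link type and counts the IPv4 addresses tied to a MAC address. The ARP sender/target check goes beyond what the message describes; the PC and OTHER MAC addresses, the 192.0.2.x IP addresses and the sample capture are constructed, and VLAN-tagged frames are not handled.

```python
import socket
import struct
from collections import Counter

def ips_for_mac(pcap: bytes, mac: bytes) -> Counter:
    """Count the IPv4 addresses a classic-pcap Ethernet capture ties to `mac`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        dst, src, etype = frame[0:6], frame[6:12], frame[12:14]
        if etype == b"\x08\x00" and len(frame) >= 34:      # IPv4
            if src == mac:
                seen[socket.inet_ntoa(frame[26:30])] += 1  # IP source address
            if dst == mac:
                seen[socket.inet_ntoa(frame[30:34])] += 1  # IP destination address
        elif etype == b"\x08\x06" and len(frame) >= 42:    # ARP (added check)
            for hw, ip in ((22, 28), (32, 38)):            # sender pair, target pair
                if frame[hw:hw + 6] == mac:
                    seen[socket.inet_ntoa(frame[ip:ip + 4])] += 1
    return seen  # several addresses for one MAC usually means a router or gateway

# Everything below is a constructed sample capture, built in memory.
def record(frame: bytes) -> bytes:
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def ipv4_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    hdr = b"\x45\x00\x00\x14" + bytes(4) + b"\x40\x06\x00\x00"  # checksum left zero
    return (dst_mac + src_mac + b"\x08\x00" + hdr
            + socket.inet_aton(src_ip) + socket.inet_aton(dst_ip))

PRINTER = bytes.fromhex("0004006c4882")  # MAC address from the thread
PC = bytes.fromhex("020000000001")       # constructed
OTHER = bytes.fromhex("020000000002")    # constructed
ARP_REPLY = (PC + PRINTER + b"\x08\x06" + bytes.fromhex("0001080006040002")
             + PRINTER + socket.inet_aton("192.0.2.25")
             + PC + socket.inet_aton("192.0.2.10"))
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    record(f) for f in (
        ipv4_frame(PC, PRINTER, "192.0.2.25", "192.0.2.10"),
        ipv4_frame(PRINTER, PC, "192.0.2.10", "192.0.2.25"),
        ipv4_frame(OTHER, PC, "192.0.2.10", "192.0.2.99"),
        ARP_REPLY))

if __name__ == "__main__":
    print(ips_for_mac(SAMPLE, PRINTER).most_common())
```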