Wireshark-users: Re: [Wireshark-users] newbie MAC->IP question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 19 Jun 2010 12:47:20 -0700
On Jun 18, 2010, at 7:22 AM, János Löbb wrote:

> Looking the Ethernet traffic I see the routers and switches with their ethernet/MAC address.  However they do not show up in the IP traffic.  When I look the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the IP address of the router?  (That is, of course, as it should be.)

> Can Wireshark - or any other program on a Mac - translate a MAC address into an IP ?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, would be to either

	1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC address;

	2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody responds;

	3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

> I looked at man arp, but I do not see it there either and arp -a do not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly won't have it.)

> P.S.  How can I capture only routers and Switch traffic and ignore all the workstations and vice versa  ?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.