SUMMARY: Reverse-ARP

From: Rodney Wines (rodney.wines@ahqps.alcatel.fr)
Date: Thu Aug 07 1997 - 07:50:59 CDT


Thanks for the many helpful responses.

Original question:

> Does anyone have a method (preferably automated) to translate from a MAC
> address to an IP address? I seem to remember when I used Ultrix many years
> ago that there was a "rarp" command. I can't find this on either Solaris
> 2.5.1 or HP-UX 10.10, although I did find information about in.rarpd for
> Solaris. However, in.rarpd doesn't help me, because it requires the
> existence of an /etc/ethers file, and if I had that, I'd not need rarp ...

> I can do an "arp -a", and see the arp cache, but that doesn't contain
> enough addresses to be useful. In any event, I don't THINK that
> a reverse-ARP would work except for nodes on my local Ethernet segment, so
> a solution would probably have to involve my Cisco routers. I can do an
> ARP for every node on my network, and build a table myself, but I can't
> see MAC addresses except for those on the segment from which the ARP
> command is run.

I got quite a few responses on this one, and quite a few different ideas.
Several people suggested just doing a "ping" to the broadcast address, then
an arp -a. Others suggested various tools such as snoop and arpwatch. Of
the suggestions of this type, the one I liked the best was from Leo Crombach
<lcrombach@tropel.com>: "I use the following script to accomplish this
task:"

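#!/bin/sh
# Ping each address on the 199.25.234 network so the local ARP cache is
# populated, then print that address's ARP entry.
# Assumes a ping that returns on its own, as on Solaris; where ping runs
# until interrupted, add that system's packet-count option.

i=0
while [ "$i" -lt 255 ] ; do
        i=`expr "$i" + 1`
        ping "199.25.234.$i" > /dev/null
        arp "199.25.234.$i"
done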

This fits in quite well with what I'm already doing, because I have a Perl
script that pings all my network nodes periodically anyhow.

However, all these approaches have one shortcoming. I was right about the
fact that I can't see MAC addresses except for nodes on my local segment.
However, Michael Maciolek <mikem@centerline.com> had a workable solution:

> The easiest thing to do is get the arp cache directly from your router. If
> you have several routers, do the same for all of them. For a cisco
> router, telnet into the router and do:

> router1> term no len
> router1> show arp

> The "term no len" turns off page-breaks, which is good if you're writing
> an 'expect' script to automate the process. You get the whole arp cache
> in one stream without having to hit the space bar after each screenful.

> Obviously, this only gives you the entries that are in the router's
> cache; cache entries expire after some configurable period of
> time...default is 4 hours on my Cisco running an old 9.1 release; your
> mileage may vary. I'd suggest collecting your data in the middle of the
> workday, so the greatest number of cache entries will still be valid.

This will do the trick. The only disadvantage is that I won't see the
address if it isn't in the cache, so I'll have to ping all the nodes before
I dump the cache so that the cache will be up to date.
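
The last step, turning a saved "show arp" dump into a MAC-to-IP lookup, as an added example that is not part of the original post or any reply. The sample router output is constructed, the column layout is assumed to be the usual Cisco one, and the function names (norm_mac, arp_table, mac_to_ip) are hypothetical. It also reconciles the router's dotted MAC notation with the colon form a host's arp command prints.

```sh
#!/bin/sh
# Added example (not from the original post). SAMPLE_ARP is constructed data
# in the layout assumed for Cisco "show arp" output.
SAMPLE_ARP='Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  199.25.234.1            -   0000.0c07.ac01  ARPA   Ethernet0
Internet  199.25.234.17          12   0800.207a.1b2c  ARPA   Ethernet0
Internet  199.25.234.40           0   Incomplete      ARPA
Internet  199.25.235.9           97   0060.b0c4.11ef  ARPA   Ethernet1'

# Normalize a MAC to 12 lowercase hex digits. Accepts the router's dotted form
# (0800.207a.1b2c) and the host "arp" form, which drops leading zeros
# (8:0:20:7a:1b:2c). Prints nothing if the input is not a valid MAC.
norm_mac() {
    printf '%s\n' "$1" | awk '{
        m = tolower($0); out = ""
        if (m ~ /\./) { n = split(m, p, /\./); w = 4 }
        else          { n = split(m, p, /[-:]/); w = 2 }
        for (i = 1; i <= n; i++) {
            if (length(p[i]) < 1 || length(p[i]) > w) exit
            out = out substr("0000", 1, w - length(p[i])) p[i]
        }
        if (length(out) == 12 && out ~ /^[0-9a-f]+$/) print out
    }'
}

# Read "show arp" output on stdin; print "mac ip interface" for each resolved
# entry. The header line and "Incomplete" entries are skipped.
arp_table() {
    awk '$1 == "Internet" && $4 ~ /^[0-9a-fA-F]+\.[0-9a-fA-F]+\.[0-9a-fA-F]+$/ {
        m = tolower($4); gsub(/\./, "", m); print m, $2, $6
    }'
}

# Read "show arp" output on stdin; print every IP recorded for MAC $1.
# Exit status: 0 = found, 1 = not in the cache, 2 = $1 is not a MAC address.
mac_to_ip() {
    want=$(norm_mac "$1")
    [ -n "$want" ] || return 2
    arp_table | awk -v want="$want" '$1 == want { print $2; found = 1 }
                                     END { exit !found }'
}

# Demo: look up a MAC written the way a Solaris host prints it.
printf '%s\n' "$SAMPLE_ARP" | mac_to_ip 8:0:20:7a:1b:2c    # -> 199.25.234.17
```

With dumps from several routers, concatenate them before piping into mac_to_ip; an exit status of 1 means the address was not in any cache when the dump was taken.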


