locked
Getting the IP adress from a MAC adress

    Question

  •  

    Hello everyone!


    Basically its just one question, I got a MAC-adress and I want his/her IP-adress.

    Lets say I got the MAC "0000EAA7B5FF" and I want to convert it to 192.168.0.1 or whatever the adress is Smile

     

    I know that this is implemented with the ARP protocol but is there any built in function in C# that can do this for you?

     

    Thanks

     

    /David

     

    Wednesday, August 08, 2007 1:02 PM

All replies

  • With TCP/IP one needs to be able to convert a TCP/IP address to the MAC Address of the machine with that address.  That's what ARP is for.  There isn't a simple equivalent that converts from a MAC Address back to an IP Address -- there's no general need for such an operation...
    Wednesday, August 08, 2007 4:07 PM
  • Of course it can be done, the thing is that I need to send out a broadcast to all machines and ask them whos got a specified MAC adress and this is done with the ARP protocol.

    Because if I know what machine has a specified MAC I also know its IP.

    /David
    Wednesday, August 08, 2007 5:53 PM
  • A MAC address never changes, it is built into the network adapter and is completely independent of the computers IPAddress.  There is no "converting" a MAC address to an IPAddress, or from an IPAddress.
    Thursday, August 09, 2007 5:11 PM
  • As you said, there is no direct/fixed connection between an IP and a MAC address... But MAC addresses can be changed (even in software... I believe that it's supported since windows 2000...)

    And yes, there are ways for communcation between level2 <-> level3 protocols... ARP would be the most widely used one to lookup MAC addresses that belong to an IP and vice-versa... (Windows does have an arp.exe command, but unlike my linux machine, i haven't found a rarp.exe.. In the IPHLPAPI.DLL i've found a method SendARP that will lookup the MAC for a given IP, but haven't seen something that does the reverse )
    Thursday, August 09, 2007 10:16 PM
  •  

    I think you are missing what I want to do or maybe I'm not clear enough. I know that the MAC doesnt change and I know how ARP works Smile

     

    I have a MAC adress from a computer somewhere on the network. What I want to do now is to broadcast a message "WHO HAS XXXX TELL YYYY" as ARP does.

     

    This is all I want to do.

     

    Is there any way to use ARP in C# to do this? And returning the IP adress to my program.


    Do you get me? Smile

     

     

    /David

    Friday, August 10, 2007 7:15 AM
  • Well...  I state again, ARP is used to convert an IP Address *to* a MAC Address.  It is /not/ for converting a MAC Address to an IP Address.

     

    Stevens / TCP/IP Illustrated, Volume 1 -- The Protocols:

    "ARP provides a dynamic mapping from an IP address to the corresponding hardware address."

     

    Perlman / Interconnections:

    "ARP: This is a message sent to the data link layer broadcast address indicating a network layer address for which the transmitter seeks a corresponding data link layer address."

     

    Huitema / Routing in the Internet:

    "ARP ... the target's hardware address is indeed unknown when the request is sent ..."

     

    RFC 826 -- An Ethernet Address Resolution Protocol:

    "Presented here is a protocol that allows dynamic
    distribution of the information needed to build tables to
    translate an address A in protocol P's address space into a
    48.bit Ethernet address
    ."

     

    Even wikipedia:

    "... standard method for finding a host's hardware address when only its network layer address is known."

     

    If you know some way to magically have ARP reverse its role and do the opposite mapping operation then show us the binary content of the ARP packet which would accomplish that.  We can then see if there's a Windows API to effect that.

     

    As Karthikeya said the only useful way of using ARP for this is to hope that the local device has been communicating with the device with that MAC Address, one can then look in the ARP cache for that entry.  One might have a better chance of finding the device by looking in the router's ARP cache table.

     

     

    On other subjects...  "converting" well what term would you prefer, "find the mapping to"?  "ARP is used to find the mapping to MAC Address for an IP Address", yikes!.  On RARP, well I wondered when it would be mentioned.  RARP was a predecessor to DHCP.  When diskless workstations were common it was used, one server machine (with a hard disk!) was configured with a list of what IP Addresses to give to what diskless workstations.  It has *no* other use to that address assignment role.  Stevens: "RARP is used by systems without a disk drive (...) but requires manual configuration by the system administrator."  BTW the ethertype for ARP is 0x0806, and for RARP 0x8035.

    Saturday, August 11, 2007 12:29 PM
  • I know that ARP is used for getting what computer has a specified IP. But if you can broadcast a message to all known computers within the network and read the answer then you will know what computer has a specific IP and MAC because you will get an answer back. So my question once again is, how do I send ARP messages and how do I read them using C#.

     

    ex

     

    question: WHO HAS FAFAFAAF TELL 192.168.0.1

     

    answer: I HAVE FAFAFAAF !!!

     

    Then you will know from reading the socket what IP hes got and this is what I want to do.

     

     

    Do you understand? Smile

     

     

    thanks

     

    /David

     

     

    Tuesday, August 14, 2007 6:32 AM
  • I give up.  You seems to be utterly stubborn, or unable to read... :-(

    Tuesday, August 14, 2007 7:08 PM
  • Well,

    to put it simply :

    1 - There is no link between the Mac address and the IP address assignation. It's a task that is done by the DHCP server or by the computer itself that fix his own IP address (by user or automaticaly).

    2 - you can comunicate with everyone by many possibilities. The most simple is broadcast. You send UDP data thru the ultimate ip allowed to your ip pool eg : ip 192.168.0.144 submask 255.255.255.0 the broadcast address is 192.168.0.255 if the submask was 255.255.255.1 the broadcast address would be 192.168.0.254 (this is a binary filter, I suggest to seek info about subnet mask). Other possibility is the multicast (but each client must connect to the multicast address and you must have a switch).

    what you are asking is not clear ....... you want to populate the arp cache ? and ask thru c# with arp witch has witch IP ?
    Thursday, August 16, 2007 10:47 PM
  • Did you ever find an answer to this?  I'm in the same situation.

     

    btw, I thought your question was perfectly clear.  All I could do was shake my head when I read how obtuse some to the other responses you got were.

    Friday, September 14, 2007 6:26 PM
  • The question was totally clear. I work in Network Security and prior to that was 3rd level Network Support. 

    I have an .exe that does the reverse lookup. I got it from a co-worker and I'm not sure where he got it but I will ask him.

     

    Alan - The protocol is called RARP (Revere Address Resolution Protocol).

    That must have been Volume 2 of TCP/IP Illustrated. The author of this thread can read and is not stubborn.

    He was probably getting frustrated because there were people providing incorrect and unhelpful answers.

     

    As for "there is no need for such a thing", you are incorrect. As technology changes, the need for RARP decreases.

    However, back in the day of Token Ring, if you had a device beaconing and taking down the ring, the only way you could find the offending device in a large network quickly was to do a Reverse lookup. Ethernet and GIG replaced Token Ring so RARP is no longer needed as much in that regards. DHCP has also minimized the need for RARP.

     

    It does exist and it is needed. So, before you insult someone by calling them stubborn or illiterate, you may want to make sure you know exactly what you are talking about. Then once you are certain you know what you are talking about....

     

    STILL DON'T INSULT THEM!!!

     

     

    Saturday, October 06, 2007 4:23 AM
  • Are you saying that RARP is the protocol that should be used here?  Didn't you read my earlier message either?!  RARP is of no use here.
    Sunday, October 07, 2007 10:27 AM
  • RARP can be a solution to him ...... but it would be tricky and need a lot of conditions to be reunited like to be only in a LAN ..... However it can be done that way .....

    The thing is that he will not ask like he thought ..... he needs to retrieve and process all inside his program.

    Just a precision :

    The work that one do doesn't mean anything .......... it does not proof any knowledge.

    So please stop the reply with "I work in ...." or "My job is ....." so listen to me because you're all wrong.

    I don't say that you doesn't know anything .... it's just that it does not mean anything, a job is gained thru two methods : Efforts and Friendship ..... We don't know and you can't proof us that you're on the good side.
    The idea behind this : You help or not ...... But don't feel to show off your ego in the net.

    However you're are right in one thing : NEVER INSULT, I might have insulted right now so I apologise in advance. an insult depends on the one reading it ..... not the one writting it.


    It seems that this subject is converting to a troll because the person interested doesn't intervene and the ones answering are fighting each other Wink
    Sunday, October 07, 2007 6:27 PM
  •  

    As to whether there is a need to resolve MAC to IP address, I got here looking for a RARP client for Windows, because I need to find the current IP address (preferably NetBIOS name) of a machine that caused an entry in my system log about a conflicting IP.  Obviously at the time it conflicted, I knew its IP (same as mine), but it no longer does, and all I have is the MAC address in the system log.  From user mode with the tools available I can try pinging everything on my segment and viewing the arp table for a match, but this is a lengthy, tedious and possibly unreliable process.

     

    What I need is something that gives the functionality of a reverse ARP lookup.

     

    RARP looks promising as a start - it uses the same packet format as ARP, however it uses a different ethertype value (0x8035 vs 0x0806 for ARP), and 2 new opcodes.  Perhaps this is where the confusion lies about sending ARP packets to do RARP.  The RFC for RARP states it's mainly used for a workstation to get its own IP (which seems unnecessarily restrictive), and in that respect predates bootp and DHCP. The packet format does not enforce this however and I'm certain I've seen many references to the use of RARP to obtain information about machines other than the client machine.

     

    Also, a RARP client relies on something answering it.  Whilst all TCP/IP hosts must provide an ARP responder (else they are to all intents and purposes unreachable), the same is not true for RARP responders.  I don't know for instance if Windows ships with something that by default will respond to RARP requests.  From preliminary tests (Win2000 server and XP), it doesn't look like it does.  So the thing that really renders RARP useless is lack of widespread OS support for it.

     

    There is also mentioned a protocol called Inverse ARP (RFC 2390), which is an extension (2 added opcodes) to ARP.  I tried generating and sending a few of these packets, but couldn't get a response out of several target OSes.  So it looks like InARP isn't widely deployed either.  There's yet another variant called Directed ARP, which seems to solve another more obscure use-case as well.

     

    All the RFCs (that I could find anyway) weren't really concerned with this primary issue, except for InARP, and that has some limitations as well (not very useful for multi-IP interfaces since the ARP packet format can only return one physical to protocol address mapping) even above not being widely deployed.

     

    So the problem becomes "what packet can I send to this MAC address to get any sort of response out of it that will give away its IP?". I tried ICMP echos (to broadcast IP, target MAC) - no response, NBT lookups - no response unless IP matched.  Then I tried packets with TTL=1 and dest IP of 1.2.3.4 (would require routing) to solicit Dest Unreachable responses. Bingo.

     

    So it looks in the end like your options are severely limited. You could try sending crafted packets to solicit some sort of response that would give the target host away, but my feeling is that even using TTL=1 won't work all the time.

     

    As for doing this with C#.  Unless you can find a good component that will allow you to send arbitrary packets to user-specified MAC addresses out an interface you also specify, then forget it.  Most modern OSes will lock this away from you unless you have your own kernel mode driver that you can get to send packets for you.

    Tuesday, December 11, 2007 9:57 PM
  • You're experiencing a very comon trouble in network administration. The lack of RARP and InARP as you have mentioned are due to one thing :

    Nothing gives in an "fully automaticaly" way to assign an IP to a network card ........ To do this you need a DHCP server (that works with it's own rules, depending how you configure it - so your own rules) or to fix the IP manualy directly with the OS of the computer.
    The only way to reverse back with 100% chances and no efforts is to have an international rule for that (and it does not exist).

    I think that I begin to understand the case, tell me if I'm wrong :
    1- You have two computers that have the "IP Conflict" problem.
    2- You try to do an application to understand the problem
    3- You have a well configured dhcp system that gives IP and each computer are configured to ask the DHCP their IP (and does not have a second IP configured ..... in the advanced button if you're in windows)


    Your problem might be more simple than you think, and does not need software and can't be analysed by software (only by the switch monitoring).

    You problem might be due to the MAC vendor code by the IEEE http://standards.ieee.org/regauth/oui/oui.txt
    many people think that MAC conflict is practicaly impossible due to it's 281474976710656 possible MAC ..... However by this IEEE the maximum mac per brand falls rapidly ...... and if you have a majority of one model in one brand .... this maximun addressable MAC is often only 65536 MAC (16 bits).  More computer you have with the same nic and more you can have two same MAC address.

    If it's the case, your DHCP server will give the IP to the first of the two computer to ask it until the lease timeout (if it's correctly configured and if the dhcp server is good).

    In this very case, no application can "securely" comunicate with those two computers because even the switch doesn't know what's going on and can't route correctly the data to the good computer. And there is also the fact that normaly one of those computer (and even both) disconects themselves automaticaly until the trouble is fixed.

    In order to fix it you need to change your mac address or change your nic. In every good nic and OS there is the possibility to change your mac address (or physical address).

    Good luck.
    Wednesday, December 12, 2007 1:49 AM
  • In this particular case, the range of IPs was excluded from DHCP allocation (because it's statically assigned), so it wasn't our DHCP server assigning an IP to someone else that conflicts with my machine.

     

    That's what made me suspicious, since someone else would have needed to manually assign themselves my IP address  or be running some ARP poisoning software or something to cause this conflict.  I didn't recognise the vendor from the MAC address either.  Until you close the warning dialog I think networking is disabled on that machine.  I noticed the machine was unavailable over the weekend.

     

    I presume Windows will display a warning message about a conflicting IP address in certain circumstances, perhaps (this is pure speculation).

     

    * whenever it sees an ARP request from somewhere where the requester matches its IP but not its MAC.

    * whenever it sees an ARP response from somewhere where the target/response matches its IP but not its MAC.

     

     

     

     

    Wednesday, December 12, 2007 2:04 AM
  • So, is there a solution for RARP?

    Wednesday, December 12, 2007 10:11 AM
  • For RARP : no

    the only way to retrace that is thru the switches log. If it's a good switch you can detect up to witch port is connected the computer (thru it's weird mac address). if you know that you can know witch computer and witch user (up to you to do the detective and to stay in the office when it occurs).

    good luck
    Thursday, December 13, 2007 3:58 PM
  •  

    There are two other ways, but neither is very pretty.

    1. Ping every IP within your subnet mask, and consult your local ARP table. I have a vbscript which does this and a few other things. A simplified script that only pings 1 IP and then hunts for its ARP address looks like this:

      Code Snippet
      @echo off
      endlocal
      set IPtoCheck=10.0.0.21
      ping -n 1 %IPtoCheck% >nul
      arp -a | findstr %IPtoCheck%
      endlocal


      Obviously this will only work if the MAC address you are looking for is within your broadcast domain and the IP addresses in the subnet mask that you pinged; if it is on the other side of a router (or on another VLAN), you will not see its true MAC address.

      Also, if you have a maximally paranoid network admin, he/she may have an IDS set to alert when ping sweeps occur, so you might get ready for a netadmin's visit.

    2. Passively listen to the ARP broadcasts on your network and build a table from which to do arp-to-IP lookups. I suppose one could build his/her own hokey 'RARP server service' in this way.

      As already noted, switches and routers already keep ARP tables, so instead of (or in addition to) listening, you could collect their tables into your own.

    Good luck with it!

     

    Friday, February 15, 2008 4:55 PM
  • Yes but one need could be if your trying to track MAC spoofing
    Monday, December 10, 2012 8:26 PM
  • I have had a lot of experience in the area of this posting.  I use to setup a network of computers for alpha a beta testing of Network firmware.   I occsaionally found duplicate IP addresses in our Network for the following reasons.

    1) We had a DNS server assigning IP addresses in the same subnet as fixed IP addresses.  Yo ushould never havve a subnet with a mixture of both DNS assignments and fixed IP addresses.  fixed IP addresses should always be in a seperate subnet.

    2) During power outages.  We occsaionally had the DNS server loose power and some of the PC in the network still were running.  We power was restored the DNS server reassigned an IP address to a second PC.  This usually occured when the server Powered up before one of the routers powered up.  The DNS server ARPS to make sure it doesn't assign and IP address to an existing computer, but this isn't fool proof when there are routers in the in the subnet that may be powered off.


    jdweng

    Tuesday, December 11, 2012 5:07 PM