A MAC Address is a unique identifier used to mark a specific piece of hardware. With wireless access points (APs), this is always transmitted as the base station identifier (BSSID), alongside the name of the access point (ESSID). Using your computer's network settings manager you can view an AP's BSSID and in turn discover its MAC address. I have the IP address and I and trying to find the mac address or interface that connected to the server. Could you tell me the command or the way to find the Switch port or mac address if you only have ip address. Regards Star 0 Helpful Reply. Patrick Harrold. Beginner In response to Star.
As a Network Administrator/Engineer you may be asked to find MAC addresses and/or IP Addresses, hopefully this can make your job a little bit easier. These commands work on most Cisco Switches and Routers but sometimes the commands can vary from device to device.
5 Steps total
Step 1: Connect to your Cisco Devices
Connect to the Switch/Router by using a console cable or a terminal emulator like Putty or Secure CRT. If you are successful it should look something like this.
Step 2: Find The MAC Addresses
On the layer 2 device (switch) enter the username and password if needed. Next enter 'enable' mode on the switch by typing enable. Next type the command 'show mac address-table'. If successful it should look like the picture. It's worth noting that on some Cisco devices the command 'show mac-address-table' also works.
Step 3: Find the IP Address
On the layer 3 device ( L3 switch or router) in my case I am using a router, enter the username and password if needed. Next enter 'enable' mode on the router by typing enable. Next type 'show ip arp' if done correctly you should get an output similar to the picture.
Get Ip From Mac Address Cmd
Step 4: Filtering the results on a Router
In the example I have provided there were only 9 IP addresses. However in the real world there could be dozens or even hundreds of IP addresses. To help filter the results on a router type 'show ip arp ?' You will see gigabitethernet' as an option this will let you filter results by interface or sub-interfaces. In my exmaple it typed 'sho ip arp gigabitEthernet 0/0.10' and that listed all IP's on my sub-interface.
Step 5: Filtering the results on a Layer 3 Switch
As stated in Step 4, you will likely have more than 9 IP Addresses. This can be made worse in a messy closet with a 48 port switch running the closet and maybe even some layer 2 switches under that. Luckily in addition to being able to filter by interface you can also filter by VLAN. So type in 'show ip arp ?' and you will see 'vlan' as a listed filter. As you can see I typed in 'sho ip arp vlan 20' and it listed only those IP's in vlan 20. In this case it was the vlan interface and a PC.
I hope this guide was helpful for you. If you aren't sure about something or feel like I missed a step, please let me know.
9 Comments
- AnaheimGDBJNC Apr 27, 2018 at 01:15pm
Great post.
Another way to find that information is to first PING the address of the system you are looking for. Then issue:
show arp | i .This will then show you the MAC address associated with the IP address.
Then issue:
show mac address-table | iThis will give you the port that the device is currently connected.
- CayenneJim6795 Apr 27, 2018 at 01:15pm
Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.
As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp | i 0/24' will show just the MAC address(es) on that port.)
The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?
(ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)
- DatilCrimsonKidA Apr 27, 2018 at 02:04pm
Good stuff, thanks for posting this! My go-to Cisco command is: show ip interface brief (show ip int bri). Another thing I've learned that is very helpful (I'm still a noob with Cisco stuff) is tab-completion and using a '?' after the start of a command, such as 'show ?'
- CayenneEd Rubin Apr 27, 2018 at 03:09pm
Unfortunately dumping the mac table and working through it is the only way to reliably find stuff and identify its switch port. I've done a similar process with HP switches. One thing that helps a lot is an ip scanner application that does MAC vendor ID lookups for you. This can help with jim6795's problem of identifying an undocumented switch IP since you can look for the the switch maker's vendor ID and then try ssh or telnet, or http/https depending on the product.
- JalapenoTS79 Apr 27, 2018 at 06:53pm
Spiceworks has the ability to harvest this information using SNMP and will create a map showing which device is on which switchport. It must have the correct MIB installed for your switch and you must configure SNMP. The feature could use some more work but basic components are there.
- JalapenoSadTech0 Apr 27, 2018 at 08:06pm
Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.
As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp | i 0/24' will show just the MAC address(es) on that port.)
The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?
(ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)
Couldn't you just use CDP? #show cdp nei detail will show you the ip of the connected devices.
- Thai PepperTaylorC Apr 27, 2018 at 08:45pm
Hey everyone thanks for the great feed back, it's really cool having this featured. @SadTech0 if you cant to the console port and you don't know the IP Address you could use a tool like angry IP scanner and find the switch that way. CDP may or may not work depending on your network configuration and/or topology. Barring some major obstruction you should try to console in get the ip and start an inventory. Hope that helps.
- Thai PepperTodd_in_Nashville Apr 30, 2018 at 12:34pm
Keep in mind, in some security minded environments, CDP may be disable if it's not needed. It's one of those things that give out unnecessary reconnaissance info to the bad guys. If one of your edge routers gets compromised, it can be used to start footprinting your internal network.
- Thai PepperJohn3367 Apr 30, 2018 at 08:51pm
Great info..
Another helpful thing you should add!
SHOW INVENTORY ---> To show the SERIAL number of the Cisco device you are on.
**I always use those commands you show to troublshoot. They are very helpful. I usually PING an IP address. then I type a 'show arp' and get its MAC address.. then I will type 'show mac-address table' which will show me which PORT the device is connected to!
How would you communicate with a device when you don’t have the IP?
You might be in a situation where you don’t have the IP address of a device in a local network, but all you have is records of the MAC or hardware address.
Or your computer is unable to display its IP due to various reasons, and you are getting a “No Valid IP Address” error.
Finding the IP from a known MAC address should be the task of a ReverseARP application, the counterpart of ARP.
But RARP is an obsolete protocol with many disadvantages, so it was quickly replaced by other protocols like BOOTP and DHCP, which deal directly with IP addresses.
In this article, we’ll show you how to find IPs and device vendors using MAC addresses with different methods for free.
Understanding ARP
ARP (Address Resolution Protocol) is the protocol in charge of finding MAC addresses with IPs in local network segments.
It operates with frames on the data link layer.
As you might already know, devices in the data link layer depend on MAC addresses for their communication.
Their frames encapsulate packets that contain IP address information.
A device must know the destination MAC address to communicate locally through media types like Ethernet or Wifi, in layer 2 of the OSI model.
Understanding how ARP works can help you find IPs and MAC addresses quickly.
The following message flow diagram can help you understand the concept:
- The local computer sends a ping (ICMP echo request) to a destination IP address (remote computer) within the same segment. Unfortunately, the local computer does not know the MAC address… it only knows the IP address.
- The destination hardware address is unknown, so the ICMP echo request is put on hold. The local computer only knows its source/destination IP and its source MAC addresses. ARP uses two types of messages, ARP Request and Reply.
The local computer sends an ARP REQUEST message to find the owner of the IP address in question.
This message is sent to all devices within the same segment or LAN through a broadcast MAC (FF:FF:FF:FF:FF:FF) as the destination.
- Because the remote computer is part of the same network segment, it receives the broadcast message sent by the local computer. All other computers in the LAN also receive the broadcast but they know that the destination IP is not theirs, so they discard the packet. Only the remote computer with destination IP, responds to the ARP REQUEST with an ARP REPLY, which contains the target MAC address.
- The local computer receives the ARP REPLY with the MAC address. It then resumes the ICMP echo request, and finally, the remote computer responds with an ICMP echo reply.
Finding IPs with ARP
You can use ARP to obtain an IP from a known MAC address.
But first, it is important to update your local ARP table in order to get information from all devices in the network.
Send a ping (ICMP echo reply) to the entire LAN, to get all the MAC entries on the table.
To ping the entire LAN, you can send a broadcast to your network.
Open the Command Prompt in Windows or terminal in macOS and type.
ping 192.168.0.255
My subnet is 192.168.0.0/24 (mask of 255.255.255.0), so the broadcast address is 192.168.0.255 which can be calculated or found with a “Print Route” command in Windows or a “netstat -nr” in macOS. Or can also be obtained with a subnet calculator.
For Windows:
Step 1.
- Open the CMD (Command Prompt)
- Go to the “Start” menu and select “Run” or press (Windows key + R) to open the Run application
- In the “Open” textbox type “cmd” and press “Ok”.
This will open the command-line interface in Windows.
Step 2.
- Enter the “arp” command.
- The arp command without any additional arguments will give you a list of options that you can use.
Step 3.
- Use the arp with additional arguments to find the IP within the same network segment.
- With the command “arp -a” you can see the ARP table and its entries recently populated by your computer with the broadcast ping.
Step 4.
- Reading the output.
- The information displayed in the arp-a is basically the ARP table on your computer.
- It shows a list with IP addresses, their corresponding physical address (or MAC), and the type of allocation (dynamic or static).
Let’s say you have the MAC address 60-30-d4-76-b8-c8 (which is a macOS device) and you want to know the IP.
From the results shown above, you can map the MAC address to the IP address in the same line.
The IP Address is 192.168.0.102 (which is in the same network segment) belongs to 60-30-d4-76-b8-c8.
You can forget about those 224.0.0.x and 239.0.0.x addresses, as they are multicast IPs.
For macOS:
Step 1:
- Open the Terminal App. go to Applications > Utilities > Terminal or Launchpad > Other > Terminal.
Step 2:
- Enter the “arp” command with an “-a” flag.
- Once you enter the command “arp -a” you’ll receive a list with all ARP entries to the ARP Table in your computer.
- The output will show a line with the IP address followed by the MAC address, the interface, and the allocation type (dynamic/static).
Finding IPs with the DHCP Server
The Dynamic Host Configuration Protocol (DHCP) is the network protocol used by TCP/IP to dynamically allocate IP addresses and other characteristics to devices in a network.
The DHCP works with a client/server mode.
The DHCP server is the device in charge of assigning IP addresses in a network, and the client is usually your computer.
For home networks or LANs, the DHCP Server is typically a router or gateway.
If you have access to the DHCP Server, you can view all relationships with IPs, MACs, interfaces, name of the device, and lease time in your LAN.
Step 1.
- Log into the DHCP Server. In this example, the DHCP server is the home gateway.
- If you don’t know the IP address of your DHCP Server/ Gateway, you can run an ipconfig (in Windows) or ifconfig (in macOS/Linux).
- This particular DHCP Server/Gateway has a web interface.
Step 2.
- Enter the IP address on the search bar of the web browser, and input the right credentials.
Step 3.
- Find the DHCP Clients List.
- In this TP-Link router, the DHCP Server functionality comes as an additional feature.
- Go to DHCP > DHCP Clients List. From this list, you can see the mapping between MAC addresses and their assigned IPs.
Using Sniffers
If you couldn’t find the IP in the ARP list or unfortunately don’t have access to the DHCP Server, as a last resort, you can use a sniffer.
Packet sniffers or network analyzers like Nmap (or Zenmap which is the GUI version) are designed for network security.
They can help identify attacks and vulnerabilities in the network.
With Nmap, you can actively scan your entire network and find IPs, ports, protocols, MACs, etc.
If you are trying to find the IP from a known MAC with a sniffer like Nmap, look for the MAC address within the scan results.
How to find the Device and IP with a Sniffer?
Step 1.
- Keep records of your network IP address information.
- In this case, my network IP is 192.168.0.0/24. If you don’t know it, a quick “ipconfig” in Windows cmd or an “ifconfig” in macOS or Linux terminal can show you the local IP and mask.
- If you can’t subnet, go online to a subnet calculator and find your network IP.
Step 2.
- Download and open Nmap.
- Download Nmap from this official link https://nmap.org/download.html and follow its straightforward installation process.
Step 3.
- Open Nmap (or Zenmap) and use the command “sudo nmap -sn (network IP)” to scan the entire network (without port scan).
- The command will list machines that respond to the Ping and will include their MAC address along with the vendor.
- Don’t forget the “sudo” command.
- Without it, you will not see MAC addresses.
Finding out the device vendor from a MAC address
Ok, so now you were able to find out the IP address using “arp -a” command or through the DHCP Server.
But what if you want to know more details about that particular device?
What vendor is it?
Your network segment or LAN might be full of different devices, from computers, firewalls, routers, mobiles, printers, TVs, etc.
And MAC addresses contain key information for knowing more details about each network device.
Ping For Mac Address Command
First, it is essential to understand the format of the MAC address.
Traditional MAC addresses are 48 bits represented in 12-digit hexadecimal numbers (or six octets).
The first half of the six octets represent the Organizational Unique Identifier (OUI) and the other half is the Network Interface Controller (NIC) which is unique for every device in the world.
There is not much we can do about the NIC, other than communicating with it.
But the OUI can give us useful information about the vendor if you didn’t use Nmap, which can also give you the hardware vendor.
A free online OUI lookup tool like Wireshark OUI Lookup can help you with this.
Ping Mac Address Cmd
Just enter the MAC address on the OUI search, and the tool will look at the first three octets and correlate with its manufacturing database.
Final Words
Although the RARP (the counterpart of ARP) was specifically designed to find IPs from MAC addresses, it was quickly discontinued because it had many drawbacks.
RARP was quickly replaced by DHCP and BOOTP.
But ARP is still one of the core functions of the IP layer in the TCP/IP protocol stack.
It finds MAC addresses from known IPs, which is most common in today’s communications.
ARP works under the hood to keep a frequently used list of MACs and IPs.
But you can also use it to see the current mappings with the command arp -a.
Aside from ARP, you can also use DHCP to view IP information. DHCP Servers are usually in charge of IP assignments.
If you have access to the DHCP server, go into the DHCP Client list and identify the IP with the MAC address.
Finally, you can use a network sniffer like Nmap, scan your entire network, and find IPs, and MACs.
If you only want to know the vendor, an online OUI lookup like Wireshark can help you find it quickly.