Sign-in / Sign-up
Your question

Mac address recovery

Tags:
  • Mac Address
  • Devices
  • Networking
Last response: in Networking
Anonymous
December 17, 2004 9:07:39 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

Guys I hope someone can help with this Query.

I have a need to interrogate 24,000 networked devices in an organisation.
The only piece of info I require from the device is its Mac address.
Now I know a Fluke Device which is rather expensive is able to do this, but
I would like to know if there is any other way.

1. Not all devices have an IP address they are on DHCP, so a ping command
will not work. Once cable is removed no IP is assigned thus no Mac address.
2. Its needs to be an inexpensive way to get the Mac address either using a
laptop with crossover or a PDA type device with the right adaptor
3.The recovery of the Mac address will be done by semi-skilled staff (uni
students with little or no technical skill), so it needs to be easy

Can anyone suggest a device or solution.
Thanks in advance

SnaZZZ

More about : mac address recovery

Anonymous
December 17, 2004 10:27:18 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
> Guys I hope someone can help with this Query.

> I have a need to interrogate 24,000 networked devices in an organisation.
> The only piece of info I require from the device is its Mac address.
> Now I know a Fluke Device which is rather expensive is able to do this, but
> I would like to know if there is any other way.

> 1. Not all devices have an IP address they are on DHCP, so a ping command
> will not work. Once cable is removed no IP is assigned thus no Mac address.
> 2. Its needs to be an inexpensive way to get the Mac address either using a
> laptop with crossover or a PDA type device with the right adaptor
> 3.The recovery of the Mac address will be done by semi-skilled staff (uni
> students with little or no technical skill), so it needs to be easy

> Can anyone suggest a device or solution.
> Thanks in advance

> SnaZZZ

snmp to your networking grear, ask for the mac-addr-table, correlate
with port used.

Why on earth do you need mac-address table for ? It won't be stable
for many minutes ...



--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Anonymous
December 17, 2004 11:08:10 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <LIuwd.75773$K7.41679@news-server.bigpond.net.au>,
SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
:I have a need to interrogate 24,000 networked devices in an organisation.
:The only piece of info I require from the device is its Mac address.
:Now I know a Fluke Device which is rather expensive is able to do this, but
:I would like to know if there is any other way.

It's pretty much impossible to do reliably.


:1. Not all devices have an IP address they are on DHCP, so a ping command
:will not work. Once cable is removed no IP is assigned thus no Mac address.

ARP tables time out after 3 minutes usually, so missing device
while it is talking is a very real possibility if you try to
proceed by way of SNMP probes of the routers and switches.

:2. Its needs to be an inexpensive way to get the Mac address either using a
:laptop with crossover or a PDA type device with the right adaptor
:3.The recovery of the Mac address will be done by semi-skilled staff (uni
:students with little or no technical skill), so it needs to be easy

Ummm, I just realized that your wording leaves open the possibility
that you are planning to have staff go around to each of the
devices and use the gizmo to probe the MAC address. Is that
correct? Or are you trying to do this in an automated way from
a management program?

If the idea is to go around to each device, then you have to be
aware that there is no way to provoke a device that is certain
to make it respond. Devices can do whatever they want when
they receive packets, including ignoring the packets.

The Fluke LanMeter and later decendants do not reliably discover
MAC addresses: they more or less just wait for the host to say
something.

Any given PC or Unix machine might be firewalled to not respond
to probes. Some systems will, though, ARP for their own IP
address as they come up (or as the interface is brought up),
so as to detect whether another machine is already using
that IP address. You can thus usually get a machine to say
-something- by rebooting it.
--
Inevitably, someone will flame me about this .signature.
Related resources
Anonymous
December 17, 2004 11:47:35 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

That is correct I will be getting people to walk the floors and visit the
device individually.
Most of the devices in question are Multifunction devices , ie photocopier
that is a fax and printer as well
Need a Mac address so that a third party billing audit application database
can be populated.
Snmp will them be used once the connection has been made. Bi-directional
information things like meter readings and consumable status etc.

SnaZZZ

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cpu45a$855$1@canopus.cc.umanitoba.ca...
> In article <LIuwd.75773$K7.41679@news-server.bigpond.net.au>,
> SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
> :I have a need to interrogate 24,000 networked devices in an organisation.
> :The only piece of info I require from the device is its Mac address.
> :Now I know a Fluke Device which is rather expensive is able to do this,
but
> :I would like to know if there is any other way.
>
> It's pretty much impossible to do reliably.
>
>
> :1. Not all devices have an IP address they are on DHCP, so a ping command
> :will not work. Once cable is removed no IP is assigned thus no Mac
address.
>
> ARP tables time out after 3 minutes usually, so missing device
> while it is talking is a very real possibility if you try to
> proceed by way of SNMP probes of the routers and switches.
>
> :2. Its needs to be an inexpensive way to get the Mac address either using
a
> :laptop with crossover or a PDA type device with the right adaptor
> :3.The recovery of the Mac address will be done by semi-skilled staff (uni
> :students with little or no technical skill), so it needs to be easy
>
> Ummm, I just realized that your wording leaves open the possibility
> that you are planning to have staff go around to each of the
> devices and use the gizmo to probe the MAC address. Is that
> correct? Or are you trying to do this in an automated way from
> a management program?
>
> If the idea is to go around to each device, then you have to be
> aware that there is no way to provoke a device that is certain
> to make it respond. Devices can do whatever they want when
> they receive packets, including ignoring the packets.
>
> The Fluke LanMeter and later decendants do not reliably discover
> MAC addresses: they more or less just wait for the host to say
> something.
>
> Any given PC or Unix machine might be firewalled to not respond
> to probes. Some systems will, though, ARP for their own IP
> address as they come up (or as the interface is brought up),
> so as to detect whether another machine is already using
> that IP address. You can thus usually get a machine to say
> -something- by rebooting it.
> --
> Inevitably, someone will flame me about this .signature.
Anonymous
December 17, 2004 11:54:45 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

On Fri, 17 Dec 2004 08:47:35 +0000, SnaZZZ wrote:

> That is correct I will be getting people to walk the floors and visit the
> device individually.
> Most of the devices in question are Multifunction devices , ie photocopier
> that is a fax and printer as well
> Need a Mac address so that a third party billing audit application database
> can be populated.

If your audit database uses MAC addresses, does your billing application
also use them? I assume so, since it sounds like you are using MAC
addresses to correlate the billing and the billing audit. That doesn't
sound like a good idea, since MAC addresses can be changed so easily.

> Snmp will them be used once the connection has been made. Bi-directional
> information things like meter readings and consumable status etc.

This is confusing, because SNMP doesn't need to know anything about MAC
addresses to collect data. You do need to make sure everything has an IP
address.
Anonymous
December 17, 2004 12:22:58 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

"SnaZZZ" <snazytecSPAMTRAP@hotmail.com> wrote:
>That is correct I will be getting people to walk the floors and visit the
>device individually.
>Most of the devices in question are Multifunction devices , ie photocopier
>that is a fax and printer as well
>Need a Mac address so that a third party billing audit application database
>can be populated.
>Snmp will them be used once the connection has been made. Bi-directional
>information things like meter readings and consumable status etc.

I'm not sure that's going to work like you think, but most MF devices
will give you their MAC address on their test page printout.

If the "third party billing audit application database" knows about
MAC addresses, why can't it be the one to find them?
Anonymous
December 17, 2004 12:58:30 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

On Fri, 17 Dec 2004 17:33:32 +0000, Walter Roberson wrote:

> In article <pan.2004.12.17.16.54.44.229409@pobox.com>,
> Erik Freitag <erik.freitag@pobox.com> wrote:
> :This is confusing, because SNMP doesn't need to know anything about MAC
> :addresses to collect data. You do need to make sure everything has an IP
> :address.
>
> I think what he was trying to say was that when the people who go
> around to all the devices unplug the network cable and plug it
> into their gizmo, that any DHCP assigned address will vanish,
> so one cannot count on being able to ping the device.

So why unplug it? It already has an address, ping it and look at the ARP
table, or pull the right SNMP MIB.

> [... some clever way to get the MAC address ...]
Anonymous
December 17, 2004 9:20:17 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <pan.2004.12.17.17.58.30.136642@pobox.com>,
Erik Freitag <erik.freitag@pobox.com> wrote:
|On Fri, 17 Dec 2004 17:33:32 +0000, Walter Roberson wrote:

|> I think what he was trying to say was that when the people who go
|> around to all the devices unplug the network cable and plug it
|> into their gizmo, that any DHCP assigned address will vanish,
|> so one cannot count on being able to ping the device.

|So why unplug it? It already has an address, ping it and look at the ARP
|table, or pull the right SNMP MIB.

The assumption is that it has a DHCP address. The person on the floor
isn't going to know what the current IP is. I would presume that
the person on the floor also doesn't have good tools for knowing
which datajack leads to which switchport.

I figure that the reason to run this all by having people wander around
probing, instead of centrally, is that there is a need to correlate
MACs with either physical locations or with asset numbers that are on
the devices, and that the location to closet/unit/port tables do not
exist or are out of date.


I've tried the central management route for a fraction of the number
of devices that the OP is looking at, and it isn't at all reliable.
I have a script that pings all my known subnet broadcast addresses
and then crawls the SNMP tables on all my known switches and
routers looking through the ip-to-media tables and the switch tables
to locate particular MAC addresses. More often than not it doesn't
find what I'm looking for: the 3 minute ARP timeout is a kicker.

What I should probably do is SPAN (mirror) the traffic through to
central monitoring stations. Unfortunately on at least some
switches or routers, when you SPAN traffic, the source MAC address
gets replaced by the MAC of the port being used to pass on
the SPAN'd traffic. And of course SPAN'ing isn't the best of
things if you have busy links.
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive]
Anonymous
December 17, 2004 9:20:18 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

On Fri, 17 Dec 2004 18:20:17 +0000, Walter Roberson wrote:

> I figure that the reason to run this all by having people wander around
> probing, instead of centrally, is that there is a need to correlate
> MACs with either physical locations or with asset numbers that are on
> the devices, and that the location to closet/unit/port tables do not
> exist or are out of date.

Wow. With 24000 devices, even if it only takes a minute to visit and check
each one we're looking at 50 person days of effort, assuming an 8 hour
workday. The real time is probably closer to 10 minutes, unless all the
printers are very close together. I hope they'll be able to take the
opportunity to slap on an asset tag check and correct the inventory
records and labelling while they're there. Just the thought of having a
crew of "semi-skilled" people walking around a network this size and
unplugging cables gives me the willies - I wonder if they'll forget to
plug it back in, or plug it back into the wrong VLAN, or mung the cable.

> I've tried the central management route for a fraction of the number of
> devices that the OP is looking at, and it isn't at all reliable. I have
> a script that pings all my known subnet broadcast addresses and then
> crawls the SNMP tables on all my known switches and routers looking
> through the ip-to-media tables and the switch tables to locate
> particular MAC addresses. More often than not it doesn't find what I'm
> looking for: the 3 minute ARP timeout is a kicker.

When you get into the 10s of thousands, I don't think there is a 100%
reliable way - by the time you're finished, the network and the inventory
have changed in non-trivial ways. Some other tools to consider would be
the DHCP database (which could be pattern-matched for printer-like NICs)
and maybe running arpwatch so disappearing arp tables aren't such a big
deal. I don't think this is a 1-solution problem. There are probably areas
where you could identify systems pretty reliably via IP and their DNS
entries, and some where you cannot.

> What I should probably do is SPAN (mirror) the traffic through to
> central monitoring stations. Unfortunately on at least some switches or
> routers, when you SPAN traffic, the source MAC address gets replaced by
> the MAC of the port being used to pass on the SPAN'd traffic. And of
> course SPAN'ing isn't the best of things if you have busy links.

If you're just trying to collect MAC addresses and don't care so much
about which cubicle or office they are in, arpwatch might help.
December 17, 2004 10:50:41 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

"SnaZZZ" <snazytecSPAMTRAP@hotmail.com> wrote in message
news:H2xwd.75940$K7.14681@news-server.bigpond.net.au...
> That is correct I will be getting people to walk the floors and visit the
> device individually.
> Most of the devices in question are Multifunction devices , ie photocopier
> that is a fax and printer as well
> Need a Mac address so that a third party billing audit application
database
> can be populated.
> Snmp will them be used once the connection has been made. Bi-directional
> information things like meter readings and consumable status etc.
>
> SnaZZZ
>
> "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
> news:cpu45a$855$1@canopus.cc.umanitoba.ca...
> > In article <LIuwd.75773$K7.41679@news-server.bigpond.net.au>,
> > SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
> > :I have a need to interrogate 24,000 networked devices in an
organisation.
> > :The only piece of info I require from the device is its Mac address.

You are making a big assumption if you think a device will only have 1 MAC.

for an extreme case, a big Cisco switch or router may be allocated 1024 -
and although they may correlate to the port you may get different answers if
you ask in different ways.

In general, anything with more than 1 ethernet port may have more than 1
"native" mac address.

more seriously, MAC address get mutated in some circumstances - a cisco
router using VRRP or HSRP to give a resilient default gateway has a native
MAC and 1 or more assigned MACs. Last time i checked the hardware ran out of
table space at 16 or 256 MACs on an individual port......

Running DECnet or OSI on a device will make it change its operational MAC
address to suit the protocol.

even a printer with say an appletalk or wireless lan and ethernet ports may
have 2 mac addresses

> > :Now I know a Fluke Device which is rather expensive is able to do this,
> but
> > :I would like to know if there is any other way.
> >
> > It's pretty much impossible to do reliably.
> >
> >
> > :1. Not all devices have an IP address they are on DHCP, so a ping
command
> > :will not work. Once cable is removed no IP is assigned thus no Mac
> address.

ping will still work even if you have a fixed IP on the device.

But - if you ping across a device across something like a firewall or a
router running proxy ARP, then the intervening device will answer with its
own MAC address
> >
> > ARP tables time out after 3 minutes usually, so missing device
> > while it is talking is a very real possibility if you try to
> > proceed by way of SNMP probes of the routers and switches.
> >
> > :2. Its needs to be an inexpensive way to get the Mac address either
using
> a
> > :laptop with crossover or a PDA type device with the right adaptor
> > :3.The recovery of the Mac address will be done by semi-skilled staff
(uni
> > :students with little or no technical skill), so it needs to be easy

So - what do you use the database for once you have it - are you going to
repeat the scan periodically?

After all, if you dont verify, some clever student with a random number
generator and a bit of programming is going to save himeself a lot of
effort....

And what happens when you upgrade a server from 10/100 to 1000, or the LAN
card fails and gets swapped out?
> >
> > Ummm, I just realized that your wording leaves open the possibility
> > that you are planning to have staff go around to each of the
> > devices and use the gizmo to probe the MAC address. Is that
> > correct? Or are you trying to do this in an automated way from
> > a management program?
> >
> > If the idea is to go around to each device, then you have to be
> > aware that there is no way to provoke a device that is certain
> > to make it respond. Devices can do whatever they want when
> > they receive packets, including ignoring the packets.
> >
> > The Fluke LanMeter and later decendants do not reliably discover
> > MAC addresses: they more or less just wait for the host to say
> > something.
> >
> > Any given PC or Unix machine might be firewalled to not respond
> > to probes. Some systems will, though, ARP for their own IP
> > address as they come up (or as the interface is brought up),
> > so as to detect whether another machine is already using
> > that IP address. You can thus usually get a machine to say
> > -something- by rebooting it.

Some devices never generate a response to ARP (or any other packet)- a
sniffer or IDS probe springs to mind. But, since the standard says they must
have a MAC, it is there, it just wont tell you what it is.
> > --
> > Inevitably, someone will flame me about this .signature.
--
Regards

Stephen Hope - return address needs fewer xxs
Anonymous
December 17, 2004 11:57:11 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
> That is correct I will be getting people to walk the floors and visit the
> device individually.
> Most of the devices in question are Multifunction devices , ie photocopier
> that is a fax and printer as well
> Need a Mac address so that a third party billing audit application database
> can be populated.
> Snmp will them be used once the connection has been made. Bi-directional
> information things like meter readings and consumable status etc.


Seems like a very expensive way of billing ( and easy to cirumvent too)
I guess it's "managements descition" ??


--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.