Finding MAC and IP addresses--tools?


pubtech
02-08-2002, 12:19 PM
I'm looking for a way to ping a range of IP addresses and get a list of active IPs and their ethernet card (MAC) addresses. The point would be to be able to cross-reference machines (Macs, PCs, and printers on TCP/IP) with other databases we have from NetOctopus. NetOctopus will show the ethernet card address of machines already running the NetO client, but I'd like to be able to see all the IP devices in a range and be able to remotely determine if a printer is up and, more importantly, if someone is stealing someone else's IP.

Most of our machines are on static IP, but the occasional obnoxious DHCP machine (be they Macs, printers, or PCs) takes someone's IP when they're shut down, and the error message one gets when someone has stolen your IP only shows the "physical address" (ethernet address) of the other machine.

Any ideas? I have a feeling there's a way to do this in terminal, but I have no sense what to do.

thanks

stetner
02-08-2002, 05:39 PM
You could use 'arp -a'

stetner % arp -a
router (192.168.0.1) at 0:30:ab:7:13:53
? (192.168.0.255) at ff:ff:ff:ff:ff:ff permanent
stetner % ping -c 1 192.168.0.12
PING 192.168.0.12 (192.168.0.12): 56 data bytes
64 bytes from 192.168.0.12: icmp_seq=0 ttl=128 time=1.299 ms

--- 192.168.0.12 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.299/1.299/1.299 ms
stetner % ping -c 1 192.168.0.122
PING 192.168.0.122 (192.168.0.122): 56 data bytes

--- 192.168.0.122 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
stetner % arp -a
router (192.168.0.1) at 0:30:ab:7:13:53
? (192.168.0.12) at 0:4:e2:d:fb:d5
? (192.168.0.122) at (incomplete)
? (192.168.0.255) at ff:ff:ff:ff:ff:ff permanent

Now arp will eventually drop stuff from its cache (time based I think) so you might have to play with small ranges of IPs. Anyway, you can see that the MAC address for nonexistent stuff is 'incomplete' and for stuff that exists, the MAC address of the device to send the packet to is there. Remember, the MAC address may be a router if the IP is off of your subnet. The ? in the first column is there if it cannot determine the hostname (router is the only known hostname above...)

Doug

tncook
02-08-2002, 05:50 PM
Originally posted by pubtech

Most of our machines are on static IP, but the occasional obnoxious DHCP machine (be they Macs, printers, or PCs) takes someone's IP when they're shut down, and the error message one gets when someone has stolen your IP only shows the "physical address" (ethernet address) of the other machine.


This sounds like a problem with your DHCP server. The static addresses should not be given out by the DHCP server. There should be a DHCP range that is given out by the server, and it should not include IP's that are set aside for statics.

pubtech
02-11-2002, 12:33 PM
Thanks for your help so far. Yes, the DHCP server _shouldn't_ give out static IPs, but it does here (Mac support and Network support are two different depts here, and there is faint support for Mac network problems). Some of the IP grabbing seems to be done by printers, some by Windows machines.

Tried the arp -p technique, but all I get is our router. Can't hit other machines at static addresses I know. Is there a way to ping a range and get type of machine and MAC address using arp? I'm a real command-line newbie, so be specific and talk slow.

Thanks again for your help, stetner & tncook.

swessels
02-12-2002, 10:21 PM
What about your router?

The LinkSys router I'm using on our LAN has the ability to produce several interesting reports about the devices it has connected. Just look up the IP address of the router and use a web browser to see what it may provide.

For example, my LinkSys provides a table that looks like this on-line:

http://w3.one.net/~swessels/images/screens/router.gif

stetner
02-13-2002, 04:34 AM
Originally posted by pubtech

Tried the arp -p technique, but all I get is our router. Can't hit other machines at static addresses I know. Is there a way to ping a range and get type of machine and MAC address using arp? I'm a real command-line newbie, so be specific and talk slow.


OK, one possibility is that your machine is getting set up to forward all packets to the router which then forwards them to the other hosts. This would explain the router only being in the arp cache.

Could you do:

ifconfig en0

and a

netstat -r

That will show us how your machine is set up.

You can ping a 'network'. If you ping the network address (i.e. if you are 192.168.1.1 with a netmask of 255.255.255.0) you should be able to ping 192.168.1.0 and get replies from all nodes on that network. The problem is that I just tried it on my Mac on my little home network and it did not work (scratches head, Hmmm, OpenBSD or a switch/router thing...)

Anyway, pop that info in here and it might help...

Cheers
Doug

pubtech
02-13-2002, 09:33 AM
OK the ifconfig en0 returns:
en0: flags=8863<UP,BROADCAST,b6,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 167.173.16.119 netmask Oxfffffc0 broadcast 167.173.16.127
(followed by my MAC and a list of different ethernet connection speeds supported)

netstat -r gives me Routing Tables:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            167.173.16.65      UGSc        1        0  en0
localhost          localhost          UH          7      332  lo0
167.173.16.64/26   link#2             UC          0        0  en0
167.173.16.65      0:05:54:43:70:40   UHLW        2        0  en    1193
167.173.16.119     localhost          UHS         0        0  lo0

119 is my machine, 16.65 is the router. I don't know what 64/26 is. Tried accessing the router with a browser, but no go.

mksmith
02-22-2002, 01:12 AM
Originally posted by pubtech
I'm looking for a way to ping a range of IP addresses and get a list of active IPs and their ethernet card (MAC) addresses. The point would be to be able to cross-reference machines (Macs, PCs, and printers on TCP/IP) with other databases we have from NetOctopus. NetOctopus will show the ethernet card address of machines already running the NetO client, but I'd like to be able to see all the IP devices in a range and be able to remotely determine if a printer is up and, more importantly, if someone is stealing someone else's IP.
thanks

Hello:

You do an ifconfig -a and that will show you the broadcast address for your network. If you ping that address you should get a response from every device on the network. However, most routers will block a "directed-broadcast" to the network and broadcast address, so that may not work for you.

From your later message:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            167.173.16.65      UGSc        1        0  en0
localhost          localhost          UH          7      332  lo0
167.173.16.64/26   link#2             UC          0        0  en0
167.173.16.65      0:05:54:43:70:40   UHLW        2        0  en    1193
167.173.16.119     localhost          UHS         0        0  lo0

119 is my machine, 16.65 is the router. I don't know what 64/26 is. Tried accessing the router with a browser, but no go.

This means you have a subnet of 167.173.16.64/26, which means 255.255.255.192. So, 64 is the network address and 127 is the broadcast address.

If directed-broadcast is disabled you could manually ping all of the addresses in that range, or use NMAP to do it for you.

Mike
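
Added example (not code from any poster in this thread): the subnet arithmetic and the ping-then-`arp -a` approach from the replies above, as POSIX shell functions, plus a check for one IP answered by two different MACs. Function names are made up for illustration; `sweep` assumes the stock `ping` and `arp` commands, and only hosts on your own subnet will show a MAC.

```shell
#!/bin/sh
# Added example. Functions only; nothing touches the network unless you call sweep.

# Dotted quad -> integer, and back.
ip_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_bounds IP PREFIX -> prints "network broadcast"
subnet_bounds() (
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    net=$(( $(ip_to_int "$1") & mask ))
    echo "$(int_to_ip "$net") $(int_to_ip $(( net | (mask ^ 0xFFFFFFFF) )))"
)

# Read `arp -a` text on stdin, print "ip mac" for resolved hosts only.
# BSD arp drops leading zeros (0:4:e2:d:fb:d5), so pad each octet to two
# digits to make the MAC comparable with an inventory export.
arp_pairs() {
    awk '$3 == "at" && $4 != "(incomplete)" && $4 != "ff:ff:ff:ff:ff:ff" {
        gsub(/[()]/, "", $2)
        n = split(tolower($4), o, ":"); mac = ""
        for (i = 1; i <= n; i++)
            mac = mac (i > 1 ? ":" : "") (length(o[i]) < 2 ? "0" : "") o[i]
        print $2, mac
    }'
}

# Read "ip mac" lines collected from several snapshots; print every IP that
# was answered by more than one MAC (the address-conflict case).
ip_conflicts() {
    awk '!seen[$1 " " $2]++ { macs[$1] = macs[$1] " " $2; cnt[$1]++ }
         END { for (ip in cnt) if (cnt[ip] > 1) print ip macs[ip] }'
}

# sweep IP PREFIX: one ping per host address, then dump the ARP cache.
sweep() (
    set -- $(subnet_bounds "$1" "$2")
    i=$(( $(ip_to_int "$1") + 1 )); last=$(ip_to_int "$2")
    while [ "$i" -lt "$last" ]; do
        ping -c 1 "$(int_to_ip "$i")" >/dev/null 2>&1 &
        i=$(( i + 1 ))
    done
    wait
    arp -a | arp_pairs
)
```

Calling `sweep 167.173.16.119 26` walks .65 through .126; appending each run's output to a file and piping that file through `ip_conflicts` flags addresses that changed hands.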

slylabs13
01-07-2011, 01:43 PM
You could use 'arp -a'

stetner % arp -a
router (192.168.0.1) at 0:30:ab:7:13:53
? (192.168.0.255) at ff:ff:ff:ff:ff:ff permanent
<snip>

Doug

This will only work for addresses your computer has recently communicated with. Here is what is needed: A utility that will ping a range of IP addresses (NOT THE ENTIRE CLASS B SUBNET OF 16,000+ ADDRESSES MIND YOU) in a continual ping, like the old MacPing utility used to do.

Why you ask? Consider needing to map a network infrastructure with nothing but non-managed switches. How do you find who is connected to which ports? If you had a utility pinging the entire range, you could go to the ethernet switches and start pulling wires temporarily and seeing which IP stopped responding.

So the question I would like to pose is, does anyone know of such a utility??

tlarkin
01-07-2011, 02:42 PM
Old thread resurrected, but don't modern switches log this stuff? IP, MAC, and Port? Layer 3 switches do all that I believe.

SirDice
01-10-2011, 01:59 AM
Old thread resurrected, but don't modern switches log this stuff? IP, MAC, and Port? Layer 3 switches do all that I believe.

Only managed switches. It doesn't matter if they're layer 2 or 3. But most, if not all, layer 3 switches are managed.

warragul
01-13-2011, 07:44 PM
In the Old Days I used MacPing to see what was where but that's Classic only.
Nowadays I use IP Scanner. http://10base-t.com/macintosh-software/ip-scanner
It scans only the private address ranges. The free version will return up to 5 devices - usually enough for a home network.