[GLLUG] Scanning MAC address for IP

N N Ashok nalkunda@cse.msu.edu
Wed, 26 Feb 2003 13:07:03 -0500


On Wednesday 26 February 2003 08:51, Melson, Paul wrote:
> A cheesy way to do this is to run `nmap -sP [network]/[mask]` and then
> run `arp -a | grep -i [MAC address]` to see if you hit on anything.
> Perhaps a better, but slower, way is to use tcpdump or snoop and filter
> captured packets for the MAC address you're curious about.  Keep in mind
> that if you're connected to a routed network, the MAC address you are
> seeing may be that of a router interface connected to your LAN, so the
> MAC address may not be the best way to track traffic back to a host.
>
> PaulM
>
> -----Original Message-----
> From: Mike Szumlinski [mailto:szumlins@mac.com]
> Sent: Monday, February 24, 2003 6:47 PM
> To: linux-user@egr.msu.edu
> Subject: [GLLUG] Scanning MAC address for IP
>
>
> Does anyone know how to scan a known MAC address to see what IP it has?
>   Is there a nifty *nix tool that does this and I don't know how to?
>
> -Mike
>

Instead of running ping or nmap or other tools to send out traffic, using 
arpwatch could be an idea. It will record the arp packets being sent out on 
the network and log them in /var/log/messages as well as mail them to root.
Here is an example from my messages file:
Feb 26 12:42:17 elans-pc arpwatch: new station 192.168.1.1 0:60:97:d8:ab:c8
Feb 26 12:42:17 elans-pc arpwatch: new station 192.168.1.98 0:1:3:2e:2e:ee

So grepping the /var/log/messages for the ethernet address should give you the 
results. Hope that helps.

Ashok
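
Added example, not part of the original message: arpwatch writes each octet without leading zeros (0:60:97:d8:ab:c8), so a plain grep for a MAC copied from elsewhere as 00:60:97:D8:AB:C8 finds nothing. This Python sketch normalizes both sides before comparing; the function names and the sample log are constructed for illustration, following the line format quoted above.

```python
import re

# Constructed sample in the syslog format shown in the message above.
SAMPLE_LOG = """\
Feb 26 12:42:17 elans-pc arpwatch: new station 192.168.1.1 0:60:97:d8:ab:c8
Feb 26 12:42:17 elans-pc arpwatch: new station 192.168.1.98 0:1:3:2e:2e:ee
Feb 26 12:50:03 elans-pc sshd[412]: Accepted password for ashok from 192.168.1.98
Feb 26 13:01:44 elans-pc arpwatch: new station 192.168.1.77 0:60:97:d8:ab:c8
"""

# timestamp, host, "arpwatch:", event text, IPv4 address, first MAC on the line
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sarpwatch(?:\[\d+\])?:\s"
    r"(?P<event>.+?)\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b"
)


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    s = mac.strip().lower()
    # Colon or dash separated, octets possibly unpadded (arpwatch style).
    if re.fullmatch(r"[0-9a-f]{1,2}([:-][0-9a-f]{1,2}){5}", s):
        return "".join(part.zfill(2) for part in re.split(r"[:-]", s))
    # Dotted (0060.97d8.abc8) or bare 12-digit forms.
    digits = re.sub(r"[.:-]", "", s)
    if re.fullmatch(r"[0-9a-f]{12}", digits):
        return digits
    raise ValueError("not a MAC address: %r" % mac)


def find_ips(log_text, wanted_mac):
    """Return [(timestamp, event, ip)] for arpwatch lines naming wanted_mac."""
    target = normalize_mac(wanted_mac)
    hits = []
    for line in log_text.splitlines():
        m = ARPWATCH_RE.match(line)
        if m and normalize_mac(m.group("mac")) == target:
            hits.append((m.group("ts"), m.group("event"), m.group("ip")))
    return hits


if __name__ == "__main__":
    for ts, event, ip in find_ips(SAMPLE_LOG, "00:60:97:D8:AB:C8"):
        print(ts, event, ip)
```

More than one hit for the same MAC means the station has been seen with several IP addresses; the last entry is the most recent sighting.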