ARP command

Fred Claus

I was looking for something to do tonight and I started researching PowerShell and command line. Just learned about the arp command, and that got me thinking. arp -a will give you a list of all the devices on your network, and it will show the IP address, MAC address and status. Is there a way to get it to also show you the device name or manufacturer? I'd like to know that 192.168.1.32 is my Linux laptop, and 192.168.1.6 is my son's Xbox. Trouble is I don't know how to read that from a MAC address.
 
Correction, arp -a will give you all the devices listed in the arp cache on the machine in question. That's not all devices on the network, it's just the list of IP and MAC address pairs that specific unit has communicated with recently.

If you do this on the border gateway, you'll get a fairly solid list of MAC addresses. MAC addresses are 48 bits long; the first half, 24 bits, is the vendor ID. You'd need to take that portion and feed it to a website, or an API of some sort, to get it to resolve to the manufacturer. These addresses can be spoofed, so they aren't perfect. Also, this data is the manufacturer of the NIC, not the machine the NIC lives in. You'd know you're using a Realtek interface in the Linux box, not that it runs Linux. The Xbox I think comes back as Microsoft, but it could just as easily come back with whoever made the NIC chipset.

Identifying the OS, make, and model from the network requires other means.
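
The vendor-ID lookup described above, as an added example that is not part of the original thread: it parses `arp -a` output, resolves the first 24 bits against an OUI table, and checks the two flag bits in the first octet that mark multicast and locally administered (randomized or manually set) addresses. The sample output is constructed and the three-entry OUI table is a small illustrative excerpt; a real lookup would load the full IEEE registry.

```python
import re

# Constructed sample of Windows `arp -a` output (not from a real network).
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           00-17-c5-aa-bb-01     dynamic
  192.168.1.6           7c-ed-8d-12-34-56     dynamic
  192.168.1.32          00-e0-4c-68-00-9a     dynamic
  192.168.1.40          3a-5f-10-9c-de-f0     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Tiny hand-picked excerpt of the public IEEE OUI registry, for illustration.
# Real use: load the full registry file and refresh it periodically.
OUI_EXCERPT = {
    "00:17:c5": "SonicWall",
    "7c:ed:8d": "Microsoft",
    "00:e0:4c": "Realtek",
}

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M,
)

def parse_arp(text):
    """Return (ip, mac, type) tuples; MAC normalised to aa:bb:cc:dd:ee:ff."""
    return [(ip, mac.lower().replace("-", ":"), kind.lower())
            for ip, mac, kind in ROW.findall(text)]

def classify(mac):
    """Name the NIC vendor, or say why no vendor can be derived."""
    first_octet = int(mac[:2], 16)
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if first_octet & 0x01:          # I/G bit set: group address, not a device
        return "multicast"
    if first_octet & 0x02:          # U/L bit set: not assigned by a vendor
        return "locally administered (randomized or manually set)"
    return OUI_EXCERPT.get(mac[:8], "unknown vendor")

def report(text):
    return {ip: classify(mac) for ip, mac, _ in parse_arp(text)}

if __name__ == "__main__":
    for ip, label in report(SAMPLE_ARP).items():
        print(f"{ip:<15} {label}")
```

A vendor name here only describes the NIC a MAC claims to come from; a spoofed address produces a clean vendor match, so treat the result as a hint rather than an identity.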
 
We use it as a discovery/detective tool mostly. As @Sky-Knight said, once you have the MAC address, you can find the vendor, which is sometimes helpful answering a "what is this thing" question (e.g. "Oh, Hikvision, that's a security camera DVR"). MACVendors.com is one place we've used for those lookups. We're a SonicWall shop, and since they use the MAC address as the serial number, arp is a quick way to retrieve that information without logging into the device. SWs (and I expect other firewall/gateway devices) have more than one MAC, too, which is confusing the first time you bump into it.
 
These addresses can be spoofed, so they aren't perfect.
And are for legit reasons. Got a customer who puts coupon machines in grocery stores with an Internet connection. Because everything is so tight, and to save time, the same MACs get used over and over again. Back when they didn't do this, like 15 years ago, I could easily fritter away 2-3 hours waiting on India, Pakistan or wherever the HD was.
 
Well, that's just not going to work. I thought I could get away with using arp on my home network to monitor who was accessing my network. I was hoping to use it eventually in my security stack, but arp just doesn't seem like it will do that. My ADHD gets crazy when I learn a new command. I start thinking about all the different ways I could use it.
 
ARP is a critical protocol to understand how Ethernet functions. But as a layer 2 protocol, it dies at the first router.

Malware can often steal valuable IP addresses to redirect traffic on layer 2 as well, which is always fun. Most of the time, all I use arp -a for is getting the MAC address of a server or near side firewall / router interface to make sure the IP address I'm pinging is actually impacting on the correct device. Again due to the above, it's not something you do every day but when you need it, you need it now.
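
The "is this IP actually on the correct device" check from the post above, as an added example that is not part of the original thread: it compares dynamic `arp -a` entries against known-good IP-to-MAC pairs and flags any MAC answering for more than one IP. The cache text, the pinned values and the `audit` function are all constructed for illustration.

```python
import re
from collections import defaultdict

# Only dynamic rows are matched, so broadcast/multicast static rows are skipped.
ROW = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+dynamic", re.I
)

# Constructed cache: .1 is the gateway, .50 is a file server.
CACHE = """\
Interface: 192.168.1.10 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           00-e0-4c-11-22-33     dynamic
  192.168.1.50          00-17-c5-aa-bb-50     dynamic
  192.168.1.77          00-e0-4c-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Known-good pairs recorded while the network was in a trusted state
# (constructed values).
PINNED = {
    "192.168.1.1": "00-17-c5-aa-bb-01",
    "192.168.1.50": "00-17-c5-aa-bb-50",
}

def audit(arp_text, pinned):
    """Return findings: pinned IPs with an unexpected MAC, and shared MACs."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in ROW.findall(arp_text):
        mac = mac.lower()
        ips_by_mac[mac].append(ip)
        expected = pinned.get(ip)
        if expected is not None and expected.lower() != mac:
            findings.append(("pin-mismatch", ip, mac))
    for mac, ips in ips_by_mac.items():
        # One MAC behind several IPs can be legitimate (multi-homed host,
        # proxy ARP), so this is a lead to investigate, not a verdict.
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in audit(CACHE, PINNED):
        print(finding)
```

The result only reflects the cache of the machine it runs on, so it covers hosts that machine has talked to recently on its own layer 2 segment.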
 
On my Mac laptop I use a tool called iNet Network Scanner that gathers much of this automagically for me


I'm sure there are similar programs for Windows but I'm not up to date on what they are.
 
ARP has been around for ages. It's like so many other unused/deprecated commands; it was brought in to help provide MS OSes tools similar to what existed in Unix, VMS, etc, etc.

To me it's just a discovery tool that's perfectly suited to small LANs. There's gobs of tools out there that will do what you want. But most require some $. On my Mac mini I use LanScan Pro.
 
Angry IP Scanner, Nmap... there are more.

@Markverhyden ARP isn't a command, it's a protocol and a standard component of the TCP/IP stack. We all use it every single day, it's not deprecated, and it's not unused.

The arp command is relatively rarely used, but again, every one of us in this thread used the protocol 30 times without knowing it to post here.
 
The arp command is relatively rarely used

Yes, which is pretty much what Mark said. The discussion has been focused upon the arp command, from the first post, not the homonymously named component of the TCP/IP stack that the command relates to, directly. That actually matters.
 
I was looking for something to do tonight and I started researching PowerShell and command line. Just learned about the arp command, and that got me thinking. arp -a will give you a list of all the devices on your network, and it will show the IP address, MAC address and status. Is there a way to get it to also show you the device name or manufacturer? I'd like to know that 192.168.1.32 is my Linux laptop, and 192.168.1.6 is my son's Xbox. Trouble is I don't know how to read that from a MAC address.
Nslookup works well for DNS…. I doubt you are running a DNS server but you probably can on your home router.
 
Plenty of freebie network discovery tools around to do what the OP wants.

....I remember way back in the early days of broadband, when both cable and gen1 DSL shipped out plain "modems"...and most houses had just 1 computer...plugged directly in, pulling a public IP address. I was (still am)...a moderator at Speedguide.Net...which was a very popular broadband tweaking website and had very active forums way back then. As a mod I could see members' IP addresses. There was one thread where a member was asking something about protection, firewall (probably a thread about ZoneAlarm or one of those software firewalls that were popular back then). I saw this IP and fired off ARP and got his computer's host name and posted it in the thread...he was all sorts of "Holy cow, wtf, how did...what?" LOL.
 