| Author |
Message |
SnaZZZ
Guest
|
 Posted:
Fri Dec 17, 2004 11:07 am Post subject:
Mac address recovery |
|
|
Guys I hope someone can help with this Query.
I have a need to interrogate 24,000 networked devices in an organisation.
The only piece of info I require from the device is its Mac address.
Now I know a Fluke Device which is rather expensive is able to do this, but
I would like to know if there is any other way.
1. Not all devices have an IP address they are on DHCP, so a ping command
will not work. Once cable is removed no IP is assigned thus no Mac address.
2. Its needs to be an inexpensive way to get the Mac address either using a
laptop with crossover or a PDA type device with the right adaptor
3.The recovery of the Mac address will be done by semi-skilled staff (uni
students with little or no technical skill), so it needs to be easy
Can anyone suggest a device or solution.
Thanks in advance
SnaZZZ |
|
| Back to top |
|
 |
Guest
|
| Posted:
Fri Dec 17, 2004 11:07 am Post subject:
Re: Mac address recovery |
|
|
SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
| Quote: | Guys I hope someone can help with this Query.
I have a need to interrogate 24,000 networked devices in an organisation.
The only piece of info I require from the device is its Mac address.
Now I know a Fluke Device which is rather expensive is able to do this, but
I would like to know if there is any other way.
1. Not all devices have an IP address they are on DHCP, so a ping command
will not work. Once cable is removed no IP is assigned thus no Mac address.
2. Its needs to be an inexpensive way to get the Mac address either using a
laptop with crossover or a PDA type device with the right adaptor
3.The recovery of the Mac address will be done by semi-skilled staff (uni
students with little or no technical skill), so it needs to be easy
Can anyone suggest a device or solution.
Thanks in advance
SnaZZZ
|
snmp to your networking grear, ask for the mac-addr-table, correlate
with port used.
Why on earth do you need mac-address table for ? It won't be stable
for many minutes ...
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx. |
|
| Back to top |
|
|
Walter Roberson
Guest
|
| Posted:
Fri Dec 17, 2004 1:08 pm Post subject:
Re: Mac address recovery |
|
|
In article <LIuwd.75773$K7.41679@news-server.bigpond.net.au>,
SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
:I have a need to interrogate 24,000 networked devices in an organisation.
:The only piece of info I require from the device is its Mac address.
:Now I know a Fluke Device which is rather expensive is able to do this, but
:I would like to know if there is any other way.
It's pretty much impossible to do reliably.
:1. Not all devices have an IP address they are on DHCP, so a ping command
:will not work. Once cable is removed no IP is assigned thus no Mac address.
ARP tables time out after 3 minutes usually, so missing device
while it is talking is a very real possibility if you try to
proceed by way of SNMP probes of the routers and switches.
:2. Its needs to be an inexpensive way to get the Mac address either using a
:laptop with crossover or a PDA type device with the right adaptor
:3.The recovery of the Mac address will be done by semi-skilled staff (uni
:students with little or no technical skill), so it needs to be easy
Ummm, I just realized that your wording leaves open the possibility
that you are planning to have staff go around to each of the
devices and use the gizmo to probe the MAC address. Is that
correct? Or are you trying to do this in an automated way from
a management program?
If the idea is to go around to each device, then you have to be
aware that there is no way to provoke a device that is certain
to make it respond. Devices can do whatever they want when
they receive packets, including ignoring the packets.
The Fluke LanMeter and later decendants do not reliably discover
MAC addresses: they more or less just wait for the host to say
something.
Any given PC or Unix machine might be firewalled to not respond
to probes. Some systems will, though, ARP for their own IP
address as they come up (or as the interface is brought up),
so as to detect whether another machine is already using
that IP address. You can thus usually get a machine to say
-something- by rebooting it.
--
Inevitably, someone will flame me about this .signature. |
|
| Back to top |
|
|
SnaZZZ
Guest
|
| Posted:
Fri Dec 17, 2004 1:47 pm Post subject:
Re: Mac address recovery |
|
|
That is correct I will be getting people to walk the floors and visit the
device individually.
Most of the devices in question are Multifunction devices , ie photocopier
that is a fax and printer as well
Need a Mac address so that a third party billing audit application database
can be populated.
Snmp will them be used once the connection has been made. Bi-directional
information things like meter readings and consumable status etc.
SnaZZZ
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cpu45a$855$1@canopus.cc.umanitoba.ca...
| Quote: | In article <LIuwd.75773$K7.41679@news-server.bigpond.net.au>,
SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
:I have a need to interrogate 24,000 networked devices in an organisation.
:The only piece of info I require from the device is its Mac address.
:Now I know a Fluke Device which is rather expensive is able to do this,
but
:I would like to know if there is any other way.
It's pretty much impossible to do reliably.
:1. Not all devices have an IP address they are on DHCP, so a ping command
:will not work. Once cable is removed no IP is assigned thus no Mac
address.
ARP tables time out after 3 minutes usually, so missing device
while it is talking is a very real possibility if you try to
proceed by way of SNMP probes of the routers and switches.
:2. Its needs to be an inexpensive way to get the Mac address either using
a
:laptop with crossover or a PDA type device with the right adaptor
:3.The recovery of the Mac address will be done by semi-skilled staff (uni
:students with little or no technical skill), so it needs to be easy
Ummm, I just realized that your wording leaves open the possibility
that you are planning to have staff go around to each of the
devices and use the gizmo to probe the MAC address. Is that
correct? Or are you trying to do this in an automated way from
a management program?
If the idea is to go around to each device, then you have to be
aware that there is no way to provoke a device that is certain
to make it respond. Devices can do whatever they want when
they receive packets, including ignoring the packets.
The Fluke LanMeter and later decendants do not reliably discover
MAC addresses: they more or less just wait for the host to say
something.
Any given PC or Unix machine might be firewalled to not respond
to probes. Some systems will, though, ARP for their own IP
address as they come up (or as the interface is brought up),
so as to detect whether another machine is already using
that IP address. You can thus usually get a machine to say
-something- by rebooting it.
--
Inevitably, someone will flame me about this .signature. |
|
|
| Back to top |
|
|
Guest
|
| Posted:
Fri Dec 17, 2004 7:22 pm Post subject:
Re: Mac address recovery |
|
|
"SnaZZZ" <snazytecSPAMTRAP@hotmail.com> wrote:
| Quote: | That is correct I will be getting people to walk the floors and visit the
device individually.
Most of the devices in question are Multifunction devices , ie photocopier
that is a fax and printer as well
Need a Mac address so that a third party billing audit application database
can be populated.
Snmp will them be used once the connection has been made. Bi-directional
information things like meter readings and consumable status etc.
|
I'm not sure that's going to work like you think, but most MF devices
will give you their MAC address on their test page printout.
If the "third party billing audit application database" knows about
MAC addresses, why can't it be the one to find them? |
|
| Back to top |
|
|
Guest
|
| Posted:
Fri Dec 17, 2004 8:57 pm Post subject:
Re: Mac address recovery |
|
|
SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
| Quote: | That is correct I will be getting people to walk the floors and visit the
device individually.
Most of the devices in question are Multifunction devices , ie photocopier
that is a fax and printer as well
Need a Mac address so that a third party billing audit application database
can be populated.
Snmp will them be used once the connection has been made. Bi-directional
information things like meter readings and consumable status etc.
|
Seems like a very expensive way of billing ( and easy to cirumvent too)
I guess it's "managements descition" ??
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx. |
|
| Back to top |
|
|
Erik Freitag
Guest
|
| Posted:
Fri Dec 17, 2004 9:54 pm Post subject:
Re: Mac address recovery |
|
|
On Fri, 17 Dec 2004 08:47:35 +0000, SnaZZZ wrote:
| Quote: | That is correct I will be getting people to walk the floors and visit the
device individually.
Most of the devices in question are Multifunction devices , ie photocopier
that is a fax and printer as well
Need a Mac address so that a third party billing audit application database
can be populated.
|
If your audit database uses MAC addresses, does your billing application
also use them? I assume so, since it sounds like you are using MAC
addresses to correlate the billing and the billing audit. That doesn't
sound like a good idea, since MAC addresses can be changed so easily.
| Quote: | Snmp will them be used once the connection has been made. Bi-directional
information things like meter readings and consumable status etc.
|
This is confusing, because SNMP doesn't need to know anything about MAC
addresses to collect data. You do need to make sure everything has an IP
address. |
|
| Back to top |
|
|
Walter Roberson
Guest
|
| Posted:
Fri Dec 17, 2004 10:33 pm Post subject:
Re: Mac address recovery |
|
|
In article <pan.2004.12.17.16.54.44.229409@pobox.com>,
Erik Freitag <erik.freitag@pobox.com> wrote:
:This is confusing, because SNMP doesn't need to know anything about MAC
:addresses to collect data. You do need to make sure everything has an IP
:address.
I think what he was trying to say was that when the people who go
around to all the devices unplug the network cable and plug it
into their gizmo, that any DHCP assigned address will vanish,
so one cannot count on being able to ping the device.
It seems to me that this logic is a little bit circumspect.
If the device continues to hold on to the DCHP assigned address
until the end of its lease even when it detects a link transition,
then it has an IP address to ping, and an ICMP Echo packet
directed to 255.255.255.255 should return something provided that
the device responds to pings.
If the device instead notices the link transition and takes that as a
signal to disable the DHCP assigned address, then conversely when
the device notices the link coming back up again, the device would
DHCP asking for its new address, thus sending unsolicited packets
outward on the net; those DHCP packets will contain the MAC address
and that's all that is needed.
This suggests that a simple stategy:
Have the probe operator connect the network cable of the
target device to the probe, and have the operator tell the
probe to start. The probe would then take the NIC down
and bring it back up and wait a short time. If a packet
(any packet!) arrives within that short time, then the source
MAC address is the one you need, so display it and you are done.
If no packet arrives, then send an icmp echo to 255.255.255.255
and look for a return packet, pull it's MAC and be done.
This could probably be simplified further to have the
probe -always- send the icmp immediately after taking the NIC
back up: if the device sent out a DHCP or bootp or whatever
in response to the transition or just because it had traffic
waiting to send, then that packet will be buffered by the
probe receiver and the packet can be examined for its MAC.
If the device did not send anything upon noticing the
link coming back up, then the ping will trigger it to send
something and one can read that packet's headers. Thus one
doesn't need to wait first: one can just go ahead and ping
and then read the buffers for the first packet available.
--
Aleph sub {Aleph sub null} little, Aleph sub {Aleph sub one} little,
Aleph sub {Aleph sub two} little infinities... |
|
| Back to top |
|
|
Erik Freitag
Guest
|
| Posted:
Fri Dec 17, 2004 10:58 pm Post subject:
Re: Mac address recovery |
|
|
On Fri, 17 Dec 2004 17:33:32 +0000, Walter Roberson wrote:
| Quote: | In article <pan.2004.12.17.16.54.44.229409@pobox.com>,
Erik Freitag <erik.freitag@pobox.com> wrote:
:This is confusing, because SNMP doesn't need to know anything about MAC
:addresses to collect data. You do need to make sure everything has an IP
:address.
I think what he was trying to say was that when the people who go
around to all the devices unplug the network cable and plug it
into their gizmo, that any DHCP assigned address will vanish,
so one cannot count on being able to ping the device.
|
So why unplug it? It already has an address, ping it and look at the ARP
table, or pull the right SNMP MIB.
> [... some clever way to get the MAC address ...] |
|
| Back to top |
|
|
Walter Roberson
Guest
|
| Posted:
Fri Dec 17, 2004 11:20 pm Post subject:
Re: Mac address recovery |
|
|
In article <pan.2004.12.17.17.58.30.136642@pobox.com>,
Erik Freitag <erik.freitag@pobox.com> wrote:
|On Fri, 17 Dec 2004 17:33:32 +0000, Walter Roberson wrote:
|> I think what he was trying to say was that when the people who go
|> around to all the devices unplug the network cable and plug it
|> into their gizmo, that any DHCP assigned address will vanish,
|> so one cannot count on being able to ping the device.
|So why unplug it? It already has an address, ping it and look at the ARP
|table, or pull the right SNMP MIB.
The assumption is that it has a DHCP address. The person on the floor
isn't going to know what the current IP is. I would presume that
the person on the floor also doesn't have good tools for knowing
which datajack leads to which switchport.
I figure that the reason to run this all by having people wander around
probing, instead of centrally, is that there is a need to correlate
MACs with either physical locations or with asset numbers that are on
the devices, and that the location to closet/unit/port tables do not
exist or are out of date.
I've tried the central management route for a fraction of the number
of devices that the OP is looking at, and it isn't at all reliable.
I have a script that pings all my known subnet broadcast addresses
and then crawls the SNMP tables on all my known switches and
routers looking through the ip-to-media tables and the switch tables
to locate particular MAC addresses. More often than not it doesn't
find what I'm looking for: the 3 minute ARP timeout is a kicker.
What I should probably do is SPAN (mirror) the traffic through to
central monitoring stations. Unfortunately on at least some
switches or routers, when you SPAN traffic, the source MAC address
gets replaced by the MAC of the port being used to pass on
the SPAN'd traffic. And of course SPAN'ing isn't the best of
things if you have busy links.
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive] |
|
| Back to top |
|
|
stephen
Guest
|
| Posted:
Sat Dec 18, 2004 12:50 am Post subject:
Re: Mac address recovery |
|
|
"SnaZZZ" <snazytecSPAMTRAP@hotmail.com> wrote in message
news:H2xwd.75940$K7.14681@news-server.bigpond.net.au...
| Quote: | That is correct I will be getting people to walk the floors and visit the
device individually.
Most of the devices in question are Multifunction devices , ie photocopier
that is a fax and printer as well
Need a Mac address so that a third party billing audit application
database
can be populated.
Snmp will them be used once the connection has been made. Bi-directional
information things like meter readings and consumable status etc.
SnaZZZ
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cpu45a$855$1@canopus.cc.umanitoba.ca...
In article <LIuwd.75773$K7.41679@news-server.bigpond.net.au>,
SnaZZZ <snazytecSPAMTRAP@hotmail.com> wrote:
:I have a need to interrogate 24,000 networked devices in an
organisation.
:The only piece of info I require from the device is its Mac address.
|
You are making a big assumption if you think a device will only have 1 MAC.
for an extreme case, a big Cisco switch or router may be allocated 1024 -
and although they may correlate to the port you may get different answers if
you ask in different ways.
In general, anything with more than 1 ethernet port may have more than 1
"native" mac address.
more seriously, MAC address get mutated in some circumstances - a cisco
router using VRRP or HSRP to give a resilient default gateway has a native
MAC and 1 or more assigned MACs. Last time i checked the hardware ran out of
table space at 16 or 256 MACs on an individual port......
Running DECnet or OSI on a device will make it change its operational MAC
address to suit the protocol.
even a printer with say an appletalk or wireless lan and ethernet ports may
have 2 mac addresses
| Quote: | :Now I know a Fluke Device which is rather expensive is able to do this,
but
:I would like to know if there is any other way.
It's pretty much impossible to do reliably.
:1. Not all devices have an IP address they are on DHCP, so a ping
command
:will not work. Once cable is removed no IP is assigned thus no Mac
address.
|
ping will still work even if you have a fixed IP on the device.
But - if you ping across a device across something like a firewall or a
router running proxy ARP, then the intervening device will answer with its
own MAC address
| Quote: |
ARP tables time out after 3 minutes usually, so missing device
while it is talking is a very real possibility if you try to
proceed by way of SNMP probes of the routers and switches.
:2. Its needs to be an inexpensive way to get the Mac address either
using
a
:laptop with crossover or a PDA type device with the right adaptor
:3.The recovery of the Mac address will be done by semi-skilled staff
(uni
:students with little or no technical skill), so it needs to be easy
|
So - what do you use the database for once you have it - are you going to
repeat the scan periodically?
After all, if you dont verify, some clever student with a random number
generator and a bit of programming is going to save himeself a lot of
effort....
And what happens when you upgrade a server from 10/100 to 1000, or the LAN
card fails and gets swapped out?
| Quote: |
Ummm, I just realized that your wording leaves open the possibility
that you are planning to have staff go around to each of the
devices and use the gizmo to probe the MAC address. Is that
correct? Or are you trying to do this in an automated way from
a management program?
If the idea is to go around to each device, then you have to be
aware that there is no way to provoke a device that is certain
to make it respond. Devices can do whatever they want when
they receive packets, including ignoring the packets.
The Fluke LanMeter and later decendants do not reliably discover
MAC addresses: they more or less just wait for the host to say
something.
Any given PC or Unix machine might be firewalled to not respond
to probes. Some systems will, though, ARP for their own IP
address as they come up (or as the interface is brought up),
so as to detect whether another machine is already using
that IP address. You can thus usually get a machine to say
-something- by rebooting it.
|
Some devices never generate a response to ARP (or any other packet)- a
sniffer or IDS probe springs to mind. But, since the standard says they must
have a MAC, it is there, it just wont tell you what it is.
| Quote: | --
Inevitably, someone will flame me about this .signature.
-- |
Regards
Stephen Hope - return address needs fewer xxs |
|
| Back to top |
|
|
Erik Freitag
Guest
|
| Posted:
Sat Dec 18, 2004 2:30 am Post subject:
Re: Mac address recovery |
|
|
On Fri, 17 Dec 2004 18:20:17 +0000, Walter Roberson wrote:
| Quote: | I figure that the reason to run this all by having people wander around
probing, instead of centrally, is that there is a need to correlate
MACs with either physical locations or with asset numbers that are on
the devices, and that the location to closet/unit/port tables do not
exist or are out of date.
|
Wow. With 24000 devices, even if it only takes a minute to visit and check
each one we're looking at 50 person days of effort, assuming an 8 hour
workday. The real time is probably closer to 10 minutes, unless all the
printers are very close together. I hope they'll be able to take the
opportunity to slap on an asset tag check and correct the inventory
records and labelling while they're there. Just the thought of having a
crew of "semi-skilled" people walking around a network this size and
unplugging cables gives me the willies - I wonder if they'll forget to
plug it back in, or plug it back into the wrong VLAN, or mung the cable.
| Quote: | I've tried the central management route for a fraction of the number of
devices that the OP is looking at, and it isn't at all reliable. I have
a script that pings all my known subnet broadcast addresses and then
crawls the SNMP tables on all my known switches and routers looking
through the ip-to-media tables and the switch tables to locate
particular MAC addresses. More often than not it doesn't find what I'm
looking for: the 3 minute ARP timeout is a kicker.
|
When you get into the 10s of thousands, I don't think there is a 100%
reliable way - by the time you're finished, the network and the inventory
have changed in non-trivial ways. Some other tools to consider would be
the DHCP database (which could be pattern-matched for printer-like NICs)
and maybe running arpwatch so disappearing arp tables aren't such a big
deal. I don't think this is a 1-solution problem. There are probably areas
where you could identify systems pretty reliably via IP and their DNS
entries, and some where you cannot.
| Quote: | What I should probably do is SPAN (mirror) the traffic through to
central monitoring stations. Unfortunately on at least some switches or
routers, when you SPAN traffic, the source MAC address gets replaced by
the MAC of the port being used to pass on the SPAN'd traffic. And of
course SPAN'ing isn't the best of things if you have busy links.
|
If you're just trying to collect MAC addresses and don't care so much
about which cubicle or office they are in, arpwatch might help. |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in