Type 'arp -a' in the command prompt. This lists a number of MAC addresses with the associated IP addresses. Since you have the MAC address, scroll down the list to find the associated IP address. The MAC address is shown in the 'Physical Address' column with the IP address in the 'Internet Address' column. An example of a table record is in Step 4. I have the IP address and I and trying to find the mac address or interface that connected to the server. Could you tell me the command or the way to find the Switch port or mac address if you only have ip address. Regards Star 0 Helpful Reply. Patrick Harrold. Beginner In response to Star. These two addresses originate from different sources. Simply stated, a computer's own hardware configuration determines its MAC address while the configuration of the network it is connected to determines its IP address. However, computers connected to the same TCP/IP local network can determine each other's MAC addresses.
As a Network Administrator/Engineer you may be asked to find MAC addresses and/or IP Addresses, hopefully this can make your job a little bit easier. These commands work on most Cisco Switches and Routers but sometimes the commands can vary from device to device.
5 Steps total
Step 1: Connect to your Cisco Devices
Connect to the Switch/Router by using a console cable or a terminal emulator like Putty or Secure CRT. If you are successful it should look something like this.
Step 2: Find The MAC Addresses
On the layer 2 device (switch) enter the username and password if needed. Next enter 'enable' mode on the switch by typing enable. Next type the command 'show mac address-table'. If successful it should look like the picture. It's worth noting that on some Cisco devices the command 'show mac-address-table' also works.
Step 3: Find the IP Address
On the layer 3 device ( L3 switch or router) in my case I am using a router, enter the username and password if needed. Next enter 'enable' mode on the router by typing enable. Next type 'show ip arp' if done correctly you should get an output similar to the picture.
Step 4: Filtering the results on a Router
In the example I have provided there were only 9 IP addresses. However in the real world there could be dozens or even hundreds of IP addresses. To help filter the results on a router type 'show ip arp ?' You will see gigabitethernet' as an option this will let you filter results by interface or sub-interfaces. In my exmaple it typed 'sho ip arp gigabitEthernet 0/0.10' and that listed all IP's on my sub-interface.
Step 5: Filtering the results on a Layer 3 Switch
As stated in Step 4, you will likely have more than 9 IP Addresses. This can be made worse in a messy closet with a 48 port switch running the closet and maybe even some layer 2 switches under that. Luckily in addition to being able to filter by interface you can also filter by VLAN. So type in 'show ip arp ?' and you will see 'vlan' as a listed filter. As you can see I typed in 'sho ip arp vlan 20' and it listed only those IP's in vlan 20. In this case it was the vlan interface and a PC.
I hope this guide was helpful for you. If you aren't sure about something or feel like I missed a step, please let me know.
9 Comments
- AnaheimGDBJNC Apr 27, 2018 at 01:15pm
Great post.
Another way to find that information is to first PING the address of the system you are looking for. Then issue:
show arp | i .This will then show you the MAC address associated with the IP address.
Then issue:
show mac address-table | iThis will give you the port that the device is currently connected.
- CayenneJim6795 Apr 27, 2018 at 01:15pm
Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.
As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp | i 0/24' will show just the MAC address(es) on that port.)
The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?
(ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)
- DatilCrimsonKidA Apr 27, 2018 at 02:04pm
Good stuff, thanks for posting this! My go-to Cisco command is: show ip interface brief (show ip int bri). Another thing I've learned that is very helpful (I'm still a noob with Cisco stuff) is tab-completion and using a '?' after the start of a command, such as 'show ?'
- CayenneEd Rubin Apr 27, 2018 at 03:09pm
Unfortunately dumping the mac table and working through it is the only way to reliably find stuff and identify its switch port. I've done a similar process with HP switches. One thing that helps a lot is an ip scanner application that does MAC vendor ID lookups for you. This can help with jim6795's problem of identifying an undocumented switch IP since you can look for the the switch maker's vendor ID and then try ssh or telnet, or http/https depending on the product.
- JalapenoTS79 Apr 27, 2018 at 06:53pm
Spiceworks has the ability to harvest this information using SNMP and will create a map showing which device is on which switchport. It must have the correct MIB installed for your switch and you must configure SNMP. The feature could use some more work but basic components are there.
- JalapenoSadTech0 Apr 27, 2018 at 08:06pm
Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.
As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp | i 0/24' will show just the MAC address(es) on that port.)
The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?
(ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)
Couldn't you just use CDP? #show cdp nei detail will show you the ip of the connected devices.
- Thai PepperTaylorC Apr 27, 2018 at 08:45pm
Hey everyone thanks for the great feed back, it's really cool having this featured. @SadTech0 if you cant to the console port and you don't know the IP Address you could use a tool like angry IP scanner and find the switch that way. CDP may or may not work depending on your network configuration and/or topology. Barring some major obstruction you should try to console in get the ip and start an inventory. Hope that helps.
- Thai PepperTodd_in_Nashville Apr 30, 2018 at 12:34pm
Keep in mind, in some security minded environments, CDP may be disable if it's not needed. It's one of those things that give out unnecessary reconnaissance info to the bad guys. If one of your edge routers gets compromised, it can be used to start footprinting your internal network.
- Thai PepperJohn3367 Apr 30, 2018 at 08:51pm
Great info..
Another helpful thing you should add!
SHOW INVENTORY ---> To show the SERIAL number of the Cisco device you are on.
**I always use those commands you show to troublshoot. They are very helpful. I usually PING an IP address. then I type a 'show arp' and get its MAC address.. then I will type 'show mac-address table' which will show me which PORT the device is connected to!
How to find an IP address when you have the MAC address of the device.
4 Steps total
Step 1: Open the command prompt
Click the Windows 'Start' button and select 'Run.' In the textbox, type 'cmd' and click the 'Ok' button. This opens a DOS prompt.
Step 2: Familiarize yourself with arp
Type 'arp' in the command prompt. This gives you a list of options to use with the arp command.
Step 3: List all MAC addresses
Type 'arp -a' in the command prompt. This lists a number of MAC addresses with the associated IP addresses. Since you have the MAC address, scroll down the list to find the associated IP address. The MAC address is shown in the 'Physical Address' column with the IP address in the 'Internet Address' column. An example of a table record is in Step 4.
Step 4: Evaluate results
The following is an example of ARP output. The first column is the IP address. The second column is the MAC address, and the third is the type of IP assigned--static or dynamic.
Internet address Physical Address Type
How To Find Mac Address For Iphone
192.168.0.1 01-a3-56-b5-ff-22 static
References
- How to Use a MAC Address to Find an IP Address
Find Mac Address For Ip Cmd
16 Comments
- DatilKrizz Jan 21, 2013 at 10:36pm
You've forgotten about one little thing: arp keeps mac<>ip association of recently contacted peers, so it's quite often not to find the mac<>ip association we're looking for, of machine that exists in the network. Prior to using arp -a it's wise to ping the host first.
- HabaneroTwon of An Jan 21, 2013 at 11:24pm
Used in conjunction with ping (thanks Krizz), this is a good basic walk through. I can't go wrong with these steps!
- CayenneSyldra Jan 22, 2013 at 03:17pm
I'm sorry but... if the thing is to find the IP address from the MAC, how will you ping the host first ?
- SerranoEnzeder Jan 22, 2013 at 04:37pm
I thought the aim of this exercise was to FIND an IP address. Doesn't using PING imply you already know the IP (or hostname) which makes ARP redundant? How do you PING a MAC?
Assuming no IP or hostname info, I have used a portscanner (like LanSpy or Zenmap) to get MAC > IP info. Currently my preferred method if the device isn't listed in Spiceworks :-)
There was a time when I was a baby admin and I didn't want to raise alarms by installing a scanner that I wrote a batch file (yes, that long ago) that PINGed every IP on a subnet, then immediately ran ARP redirecting output to a text file. But that depends on the device in question being set to respond to PING requests.
- Pimientochristian.mcghee Dec 23, 2013 at 03:47am
This does not work for any host on the other side of a router. Any hosts on the other side of the router will show the routers MAC address.
- Serrano@Greg Mar 11, 2014 at 03:11pm
I realize this is an old topic, but someone like myself may be looking for an answer. I became admin of a network with little over 200 devices, which none of the cabling was mapped. I was told I was responsible for the cabling, so I began looking for a way other than toning out all the cables. I was fortunate to have Cisco switches and Windows Server 2008. I was able to use the Cisco Network Assistant to grab MAC addresses and the port number, then in DHCP on the Server 2008 I could find the MAC and corresponding IP. Furthermore I could also get the computer name from DHCP and correlate that to which user was on the machine using PDQ inventory to see who was logged in to the machine. Most of this of course depends on the devices being in use. I've been able to create an accurate map of about 90% of my network without touching the cables.
- Pimientochristopherblouch Jun 4, 2014 at 05:08pm
I am interested in this thread, hopefully someone can help. There are 4 types of arp message: arp request, arp reply, rarp request, rarp reply. So, that being said, is it possible to manually send a rarp request? Sort of a arp based ping?There is arping, but we need rarping... if it exists. Of course, I understand that I can't arp outside my default gateway, but if there is a rarp request, how is it used inside the local network? Thanks to whatever guru can explain what we're missing.
- SerranoMaxwell Brotherwood Jul 18, 2014 at 10:07am
Great for finding an IP if you have the MAC address.
My instance where I found this useful was after updating the firmware on a switch remotely via TFTP, the IP of the switch would change (making pinging redundant, obviously). Trying a network scan over Spiceworks or rescanning the single device would not update the IP and I needed an alternate way to find it.
This method worked perfectly. Thank you. Hopefully this helps those trying to understand the purpose of this practice and how it was in-fact useful.
- Pimientorobertrobinson2 Aug 4, 2014 at 04:30pm
I understand the issues in attempting to use a MAC address to locate a device from outside of its local network.
What puzzles me is how Honeywell Total Connect does this with their WiFi connected thermostats. The hardware configuration is: a Honeywell WiFi thermostat that is WiFi connected to a Netgear N600 router which uses DHCP to assign an IP adddress. The router is connected to Comcast with a Motorola SB6120 modem. Comcast assigns a system wide (dynamic) IP. There is no static IP.
On initial setup, a WiFi connection is first established between the thermostat and the router. The thermostat's MAC and CRC and a username and password are entered into the Total Connect software setup. It is then possible to read or set thermostat values using Total Connect Web pages.
I know how to do this with a static IP or a DNS service that automatically tracks changes in dynamic IP addresses.
Does anyone understand how this works with Total Connect? - TabascoJoe979 Sep 4, 2014 at 01:05pm
This post was extremely helpful, thanks itdownsouth :) I used show interface to find MAC addresses on our switches (reason for this is poor network documentation and mis-labeled switchports and wall jacks...). I took the MAC addresses that I could not locate the hosts or ip addresses for, ran arp -a to list the address<>mac list, then one by one, nbtstat -A for each IP address I matched a MAC to from the unlabeled ports. Tedious, but found 5 or 6 now (seeing hexadecimal thoughts now though...).
- TabascoJoe979 Sep 4, 2014 at 01:12pm
By the way, the reason this is working great for me is the lack of routers -- all switches, so if you have only one subnet like we do, this will do -- otherwise, you will probably need to login to the router or switch on the other side of the router to find MAC address tables on the other networks. You may not be able to see them all on the local host, as far as arp -a on the local host, but looking up the arp or hosts tables on switches and routers could be a possible solution for those with multiple subnets.
- JalapenoJay196 Oct 21, 2014 at 03:28pm
Use SuperScan to do a bulk ping of the entire network range. SuperScan 3 (I recommend) is a free tool by McAfee.
Then use arp -a | Find '5c-d9-98' to get for example all ping nodes with a manufacturer of Asus.
- DatilWealthyEmu Mar 25, 2015 at 07:55pm
There's also this:
http://www.advanced-ip-scanner.com/
It should be able to find most devices on the network. You can specify the range to scan and scan across subnets. I won't try to share all the features because quite frankly I don't know them all.
- Pimientoamiruli Jul 4, 2015 at 10:18am
If you want you can ping the broadcast address to ping everyone on the network then do arp -a
- Pimientochrisdahlkvist Nov 23, 2015 at 09:56am
@RobertRobinson I'm the lead designer and project manager on the Honeywell systems.
I can tell you exactly how I designed it. It's actually quite simple. Nothing is sent back to the unit. The unit is allowed access to the Internet via your setup and the router. As long as the unit has permission to make an outbound connection it will work. What happens is the unit makes a report to the server. If it needs to make a request then it gives the server a unique key. The server puts any needed data in an xml (readable) and the thermostat (or quite a few other devices) hits that URL a few seconds later (the device told the server where it would pick up that info).
All your device needs is a simple read-only connection to the outside world. No need to download anything.
It's a VERY simple process that I developed back in 1992 when the Interwebs were still pretty new to most people. There were many processes built off of this simple idea (it was pretty cutting edge when I first designed it). Store and forward, offline browsing, push technology, etc. all are based on this simple technology.Am I rich? Not even close. I was working on my PhD at the time and was hired by Honeywell to implement my design. I literally gave it away to the general public as is right.
I hope that clears it up for you. If not, feel free to contact me for more information.
Chris Dahlkvist
chris@usarf.org
Find Mac Address For Ip
- 1
- 2