From: Nick Barnes
To: Mitch Collinsworth
cc: freebsd-net@freebsd.org
Subject: Re: Translate MAC address to IP address
Date: Wed, 13 Aug 2003 13:22:56 +0100
Message-ID: <65997.1060777376@thrush.ravenbrook.com>

At 2003-08-13 12:13:24+0000, Mitch Collinsworth writes:
>
> If you ping the broadcast addr you will (should) get a reply from
> all hosts.  This will give you a full arp table that can be
> grep'd programmatically.  The only hitch is that it's possible for
> someone to put a firewall or other custom setup on a machine to
> prevent it from replying to ping.

A good idea, except that a lot of OSes these days are configured to
ignore broadcast pings.  That includes FreeBSD, by default (although
you can change it with the net.inet.icmp.bmcastecho sysctl).  This is
because forged broadcast pings were used as DoS attack amplifiers.

The only two machines on our office subnet which respond to a
broadcast ping are a PC running Windows NT4 and an HP LaserJet
printer.  I get nothing back from machines running Windows XP, FreeBSD
4.x, and Mac OS X.

> Another way would be to decode packets to read the IP from address.
> Not sure if tcpdump has that ability or if it would take some
> coding.  I've always done it with arp myself.

I could do that, but on the subnets I'm interested in, the IP
addresses in most of the packets aren't local to the subnet (most of
the machines on it are routers of one sort or another).

Nick B
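
The "grep the arp table" step discussed above, as an added example that is not part of the original message. It assumes BSD-style `arp -an` output; the sample table and its addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of BSD-style `arp -an` output; all addresses are made up.
SAMPLE_ARP_OUTPUT = """\
? (192.0.2.1) at 0:a0:c9:1f:3:7e on fxp0 [ethernet]
? (192.0.2.17) at 00:10:5a:9c:44:02 on fxp0 [ethernet]
? (192.0.2.23) at (incomplete) on fxp0 [ethernet]
? (192.0.2.40) at 00:A0:C9:1F:03:7E on fxp0 permanent [ethernet]
? (192.0.2.255) at ff:ff:ff:ff:ff:ff on fxp0 permanent [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\)\s+at\s+(?P<mac>\S+)")
MAC_FORM = re.compile(r"[0-9a-fA-F]{1,2}(?:[:-][0-9a-fA-F]{1,2}){5}")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff (lower case, zero padded), or None if not a MAC."""
    if not MAC_FORM.fullmatch(mac.strip()):
        return None
    return ":".join(f"{int(o, 16):02x}" for o in re.split("[:-]", mac.strip()))


def parse_arp_table(text):
    """Map each normalized MAC to the numerically sorted IPs cached for it."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        mac = normalize_mac(m.group("mac")) if m else None
        if mac is None or mac == BROADCAST:
            continue  # unparsable line, "(incomplete)" entry, or broadcast
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ValueError:
            continue  # not a valid dotted quad
        table[mac].add(ip)
    return {mac: [str(ip) for ip in sorted(ips)] for mac, ips in table.items()}


def ips_for_mac(text, mac):
    """Look up one MAC (any common spelling) in arp output."""
    wanted = normalize_mac(mac)
    if wanted is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return parse_arp_table(text).get(wanted, [])


if __name__ == "__main__":
    print(ips_for_mac(SAMPLE_ARP_OUTPUT, "00-A0-C9-1F-03-7E"))
```

An empty result only means the address is not in the cache, which holds just the hosts this machine has exchanged traffic with recently.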