Date: Wed, 13 Aug 2003 15:28:05 +0100
From: Nick Barnes <Nick.Barnes@pobox.com>
To: Robert Watson <rwatson@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Translate MAC address to IP address
Message-ID: <66708.1060784885@thrush.ravenbrook.com>
In-Reply-To: Message from Robert Watson <rwatson@freebsd.org> <Pine.NEB.3.96L.1030813095530.72665B-100000@fledge.watson.org>

At 2003-08-13 13:58:51+0000, Robert Watson writes:
>
> On Wed, 13 Aug 2003, Nick Barnes wrote:
>
> > I have written a small utility for traffic volume monitoring on an
> > Ethernet segment. It uses libpcap to capture the ethernet header of
> > every packet and counts traffic volume by source and destination MAC. A
> > bit like a lobotomized tcpdump (and indeed that is what I started with).
>
> The easiest way would actually be to expand your tool to also look at the
> IP header and track usage at the IP level in the first place.

But the IP addresses in the packets are not interesting to me. I want to track usage according to router on the local subnet, not according to IP address of the ultimate (possibly distant) sources and destinations. That's why I'm looking at the MAC addresses in the first place.

I have a routing subnet, with a bunch of gateway machines on it. For the purposes of this application, I neither know nor care about the IP addresses of the machines behind those gateways. Packets coming through will have IP addresses of those distant machines but the MAC addresses of the gateways themselves.

Other than that, the application is broadly similar to your bpfmon. Thanks for those sources.

I'm leaning towards a routine which will send a simple packet (maybe a ping) to all IP addresses on the local subnet, then wait for a short while (long enough for all the ARP exchanges), and then harvest the results from the local ARP table. This seems easy enough to create (given the sources to ping and arp, of course). It won't work for machines which are off the network when I trigger the ARP; I guess I could do it at the beginning and then do it again if I see a MAC address which I didn't harvest.

Nick B
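
The harvesting step described in the message above, as an added example that is not part of the original e-mail: it parses `arp -an` output in the FreeBSD text format into a MAC-to-IP table, skips incomplete entries, and reports which captured MACs are still unresolved and would call for another sweep. The sample ARP text, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# One line of `arp -an` output, e.g.
#   ? (192.0.2.1) at 00:a0:c9:11:22:33 on fxp0 [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\)\s+at\s+(?P<mac>[0-9A-Fa-f:]+|\(incomplete\))")

# Constructed sample input (documentation address ranges, made-up MACs).
SAMPLE_ARP = """\
? (192.0.2.1) at 00:a0:c9:11:22:33 on fxp0 [ethernet]
? (192.0.2.2) at 0:d0:b7:a:b:c on fxp0 [ethernet]
? (192.0.2.9) at (incomplete) on fxp0 [ethernet]
? (198.51.100.7) at 00:02:b3:44:55:66 on fxp1 [ethernet]
"""

def normalize_mac(mac):
    """Lowercase and zero-pad each octet so 0:d0:B7:a:b:c compares equal."""
    octets = [int(o, 16) for o in mac.split(":")]
    if len(octets) != 6 or any(o > 0xFF for o in octets):
        raise ValueError("not an Ethernet address: %r" % mac)
    return ":".join("%02x" % o for o in octets)

def harvest(arp_output, subnet):
    """Return {mac: [ip, ...]} for completed ARP entries inside `subnet`."""
    net = ipaddress.ip_network(subnet)
    table = {}
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m or m.group("mac") == "(incomplete)":
            continue  # no reply yet: the host was off the network
        ip = ipaddress.ip_address(m.group("ip"))
        if ip in net:  # ignore entries learned on other interfaces
            table.setdefault(normalize_mac(m.group("mac")), []).append(str(ip))
    return table

def unmapped(seen_macs, table):
    """MACs counted by the capture that the harvest did not resolve."""
    pending = set()
    for mac in seen_macs:
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast: never has an ARP entry
        if mac not in table:
            pending.add(mac)
    return sorted(pending)

if __name__ == "__main__":
    table = harvest(SAMPLE_ARP, "192.0.2.0/24")
    print(table)
    print(unmapped(["00:02:b3:44:55:66", "ff:ff:ff:ff:ff:ff"], table))
```

A non-empty result from `unmapped` is the signal to repeat the sweep and harvest again.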