Date:      Wed, 13 Aug 2003 15:28:05 +0100
From:      Nick Barnes <Nick.Barnes@pobox.com>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Translate MAC address to IP address 
Message-ID:  <66708.1060784885@thrush.ravenbrook.com>
In-Reply-To: Message from Robert Watson <rwatson@freebsd.org>  <Pine.NEB.3.96L.1030813095530.72665B-100000@fledge.watson.org> 

At 2003-08-13 13:58:51+0000, Robert Watson writes:
> 
> On Wed, 13 Aug 2003, Nick Barnes wrote:
> 
> > I have written a small utility for traffic volume monitoring on an
> > Ethernet segment.  It uses libpcap to capture the ethernet header of
> > every packet and counts traffic volume by source and destination MAC.  A
> > bit like a lobotomized tcpdump (and indeed that is what I started with). 
> 
> The easiest way would actually be to expand your tool to also look at the
> IP header and track usage at the IP level in the first place.

But the IP addresses in the packets are not interesting to me.  I want
to track usage according to router on the local subnet, not according
to IP address of the ultimate (possibly distant) sources and
destinations.  That's why I'm looking at the MAC addresses in the
first place.

I have a routing subnet, with a bunch of gateway machines on it.  For
the purposes of this application, I neither know nor care about the IP
addresses of the machines behind those gateways.  Packets coming
through will have IP addresses of those distant machines but the MAC
addresses of the gateways themselves.  Other than that, the
application is broadly similar to your bpfmon.  Thanks for those
sources.

I'm leaning towards a routine which will send a simple packet (maybe a
ping) to all IP addresses on the local subnet, then wait for a short
while (long enough for all the ARP exchanges), and then harvest the
results from the local ARP table.  This seems easy enough to create
(given the sources to ping and arp, of course).  It won't work for
machines which are off the network when I trigger the ARP; I guess I
could do it at the beginning and then do it again if I see a MAC
address which I didn't harvest.

Nick B
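
The harvest step described in the message above, as an added example that is not part of the original e-mail: it parses ARP table text in the `arp -an` line style into a MAC-to-IP table, skips unresolved entries, and returns NULL for a MAC that was not harvested, which is the case where the message proposes sweeping again. The sample table, interface name and addresses are constructed, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
struct arp_entry { unsigned char mac[6]; char ip[16]; };

/* Constructed sample in the "arp -an" line style; not captured from a real host. */
static const char SAMPLE_ARP[] =
    "? (10.0.0.1) at 0:a0:c9:12:34:56 on fxp0 [ethernet]\n"
    "? (10.0.0.2) at 00:d0:b7:0a:0b:0c on fxp0 [ethernet]\n"
    "? (10.0.0.5) at (incomplete) on fxp0 [ethernet]\n";

/* Parse a MAC whose octets may or may not be zero padded; 1 on success. */
static int parse_mac(const char *s, unsigned char m[6]) {
    return sscanf(s, "%2hhx:%2hhx:%2hhx:%2hhx:%2hhx:%2hhx",
                  &m[0], &m[1], &m[2], &m[3], &m[4], &m[5]) == 6;
}

/* Fill tab[] from ARP table text; unresolved "(incomplete)" rows are skipped. */
int harvest_arp(const char *text, struct arp_entry *tab, int max) {
    int n = 0;
    while (*text && n < max) {
        size_t len = strcspn(text, "\n");
        char line[160], mac[18];
        if (len < sizeof line) {          /* over-long lines are ignored */
            memcpy(line, text, len);
            line[len] = '\0';
            if (sscanf(line, "%*s (%15[0-9.]) at %17s", tab[n].ip, mac) == 2 &&
                parse_mac(mac, tab[n].mac))
                n++;
        }
        text += len + (text[len] == '\n');
    }
    return n;
}

/* IP for a MAC seen on the wire, or NULL: the cue to sweep the subnet again. */
const char *lookup_ip(const struct arp_entry *tab, int n, const char *macstr) {
    unsigned char mac[6];
    if (!parse_mac(macstr, mac)) return NULL;
    for (int i = 0; i < n; i++)
        if (memcmp(tab[i].mac, mac, 6) == 0) return tab[i].ip;
    return NULL;
}

int main(void) {
    struct arp_entry tab[16];
    int n = harvest_arp(SAMPLE_ARP, tab, 16);
    const char *ip = lookup_ip(tab, n, "00:a0:c9:12:34:56");
    printf("%d entries; 00:a0:c9:12:34:56 -> %s\n", n, ip ? ip : "(not harvested)");
}
```

Comparing MACs as parsed bytes rather than as strings is what lets the zero-padded form from the capture side match the unpadded form in the table.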
