From: Nick Barnes
To: Robert Watson
cc: freebsd-net@freebsd.org
Date: Wed, 13 Aug 2003 15:28:05 +0100
Message-ID: <66708.1060784885@thrush.ravenbrook.com>
Subject: Re: Translate MAC address to IP address

At 2003-08-13 13:58:51+0000, Robert Watson writes:
>
> On Wed, 13 Aug 2003, Nick Barnes wrote:
>
> > I have written a small utility for traffic volume monitoring on an
> > Ethernet segment. It uses libpcap to capture the ethernet header of
> > every packet and counts traffic volume by source and destination MAC. A
> > bit like a lobotomized tcpdump (and indeed that is what I started with).
>
> The easiest way would actually be to expand your tool to also look at the
> IP header and track usage at the IP level in the first place.

But the IP addresses in the packets are not interesting to me. I want to track usage according to router on the local subnet, not according to IP address of the ultimate (possibly distant) sources and destinations. That's why I'm looking at the MAC addresses in the first place.

I have a routing subnet, with a bunch of gateway machines on it. For the purposes of this application, I neither know nor care about the IP addresses of the machines behind those gateways. Packets coming through will have IP addresses of those distant machines but the MAC addresses of the gateways themselves.

Other than that, the application is broadly similar to your bpfmon. Thanks for those sources.

I'm leaning towards a routine which will send a simple packet (maybe a ping) to all IP addresses on the local subnet, then wait for a short while (long enough for all the ARP exchanges), and then harvest the results from the local ARP table. This seems easy enough to create (given the sources to ping and arp, of course). It won't work for machines which are off the network when I trigger the ARP; I guess I could do it at the beginning and then do it again if I see a MAC address which I didn't harvest.

Nick B
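
An added example, not part of the original message or of any tool it mentions: the harvest-and-lookup step described above, in C, parsing `arp -an` text into a MAC-to-IP table that a capture loop can consult. The `arp -an` line layout, the sample lines and the names `arp_add_line` and `arp_lookup` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HOSTS 256
struct arp_entry { unsigned char mac[6]; char ip[16]; };
static struct arp_entry table[MAX_HOSTS];
static int n_entries;

/* Parse one `arp -an` line (assumed layout); 1 if stored, 0 if skipped. */
int arp_add_line(const char *line)
{
    unsigned int m[6];
    char ip[16];
    int i;
    if (n_entries >= MAX_HOSTS)
        return 0;
    /* %x takes "0" as well as "00", so unpadded octets parse; an
     * "(incomplete)" entry fails the hex conversion and is skipped. */
    if (sscanf(line, "%*s (%15[0-9.]) at %x:%x:%x:%x:%x:%x",
               ip, &m[0], &m[1], &m[2], &m[3], &m[4], &m[5]) != 7)
        return 0;
    for (i = 0; i < 6; i++) {
        if (m[i] > 0xff)
            return 0;
        table[n_entries].mac[i] = (unsigned char)m[i];
    }
    strcpy(table[n_entries].ip, ip);
    n_entries++;
    return 1;
}

/* IP for a MAC from a captured Ethernet header, or NULL if not harvested. */
const char *arp_lookup(const unsigned char *mac)
{
    int i;
    for (i = 0; i < n_entries; i++)
        if (memcmp(table[i].mac, mac, 6) == 0)
            return table[i].ip;
    return NULL;
}

int main(void)
{
    /* Constructed sample lines using documentation addresses. */
    const unsigned char gw[6] = { 0x00, 0xa0, 0xc9, 0x12, 0x34, 0x56 };
    const char *ip;
    arp_add_line("? (192.0.2.1) at 0:a0:c9:12:34:56 on fxp0 [ethernet]");
    arp_add_line("? (192.0.2.7) at (incomplete) on fxp0 [ethernet]");
    ip = arp_lookup(gw);
    printf("%s\n", ip ? ip : "unknown");
    return 0;
}
```

On a live system the lines would come from reading `arp -an` through `popen()` and `fgets()` after the sweep. A `NULL` from `arp_lookup` is the case the message describes as a MAC address that was not harvested, where the sweep is repeated.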