Convert Ip Address To Mac Address Software

  1. Convert A Mac Address To Ip
Learning has never been so easy!

Convert A Mac Address To Ip

As a Network Administrator/Engineer you may be asked to find MAC addresses and/or IP Addresses, hopefully this can make your job a little bit easier. These commands work on most Cisco Switches and Routers but sometimes the commands can vary from device to device.

5 Steps total

Step 1: Connect to your Cisco Devices

IP to mac mappings are stored in each device's ARP table (the phone book in your analogy). To simplify: In most cases, to resolve the MAC address associated with an IP address, you send a broadcast ARP packet (to all devices in the network), asking who has that IP address. The device with that IP address replies to the ARP (with its MAC address). I am looking for an easy way to convert a MAC address to the corresponding IP address in a local network. In my case, there are only two devices: a very normal PC (192.168.0.1) and a scientific instrument which has an arbitrary IP address (192.168.0.xxx) hard coded in its ROM.

Connect to the Switch/Router by using a console cable or a terminal emulator like Putty or Secure CRT. If you are successful it should look something like this.

Step 2: Find The MAC Addresses

On the layer 2 device (switch) enter the username and password if needed. Next enter 'enable' mode on the switch by typing enable. Next type the command 'show mac address-table'. If successful it should look like the picture. It's worth noting that on some Cisco devices the command 'show mac-address-table' also works.

Step 3: Find the IP Address

On the layer 3 device ( L3 switch or router) in my case I am using a router, enter the username and password if needed. Next enter 'enable' mode on the router by typing enable. Next type 'show ip arp' if done correctly you should get an output similar to the picture.

Step 4: Filtering the results on a Router

In the example I have provided there were only 9 IP addresses. However in the real world there could be dozens or even hundreds of IP addresses. To help filter the results on a router type 'show ip arp ?' You will see gigabitethernet' as an option this will let you filter results by interface or sub-interfaces. In my exmaple it typed 'sho ip arp gigabitEthernet 0/0.10' and that listed all IP's on my sub-interface.

Step 5: Filtering the results on a Layer 3 Switch

As stated in Step 4, you will likely have more than 9 IP Addresses. This can be made worse in a messy closet with a 48 port switch running the closet and maybe even some layer 2 switches under that. Luckily in addition to being able to filter by interface you can also filter by VLAN. So type in 'show ip arp ?' and you will see 'vlan' as a listed filter. As you can see I typed in 'sho ip arp vlan 20' and it listed only those IP's in vlan 20. In this case it was the vlan interface and a PC.

I hope this guide was helpful for you. If you aren't sure about something or feel like I missed a step, please let me know.

9 Comments

  • Anaheim
    GDBJNC Apr 27, 2018 at 01:15pm

    Great post.

    Another way to find that information is to first PING the address of the system you are looking for. Then issue:
    show arp i .

    This will then show you the MAC address associated with the IP address.

    Then issue:
    show mac address-table i

    This will give you the port that the device is currently connected.

  • Cayenne
    Jim6795 Apr 27, 2018 at 01:15pm

    Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.

    As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp i 0/24' will show just the MAC address(es) on that port.)

    The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?

    (ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)

  • Datil
    CrimsonKidA Apr 27, 2018 at 02:04pm

    Good stuff, thanks for posting this! My go-to Cisco command is: show ip interface brief (show ip int bri). Another thing I've learned that is very helpful (I'm still a noob with Cisco stuff) is tab-completion and using a '?' after the start of a command, such as 'show ?'

  • Cayenne
    Ed Rubin Apr 27, 2018 at 03:09pm

    Unfortunately dumping the mac table and working through it is the only way to reliably find stuff and identify its switch port. I've done a similar process with HP switches. One thing that helps a lot is an ip scanner application that does MAC vendor ID lookups for you. This can help with jim6795's problem of identifying an undocumented switch IP since you can look for the the switch maker's vendor ID and then try ssh or telnet, or http/https depending on the product.

  • Jalapeno
    TS79 Apr 27, 2018 at 06:53pm

    Spiceworks has the ability to harvest this information using SNMP and will create a map showing which device is on which switchport. It must have the correct MIB installed for your switch and you must configure SNMP. The feature could use some more work but basic components are there.

  • Jalapeno
    SadTech0 Apr 27, 2018 at 08:06pm

    Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.

    As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp i 0/24' will show just the MAC address(es) on that port.)

    The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?

    (ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)

    Couldn't you just use CDP? #show cdp nei detail will show you the ip of the connected devices.

  • Thai Pepper
    TaylorC Apr 27, 2018 at 08:45pm

    Hey everyone thanks for the great feed back, it's really cool having this featured. @SadTech0 if you cant to the console port and you don't know the IP Address you could use a tool like angry IP scanner and find the switch that way. CDP may or may not work depending on your network configuration and/or topology. Barring some major obstruction you should try to console in get the ip and start an inventory. Hope that helps.

  • Thai Pepper
    Todd_in_Nashville Apr 30, 2018 at 12:34pm

    Keep in mind, in some security minded environments, CDP may be disable if it's not needed. It's one of those things that give out unnecessary reconnaissance info to the bad guys. If one of your edge routers gets compromised, it can be used to start footprinting your internal network.

  • Thai Pepper
    John3367 Apr 30, 2018 at 08:51pm

    Great info..

    Another helpful thing you should add!

    SHOW INVENTORY ---> To show the SERIAL number of the Cisco device you are on.

    **I always use those commands you show to troublshoot. They are very helpful. I usually PING an IP address. then I type a 'show arp' and get its MAC address.. then I will type 'show mac-address table' which will show me which PORT the device is connected to!

Learning has never been so easy!

How to find an IP address when you have the MAC address of the device.

4 Steps total

Step 1: Open the command prompt

Click the Windows 'Start' button and select 'Run.' In the textbox, type 'cmd' and click the 'Ok' button. This opens a DOS prompt.

Step 2: Familiarize yourself with arp

Type 'arp' in the command prompt. This gives you a list of options to use with the arp command.

Step 3: List all MAC addresses

Type 'arp -a' in the command prompt. This lists a number of MAC addresses with the associated IP addresses. Since you have the MAC address, scroll down the list to find the associated IP address. The MAC address is shown in the 'Physical Address' column with the IP address in the 'Internet Address' column. An example of a table record is in Step 4.

Step 4: Evaluate results

The following is an example of ARP output. The first column is the IP address. The second column is the MAC address, and the third is the type of IP assigned--static or dynamic.

Mac

Internet address Physical Address Type

192.168.0.1 01-a3-56-b5-ff-22 static

Published: Jan 21, 2013 ยท Last Updated: Aug 03, 2017

References

  • How to Use a MAC Address to Find an IP Address

16 Comments

  • Datil
    Krizz Jan 21, 2013 at 10:36pm

    You've forgotten about one little thing: arp keeps mac<>ip association of recently contacted peers, so it's quite often not to find the mac<>ip association we're looking for, of machine that exists in the network. Prior to using arp -a it's wise to ping the host first.

  • Habanero
    Twon of An Jan 21, 2013 at 11:24pm

    Used in conjunction with ping (thanks Krizz), this is a good basic walk through. I can't go wrong with these steps!

  • Cayenne
    Syldra Jan 22, 2013 at 03:17pm

    I'm sorry but... if the thing is to find the IP address from the MAC, how will you ping the host first ?

  • Serrano
    Enzeder Jan 22, 2013 at 04:37pm

    I thought the aim of this exercise was to FIND an IP address. Doesn't using PING imply you already know the IP (or hostname) which makes ARP redundant? How do you PING a MAC?

    Assuming no IP or hostname info, I have used a portscanner (like LanSpy or Zenmap) to get MAC > IP info. Currently my preferred method if the device isn't listed in Spiceworks :-)

    There was a time when I was a baby admin and I didn't want to raise alarms by installing a scanner that I wrote a batch file (yes, that long ago) that PINGed every IP on a subnet, then immediately ran ARP redirecting output to a text file. But that depends on the device in question being set to respond to PING requests.

  • Pimiento
    christian.mcghee Dec 23, 2013 at 03:47am

    This does not work for any host on the other side of a router. Any hosts on the other side of the router will show the routers MAC address.

  • Serrano
    @Greg Mar 11, 2014 at 03:11pm

    I realize this is an old topic, but someone like myself may be looking for an answer. I became admin of a network with little over 200 devices, which none of the cabling was mapped. I was told I was responsible for the cabling, so I began looking for a way other than toning out all the cables. I was fortunate to have Cisco switches and Windows Server 2008. I was able to use the Cisco Network Assistant to grab MAC addresses and the port number, then in DHCP on the Server 2008 I could find the MAC and corresponding IP. Furthermore I could also get the computer name from DHCP and correlate that to which user was on the machine using PDQ inventory to see who was logged in to the machine. Most of this of course depends on the devices being in use. I've been able to create an accurate map of about 90% of my network without touching the cables.

  • Pimiento
    christopherblouch Jun 4, 2014 at 05:08pm

    I am interested in this thread, hopefully someone can help. There are 4 types of arp message: arp request, arp reply, rarp request, rarp reply. So, that being said, is it possible to manually send a rarp request? Sort of a arp based ping?There is arping, but we need rarping... if it exists. Of course, I understand that I can't arp outside my default gateway, but if there is a rarp request, how is it used inside the local network? Thanks to whatever guru can explain what we're missing.

  • Serrano
    Maxwell Brotherwood Jul 18, 2014 at 10:07am

    Great for finding an IP if you have the MAC address.

    My instance where I found this useful was after updating the firmware on a switch remotely via TFTP, the IP of the switch would change (making pinging redundant, obviously). Trying a network scan over Spiceworks or rescanning the single device would not update the IP and I needed an alternate way to find it.

    This method worked perfectly. Thank you. Hopefully this helps those trying to understand the purpose of this practice and how it was in-fact useful.

  • Pimiento
    robertrobinson2 Aug 4, 2014 at 04:30pm

    I understand the issues in attempting to use a MAC address to locate a device from outside of its local network.
    What puzzles me is how Honeywell Total Connect does this with their WiFi connected thermostats. The hardware configuration is: a Honeywell WiFi thermostat that is WiFi connected to a Netgear N600 router which uses DHCP to assign an IP adddress. The router is connected to Comcast with a Motorola SB6120 modem. Comcast assigns a system wide (dynamic) IP. There is no static IP.
    On initial setup, a WiFi connection is first established between the thermostat and the router. The thermostat's MAC and CRC and a username and password are entered into the Total Connect software setup. It is then possible to read or set thermostat values using Total Connect Web pages.
    I know how to do this with a static IP or a DNS service that automatically tracks changes in dynamic IP addresses.
    Does anyone understand how this works with Total Connect?

  • Tabasco
    Joe979 Sep 4, 2014 at 01:05pm

    This post was extremely helpful, thanks itdownsouth :) I used show interface to find MAC addresses on our switches (reason for this is poor network documentation and mis-labeled switchports and wall jacks...). I took the MAC addresses that I could not locate the hosts or ip addresses for, ran arp -a to list the address<>mac list, then one by one, nbtstat -A for each IP address I matched a MAC to from the unlabeled ports. Tedious, but found 5 or 6 now (seeing hexadecimal thoughts now though...).

  • Tabasco
    Joe979 Sep 4, 2014 at 01:12pm

    By the way, the reason this is working great for me is the lack of routers -- all switches, so if you have only one subnet like we do, this will do -- otherwise, you will probably need to login to the router or switch on the other side of the router to find MAC address tables on the other networks. You may not be able to see them all on the local host, as far as arp -a on the local host, but looking up the arp or hosts tables on switches and routers could be a possible solution for those with multiple subnets.

  • Jalapeno
    Jay196 Oct 21, 2014 at 03:28pm

    Use SuperScan to do a bulk ping of the entire network range. SuperScan 3 (I recommend) is a free tool by McAfee.

    Then use arp -a Find '5c-d9-98' to get for example all ping nodes with a manufacturer of Asus.

  • Datil
    WealthyEmu Mar 25, 2015 at 07:55pm

    There's also this:

    http://www.advanced-ip-scanner.com/

    It should be able to find most devices on the network. You can specify the range to scan and scan across subnets. I won't try to share all the features because quite frankly I don't know them all.

  • Pimiento
    amiruli Jul 4, 2015 at 10:18am

    If you want you can ping the broadcast address to ping everyone on the network then do arp -a

  • Pimiento
    chrisdahlkvist Nov 23, 2015 at 09:56am

    @RobertRobinson I'm the lead designer and project manager on the Honeywell systems.

    I can tell you exactly how I designed it. It's actually quite simple. Nothing is sent back to the unit. The unit is allowed access to the Internet via your setup and the router. As long as the unit has permission to make an outbound connection it will work. What happens is the unit makes a report to the server. If it needs to make a request then it gives the server a unique key. The server puts any needed data in an xml (readable) and the thermostat (or quite a few other devices) hits that URL a few seconds later (the device told the server where it would pick up that info).

    All your device needs is a simple read-only connection to the outside world. No need to download anything.
    It's a VERY simple process that I developed back in 1992 when the Interwebs were still pretty new to most people. There were many processes built off of this simple idea (it was pretty cutting edge when I first designed it). Store and forward, offline browsing, push technology, etc. all are based on this simple technology.

    Am I rich? Not even close. I was working on my PhD at the time and was hired by Honeywell to implement my design. I literally gave it away to the general public as is right.

    I hope that clears it up for you. If not, feel free to contact me for more information.

    Chris Dahlkvist
    [email protected]

  • prev
  • 1
  • 2
  • next