Wireshark mailing list archives

Re: newbie MAC->IP question


From: Guy Harris <guy () alum mit edu>
Date: Sat, 19 Jun 2010 12:47:20 -0700


On Jun 18, 2010, at 7:22 AM, János Löbb wrote:

Looking at the Ethernet traffic, I see the routers and switches with their Ethernet/MAC addresses.  However, they do not show up in the IP traffic.  When I look at the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the IP address of the router?  (That is, of course, as it should be.)

Can Wireshark - or any other program on a Mac - translate a MAC address into an IP?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, would be to either

        1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC address;

        2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody responds;

        3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

I looked at man arp, but I do not see it there either, and arp -a does not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly won't have it.)

P.S.  How can I capture only router and switch traffic and ignore all the workstations, and vice versa?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
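
The two mechanisms discussed in the message above, as an added example that is not part of the original post: building a MAC-based capture filter from a list of router/switch MAC addresses, and looking a MAC up in the local ARP table. It assumes the pcap `ether host` filter primitive and the `? (ip) at mac on ifname` line format printed by `arp -a` on macOS; the function names and every address shown are constructed for illustration.

```python
import re

# Constructed sample of macOS-style `arp -a` output (addresses are made up).
# macOS prints MAC octets without leading zeros, so they must be normalized.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:1e:c2:a:b:c on en0 ifscope [ethernet]
? (192.168.1.23) at 3c:7:54:12:34:56 on en0 ifscope [ethernet]
? (192.168.1.99) at (incomplete) on en0 ifscope [ethernet]
"""

def normalize_mac(mac):
    """Return a MAC as six zero-padded lowercase hex octets, or raise ValueError."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.lower().zfill(2) for p in parts)

def parse_arp(text):
    """Map normalized MAC -> IP for every complete entry in `arp -a` output."""
    table = {}
    for m in re.finditer(r"\((\d+(?:\.\d+){3})\) at (\S+)", text):
        ip, mac = m.groups()
        try:
            table[normalize_mac(mac)] = ip
        except ValueError:
            continue  # "(incomplete)": no ARP reply was ever received
    return table

def capture_filter(macs, exclude=False):
    """Build a pcap capture filter matching (or excluding) frames to/from the MACs."""
    if not macs:
        raise ValueError("need at least one MAC address")
    expr = " or ".join(f"ether host {normalize_mac(m)}" for m in macs)
    return f"not ({expr})" if exclude else expr

if __name__ == "__main__":
    routers = ["0:1E:C2:A:B:C", "00-1b-54-aa-bb-cc"]  # hypothetical router MACs
    print(capture_filter(routers))                # routers/switches only
    print(capture_filter(routers, exclude=True))  # everything except them
    # A MAC with no entry means this host never needed to talk to that device.
    for mac in routers:
        print(mac, "->", parse_arp(SAMPLE_ARP).get(normalize_mac(mac), "no ARP entry"))
```

The resulting string can be pasted into Wireshark's capture filter field or passed to `tcpdump`; the ARP lookup only returns addresses for devices the capturing host has itself exchanged traffic with.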

