ARP table

I don't really know much about the arp table but was surprised earlier when arp -a did not show a particular MAC address, but I found I could ping the address associated with that MAC address.

Is this to be expected?

If so, what is the most reliable way of being able to tell if that MAC address is active, given that the IP address changes from time to time?
 
Check the rARP request or look for arp ping.

If you have a DHCP server in your network then you can also check the DHCP bindings and search for that MAC address there.
If you have a managed switch then you can also check its arp table for that MAC address.
 
If there's no traffic to/from that host the arp table entry will expire, this is normal and expected/wanted behaviour. So from a host in the network you can only try to arping(8) that mac address periodically to check if it's still there and renew the table entry.
The ARP table also doesn't tell you if a host is still there/active - it can as well have gone offline but the entry hasn't expired yet.

If you want to monitor that mac address, you might want to check the arp table and then the associated port on the switch if it's a wired client, or on the access point / wireless controller.
The DHCP server might also be a valid source e.g. if you want to trace a mac address to its current IP.
So what problem exactly are you trying to solve here?
 
The IP address might be behind a router. ARP is only used on directly connected networks (broadcast domain), if the IP packet has to travel through a router then your ARP table is only going to contain the router's MAC address.
 
Thanks for the pointers to arping().

I've looked at the manpage but haven't found an option to arping a MAC address and have it simply return the IP address if it finds it. Is there such a thing or do I need to parse the output?

Maybe I have missed such an option if it exists...
 
I've looked at the manpage but haven't found an option to arping a MAC address and have it simply return the IP address if it finds it
That's the normal mode when pinging a mac address.

From arping(8):
Code:
EXAMPLES
[...]
       # arping -c 3 00:11:85:4c:01:01
       ARPING 00:11:85:4c:01:01
       60 bytes from 88.1.180.225 (00:11:85:4c:01:01): icmp_seq=0 time=13.367 msec
       60 bytes from 88.1.180.225 (00:11:85:4c:01:01): icmp_seq=1 time=13.929 msec
       60 bytes from 88.1.180.225 (00:11:85:4c:01:01): icmp_seq=2 time=13.929 msec

       --- 00:11:85:4c:01:01 statistics ---
       3 packets transmitted, 3 packets received,   0% unanswered
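
For the parsing question above, one way to reduce that arping output to just the replying IP address, as an added example that is not part of the thread. The function and sample names (`ips_for_mac`, `sample_reply`, `sample_silent`) are made up here, and the no-reply sample is constructed from the statistics line format shown in the manpage excerpt.

```shell
#!/bin/sh
# Added example, not from the thread. The reply-line layout is the one in
# the arping(8) EXAMPLES excerpt above:
#   60 bytes from <ip> (<mac>): icmp_seq=N time=...

# ips_for_mac MAC: read arping output on stdin and print each distinct IP
# that replied from MAC (case-insensitive). Returns 1 if nothing replied.
ips_for_mac() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        $2 == "bytes" && $3 == "from" {
            mac = tolower($5)
            sub(/^\(/, "", mac)       # strip leading "("
            sub(/\):?$/, "", mac)     # strip trailing "):"
            if (mac == want && !seen[$4]++) { print $4; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Sample input copied from the manpage excerpt quoted in the thread.
sample_reply() {
    cat <<'EOF'
ARPING 00:11:85:4c:01:01
60 bytes from 88.1.180.225 (00:11:85:4c:01:01): icmp_seq=0 time=13.367 msec
60 bytes from 88.1.180.225 (00:11:85:4c:01:01): icmp_seq=1 time=13.929 msec
60 bytes from 88.1.180.225 (00:11:85:4c:01:01): icmp_seq=2 time=13.929 msec

--- 00:11:85:4c:01:01 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered
EOF
}

# Constructed sample: no host answered for the MAC.
sample_silent() {
    cat <<'EOF'
ARPING 00:11:85:4c:01:01

--- 00:11:85:4c:01:01 statistics ---
3 packets transmitted, 0 packets received, 100% unanswered
EOF
}

# Live use would be: arping -c 3 "$mac" | ips_for_mac "$mac"
sample_reply | ips_for_mac 00:11:85:4c:01:01
```

If more than one IP is printed, more than one address answered for that MAC during the run. A non-zero return only means nothing replied within the probe count.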
 