Inverse ARP lookup

Question

How can I do an inverse ARP lookup in Windows and/or Linux? Say that I have the MAC address of wireless access point which is up and running in the network, but I forgot it's IP address?

I know I'd get flamed with this if I put it as an answer: http://www.experts-exchange.com/Networking/Q_20279274.html — Jeffrey, Aug 25 '09 at 20:08
@Jeffrey - Just mark it as a community wiki - And if the referrer is not google the link is useless anyway. — BinaryMisfit, Aug 25 '09 at 20:10
I believe the term is 'reverse arp', rather than inverse, you might have more luck searching with this. — Dentrasi, Aug 25 '09 at 20:15
I thought so too, but reverse arp is something else. It's asking the network what your own IP is (replaced by DHCP) — Bart van Heukelom, Aug 26 '09 at 12:56

score 22 · Accepted Answer · answered Aug 25 '09 at 20:14

22

The easiest way to do this is to ping the broadcast address (ping -b [broadcast address) on your subnet (often .255), and then dump your arp table (arp -a on Linux), and you should find the MAC of the machine, along with its IP.

answered Aug 25 '09 at 20:14

Dentrasi

11,155
4
27
28

3

Why the -b? On osx -b specifies an interface to bind to – mist Jul 28 '14 at 09:25
@mist `-b` is required on Linux to ping broadcast, but not on OSX – Markus Hedlund Dec 27 '15 at 10:46
1

Broadcast pings don't always work. I offer another solution in my answer. – Jonathan J Feb 27 '18 at 19:35

score 3 · Answer 2 · answered Feb 27 '18 at 19:33

Pinging the broadcast address only works for those things that respond to a broadcast ping, and not everything does. Another approach is to ping every address in the subnet, then review the ARP table.

In Windows, you can do this with:

for /l %i in (1,1,254) do ping -n 1 -w 50 192.168.0.%i

Basically, you are running ping in a 'for' loop. The arguments are thus:

/l -- causes 'for' to loop
%i -- incrementing variable
(start, increment, end) -- the start, increment, and ending values
-n -- number of packets to send
-w -- time in milliseconds to wait for a reply

After that completes, you can review the ARP table with

arp -a

Kind of a "brute force" method, but it works using existing tools. This usually will resolve hosts that don't respond to ping, as well.

score 3 · Answer 3 · answered Aug 25 '09 at 22:00

3

arping2 has an example arping-scan-net.sh which finds the IP address of a given mac address in a given network subnet. It works by scanning each ip address, so It works when broadcast pings are discarded (a very common situation)

answered Aug 25 '09 at 22:00

hayalci

1,682
12
17

The method provided in [`arping-scan-net.sh`](https://github.com/ThomasHabets/arping/blob/arping-2.x/extra/arping-scan-net.sh#L49) loops through IP addresses and invokes `arping -A -q -c 1 -T 192.168.0.$i $TARGET_MAC` which is timewise equivalent to pinging the given IP address. Is there any way to resolve IP address from given MAC with one utility invocation? – dma_k Dec 04 '19 at 15:48

score 3 · Answer 4 · answered Feb 28 '13 at 07:48

Also you can use nmap this is utility for network discovery, in Ubuntu you can simply install it from command line: apt-get install nmap For ping scan network use: nmap -sP xx.xx.xx.xx/yy as a result you find all hosts in network. You can use other scan technics (if host not respond to ICMP ping) for scanning the network.

score 2 · Answer 5 · answered Aug 25 '09 at 20:13

From a bad, bad place, written by scraig84:

Typically you would need to find it on one of your machine's arp tables. If there is a router in your network, this is usually the most central place to gather that type of info. On a cisco router, the command is "show arp" - it will give you a listing of the MAC addresses and their corresponding IP address. On a windows box, from a DOS prompt you can type "arp -a" to see similar output.

Inverse ARP lookup

5 Answers5