MAC Address Lookup using a Jumphost


Dear JDisc friends,

We have nearly finished a new feature. We will be able to get MAC addresses from devices in remote networks.

That doesn’t sound too spectacular, does it? However, this is a pretty important feature and I am going to explain why. Furthermore, it is not that easy to obtain MAC addresses for each and every device.

There are two important reasons to get the MAC addresses for as many devices as possible:

  1. Derive the manufacturer from the MAC address
    Usually, the first three octets of a MAC address identify the vendor. There are a lot of web pages to identify the manufacturer based on the MAC address. One example of such a service is https://www.macvendorlookup.com/.
    You can also download the MAC address to manufacturer database from various web pages. We have integrated the mapping in our product. This enables us to identify the manufacturer. Whenever JDisc Discovery has no access credentials or the device does not expose any standard protocol, the device appears as an unidentified device. However, with the MAC address, we can at least resolve the manufacturer.
  2. Create a proper network topology
    MAC addresses are essential for creating a proper network switch topology. Switches are network layer 2 devices and thus work with MAC addresses. Each switch maintains an internal mapping table that maps MAC addresses to switch ports. This mapping table (e.g. downloadable from https://macaddress.io/database-download/csv) can be used to determine what device is connected to which switch port. The prerequisite is that you also have the corresponding MAC address for a device. So it is essential to determine the corresponding MAC address for as many devices as possible. Without the MAC address, the switch port assignment for devices cannot be done!

However, it is not always trivial to determine the MAC address for a given IP address. When the device’s IP address resides within the same network segment as the discovery computer, it is not difficult to obtain the device’s MAC address. Simply ping the IP address and then run an ARP command to read the current ARP cache.

Figure: ARP request after ping

The example above illustrates how it works. First, you ping the desired IP address (in this case 192.168.178.1). That will populate the local ARP cache with the corresponding MAC address (here: cc:ce:1e:b4:40:01). Now you can take this MAC address and use any lookup page to find the vendor.

Figure: Using the macvendors.com page to look up the vendor for a MAC address

Based on the MAC address, we can determine that the vendor for this device is a Germany-based company named "AVM".

But what happens when you try to look up the MAC address for an IP address that resides in a different network? If you are familiar with basic IP networking, then you know that the approach described above does not work for remote networks that are connected via routers. The ARP request will not return the MAC address for remote IP addresses.

As I mentioned before, you need to be on the same subnetwork in order to obtain the MAC address. Therefore, we have implemented a kind of jump host solution to obtain MAC addresses. Let’s assume we have discovered a Windows or Linux server in the remote network. What we could do is log on to the Linux server in the remote network using SSH. Then you can ping the target IP address from the Linux server and use the Linux server’s ARP command to obtain the MAC address for the desired IP address. The Linux server is used in this scenario as a kind of jump host to obtain the MAC address.

Figure: ARP lookup using a Linux jump host

The image above illustrates how the discovery gets the MAC address. First, it chooses a suitable Linux or Windows server within the remote network. Then it connects via SSH or Remote Login Agent to the remote computer. Once it is connected to the jump host, it pings the target IP address and then runs the ARP command on the jump host to determine the MAC address.
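
The ping-then-ARP lookup described above, run locally or through a Linux jump host over SSH, as an added Python example (not JDisc's code). It assumes the jump host provides `ping` and `ip neigh`; the function names, the sample cache output and the one-entry vendor table are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed one-entry OUI table; the vendor name is the one the post reports.
OUI_VENDORS = {"CC:CE:1E": "AVM"}
MAC_RE = re.compile(r"[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5}")
# Constructed neighbour-cache output (Linux `ip neigh` and Windows `arp -a` styles).
SAMPLE = """\
192.168.178.10 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.178.1 dev eth0 lladdr cc:ce:1e:b4:40:01 REACHABLE
192.168.178.77 dev eth0  FAILED
  192.168.178.2         cc-ce-1e-00-0a-ff     dynamic
"""


def build_command(target_ip, jump_host=None):
    """argv for 'ping once, then read the neighbour entry', local or via SSH."""
    # Only a literal IPv4 address reaches the shell string, so a malformed
    # "IP" value from scan input cannot inject commands on the jump host.
    ip = str(ipaddress.IPv4Address(target_ip))
    script = f"ping -c 1 -W 1 {ip} >/dev/null 2>&1; ip neigh show {ip}"
    if jump_host is None:
        return ["sh", "-c", script]
    # "--" stops a jump_host value starting with "-" being read as an option.
    return ["ssh", "-o", "BatchMode=yes", "--", jump_host, script]


def parse_mac(output, target_ip):
    """Return the normalised MAC for target_ip, or None if unresolved."""
    for line in output.splitlines():
        tokens = re.split(r"[\s()]+", line.strip())
        if target_ip not in tokens:  # exact match: .1 must not hit .10
            continue
        for tok in tokens:
            if MAC_RE.fullmatch(tok):
                return ":".join(p.zfill(2).upper() for p in re.split(r"[:-]", tok))
    return None  # FAILED / incomplete entries carry no MAC


def vendor_for(mac):  # the first three octets (the OUI) identify the vendor
    return OUI_VENDORS.get(mac[:8]) if mac else None


def lookup_mac(target_ip, jump_host=None):
    """Run the ping + neighbour lookup (needs network access) and parse it."""
    proc = subprocess.run(build_command(target_ip, jump_host),
                          capture_output=True, text=True, timeout=15)
    return parse_mac(proc.stdout, target_ip)
```

A `None` result means the neighbour entry never resolved, which is what a routed (non-local) target or a powered-off device looks like from the host running the lookup.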

Figure: Enable ARP jump host usage

The above dialog illustrates where to configure the remote ARP jump host usage. When enabled, you can also configure the number of worker threads for each network. Each worker thread is able to perform one ARP request at a time. We can have multiple worker threads to speed up the discovery when multiple devices are being scanned in parallel.

This feature will be released with build 5017 pretty soon. Hopefully, it improves the network topology and provides some more information on so far unknown devices.

Cheers,
Thomas

About The Author

Thomas Trenz
I own and manage JDisc and its network inventory and discovery products. Before I started JDisc, I worked quite a long time for Hewlett-Packard developing software for network assessments and inventory projects. Feel free to contact me on Linked-In or Xing.
