1

Yes, I know about ARP, but that relies somewhat on IP layer connectivity in that the remote system must be configured with an IP on a recognized subnet. Is there any way to just dump off what MAC addresses the interface has seen Ethernet frames from, either recently or since the interface was initialized? I'm not picky which.

Oesor

4 Answers

1

I think what you need is to set your NIC under promiscuous mode; there are more than a dozen tools on that page that, either through filtering or directly, will let you do what you want.

user
  • and tcpdump is the most famous of them – rvs Sep 21 '11 at 16:47
  • Yeah, unfortunately packet capturing for a period of time and filtering the results isn't an option for this case. I'm looking for something more at the driver level that logs seen traffic and not something that needs to be done interactively. – Oesor Sep 21 '11 at 17:34
  • Yeah, like I thought, there's nothing built into a base Linux kernel that's going to do this sort of thing; the best bet for implementing this is packet capture & logging Ethernet frame MACs. Though it's unsuitable for my purposes, it's the answer. – Oesor Sep 22 '11 at 13:13
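
The "packet capture and log the Ethernet frame MACs" approach the thread settles on, as an added example that is not from any of the answers: a small unattended logger that reads frames from a Linux `AF_PACKET` socket and records each source MAC, independent of any IP configuration. The default interface name `eth0` and the log line format are assumptions; capture needs root (or `CAP_NET_RAW`).

```python
#!/usr/bin/env python3
"""Log source MACs of Ethernet frames seen on an interface (Linux, needs root)."""
import socket
import sys
import time

ETH_P_ALL = 0x0003   # from <linux/if_ether.h>: receive every protocol
ETH_HLEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)


def source_mac(frame):
    """Return the source MAC as aa:bb:cc:dd:ee:ff, or None if unusable."""
    if len(frame) < ETH_HLEN:
        return None                      # truncated frame
    src = frame[6:12]
    if src[0] & 0x01 or src == b"\x00" * 6:
        return None                      # group bit set or all-zero: not a valid sender
    return ":".join(f"{b:02x}" for b in src)


def record(seen, frame, now):
    """Update seen[mac] = [first_seen, last_seen, frames]; return mac if it is new."""
    mac = source_mac(frame)
    if mac is None:
        return None
    if mac in seen:
        seen[mac][1] = now
        seen[mac][2] += 1
        return None
    seen[mac] = [now, now, 1]
    return mac


def watch(ifname):
    """Run unattended, printing one line the first time each MAC is seen."""
    seen = {}
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        s.bind((ifname, 0))              # protocol 0 keeps the socket's ETH_P_ALL
        while True:
            frame, addr = s.recvfrom(65535)
            if addr[2] == socket.PACKET_OUTGOING:
                continue                 # skip frames this host sent itself
            mac = record(seen, frame, time.time())
            if mac:
                print(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {ifname} new source MAC {mac}", flush=True)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

Without promiscuous mode the socket only receives broadcast, multicast and frames addressed to the host, so the log covers what the interface accepted rather than everything on the wire.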
1

You might be able to do this with a kernel event tracer such as SystemTap or LTTng. SystemTap has probe::netdev.rx and LTTng has net_dev_receive, either of which should do what you want.

However, I agree with @user. Packet capture is probably your best bet.

Gerald Combs
0

arp -an will show what you are looking for. There is a timeout for how long the MAC will stay in the table.

#arp -an
? (128.46.16.1) at f8:66:f2:9c:3d:25 [ether] on br0

Squidly
  • Like I stated in the question, arp will not work; it's a glue between IP and Ethernet and thus requires that the IP address is recognized as valid in order to set up the glue. If an interface sees broadcast traffic sourced outside of configured networks on the interface, it's not going to bother trying to set up the arp table entries for it. – Oesor Sep 21 '11 at 17:38
0

It really sounds like you are asking for arpwatch: http://www.securityfocus.com/tools/142

It will keep a database and email you when it sees new MAC addresses on any interface you configure it for.

polynomial