0

I know this question was flagged "off-topic" and "non-professional", but when creating a gateway or IDS, this might be quite relevant. Also, Google finds nothing usable...

There is a thing called a MAC table (or CAM table) in every common switch (according to this article: https://en.wikipedia.org/wiki/CAM_Table).

If the switch knows exactly the route to a MAC address, and is advertising them on every port (seems logical)...

  • Assuming a Linux box, is it possible to query every MAC address in the network on a specified interface?
Zoltan Szeder

2 Answers

2

I generally install arpalert on a system for this purpose. It is a daemon that uses libcap to watch traffic. It keeps a database of MAC addresses per interface. It can also watch for some unusual types of events and send notifications. It keeps track of the last usage, and it will keep the database across reboots (in comparison to just setting up a bridge interface).

Zoredache
  • As I understand, this solution only shows the MAC addresses that were found in an ARP request packet (...tell 192.168.0.x) or where the ARP response was served to my machine. It cannot show the interfaces where no IP was supplied (like certain sniffing machines) – Zoltan Szeder Mar 10 '15 at 08:40
1

Well, to be fair, everyone says "arp -a", but I am not satisfied with this answer, since it only shows the known MAC addresses (and their corresponding IP).

To list all addresses on a port, you'll need to change your current network configuration. We will use the bridge-utils package, but any other bridge implementation (e.g. Open vSwitch) can do this. The following description will work on Debian-based systems:

  1. First you should install the bridge-utils package.
  2. Set the selected port down with ifdown.
  3. Create a bridge on the port whose MAC addresses you want to list.

Let's assume the port is eth0, and the IP address is dynamic. In /etc/network/interfaces the following should appear:

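# eth0 gets no address of its own; it only serves as a bridge port
allow-hotplug eth0
iface eth0 inet manual

# br0 takes over the (dynamic) IP address
auto br0
iface br0 inet dhcp
  bridge_ports eth0
  bridge_fd 0
  bridge_stp off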

To apply these changes, you can either use ifup on eth0 and then on br0, or simply restart.

  4. Now you can use brctl to query the port.

It will list the full MAC table:

root@debian:~# brctl showmacs br0

The output should look something like this:

port no mac addr                is local?       ageing timer
  1     ab:cd:ef:01:02:03       no                 1.72
  1     ab:cd:ef:01:02:04       no                25.52
  1     ab:cd:ef:01:02:05       no                 2.64
  1     ab:cd:ef:01:02:06       no                10.67
  1     ab:cd:ef:01:02:07       yes                0.00
Zoltan Szeder
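
For the gateway/IDS use case raised in the question, the `brctl showmacs` table can be parsed and compared against an inventory of expected hosts. The following is an added example, not part of either answer; the allowlist contents, the `max_age` cut-off and the function names are assumptions, and the sample table is constructed in the layout shown above.

```python
import re
import subprocess

MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")

# Constructed sample in the layout of the `brctl showmacs` output above.
SAMPLE = """\
port no mac addr                is local?       ageing timer
  1     ab:cd:ef:01:02:03       no                 1.72
  1     ab:cd:ef:01:02:04       no                25.52
  1     ab:cd:ef:01:02:07       yes                0.00
"""


def read_bridge(bridge="br0"):
    """Return the raw forwarding table of a live bridge (needs bridge-utils)."""
    return subprocess.run(["brctl", "showmacs", bridge], check=True,
                          capture_output=True, text=True).stdout


def parse_showmacs(text):
    """Parse `brctl showmacs` output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have four columns; the header and blank lines do not.
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        port, mac, local, age = fields
        if not MAC_RE.fullmatch(mac.lower()) or local not in ("yes", "no"):
            continue
        try:
            rows.append({"port": int(port), "mac": mac.lower(),
                         "local": local == "yes", "age": float(age)})
        except ValueError:
            continue  # malformed ageing timer
    return rows


def unknown_macs(rows, known, max_age=None):
    """Learned (non-local) MACs absent from the allowlist, optionally only
    those seen within the last max_age seconds."""
    known = {m.lower() for m in known}
    return sorted({r["mac"] for r in rows
                   if not r["local"] and r["mac"] not in known
                   and (max_age is None or r["age"] <= max_age)})


if __name__ == "__main__":
    allowlist = {"AB:CD:EF:01:02:03"}  # hypothetical inventory of known hosts
    print(unknown_macs(parse_showmacs(SAMPLE), allowlist))
```

On a live system, pass `read_bridge("br0")` instead of `SAMPLE`; rows marked local are the bridge's own interfaces and are skipped.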