is there a command/method for searching for a single enemy Mac address to reveal its IP like arp -a but searching by Mac address?

[careyjames]

is there a command/method for searching for a single enemy Mac address to reveal its IP like arp -a but searching by Mac address?

maybe in Nmap?

had a crappy tp link switch that was broadcasting DHCP as a false gateway at the same IP as the real gateway and it did not show up in arp -a scans, it did show up in the mac-address-table of the switches (really nice dymec switches).

we had to do a manual human search of the entire facility to locate that little *******, so i guess I want to know if there was a better way to reveal more info.

also if i did know the mac address of something and wanted to know its ip address without looking through the entire arp -a result is there a command to filter results to the single mac address? man arp was not too helpful..

[Irukandji]

Hold up.. What exactly are you planning to do?

[digininja]

Look at grep for filtering output.

[careyjames]

ah! thank you! I googled sooo long grrrr! 

 

arp -a | grep "70:4F:57:7A:A0:98"

[careyjames]

10 minutes ago, kdodge said:

this is maybe not exactly what you are looking for, but the "arping" took is also very handy to interact with the ARP level

well true because even though I did need this command, in that network it would not have helped nor shown results, its funny that the enemy Mac address only showed up in the switches Mac tables and not in the cradle point E3000...

[digininja]

ARP packets traverse layer two switches, these are the most common type, but not layer three switches or routers.

The easy way to think of it is a router is where your network address changes so it does its work by IP address whereas switches work on the same subnet and so work by ARP first.

That isn't really the best way to describe it, but should give you the idea.