Show
This article explains how to find a MAC address with an IP address using the command line utility ARP. It also covers additional information about checking your router's connection data for an IP address. In Windows, Linux, and other operating systems, the command line utility ARP (Address Resolution Protocol) shows local MAC address information stored in the ARP cache. However, it only works within the small group of computers on a local area network (LAN), not across the internet. ARP is intended to be used by system administrators, and it is not typically a useful way to track down computers and people on the internet. TCP/IP computer networks use both the IP addresses and MAC addresses of connected client devices. While the IP address changes over time, the MAC address of a network adapter always stays the same. Using ARP, each local network interface tracks both the IP address and MAC address for each device it has recently communicated with. Most computers let you see this list of addresses that ARP has collected. Here is one example of how to find a MAC address using an IP address.
To find the MAC address of the device connected to your router—assuming you can access the router's administrative control panel—log in and check for connected devices. Each active device, as well as recently connected devices, should list the local IP address as well as the MAC address.
There's another method used to find and change the MAC address of the computer you're currently using, which involves using the ipconfig /all command in Windows. A single device can possess multiple network interfaces and MAC addresses. A laptop computer with Ethernet, Wi-Fi, and Bluetooth connections, for example, has two or sometimes three MAC addresses associated with it, one for each physical network device. Reasons to track down the MAC address of a network device include:
It isn't usually possible to look up MAC addresses for devices outside a person's physical reach. It is often impossible to determine a computer's MAC address from its IP address alone because these two addresses originate from different sources. A computer's hardware configuration determines its MAC address, while the network configuration it is connected to determines its IP address.
Thanks for letting us know!
Tell us why!
81.2k views
Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a specific device on the network. ARP translates Internet Protocol (IP) addresses to a Media Access Control (MAC) address, and vice versa. Most commonly, devices use ARP to contact the router or gateway that enables them to connect to the Internet. Hosts maintain an ARP cache, a mapping table between IP addresses and MAC addresses, and use it to connect to destinations on the network. If the host doesn’t know the MAC address for a certain IP address, it sends out an ARP request packet, asking other machines on the network for the matching MAC address. The ARP protocol was not designed for security, so it does not verify that a response to an ARP request really comes from an authorized party. It also lets hosts accept ARP responses even if they never sent out a request. This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks. ARP only works with 32-bit IP addresses in the older IPv4 standard. The newer IPv6 protocol uses a different protocol, Neighbor Discovery Protocol (NDP), which is secure and uses cryptographic keys to verify host identities. However, since most of the Internet still uses the older IPv4 protocol, ARP remains in wide use. What is ARP Spoofing (ARP Poisoning)An ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows attackers to intercept communication between network devices. The attack works as follows:
Once the attacker succeeds in an ARP spoofing attack, they can:
How to Detect an ARP Cache Poisoning AttackHere is a simple way to detect that a specific device’s ARP cache has been poisoned, using the command line. Start an operating system shell as an administrator. Use the following command to display the ARP table, on both Windows and Linux: arp -aThe output will look something like this: Internet Address Physical Address 192.168.5.1 00-14-22-01-23-45 192.168.5.201 40-d4-48-cr-55-b8 192.168.5.202 00-14-22-01-23-45If the table contains two different IP addresses that have the same MAC address, this indicates an ARP attack is taking place. Because the IP address 192.168.5.1 can be recognized as the router, the attacker’s IP is probably 192.168.5.202. To discover ARP spoofing in a large network and get more information about the type of communication the attacker is carrying out, you can use the open source Wireshark protocol. ARP Spoofing PreventionHere are a few best practices that can help you prevent ARP Spoofing on your network:
|