I haven’t done a technical article in a long time, and this one is fresh in my memory, so I took the opportunity to blog it.
First of all, if networking isn’t your thing, this may bore you. And by “networking,” I mean connecting computers with cables and having them talk to each other and to servers and internet sites and all that. I don’t mean going to the local Starbucks and getting to know a neighbor. However, if you went up to a stranger at Starbucks and said “hey, I’ve been meaning to interface my hard disk with your mainframe,” you might get a virus, so be sure to bring your Trojans.
The gist of this article is how to track down a MAC address. An example might be: you’re an IT administrator, in charge of a large network in a medium-sized building, say 100 or more folks. Some kind of activity is coming from one of the systems somewhere, but all you know is an IP address. You want to physically hunt down where that IP address is, as in what port of what switch it’s plugged into. If you use DHCP to automatically assign IP addresses to your users (which the vast majority of people do in larger networks), you won’t necessarily know the physical location of, say, 192.168.245.33. In this example, all you know is the IP address, and there’s no DNS entry for it to tell you the name.
Let me start with some basics (continued in the extended entry, below).
In the IP world, which is what the Internet runs on (in fact, the “I” of IP is Internet, the “P” is Protocol), each device gets a special address. It’s supposed to be unique in their view of the world. In general, the IP address is mostly arbitrary, but there are some rules as to which ranges of addresses you should use for public vs private use. There’s no real law; people like Internet Service Providers and Three Initial Corporations “agree” to adhere to these rules. The 192.168.x.x range is one of these pre-established ranges, and if you have an internet connection at home with a network sharing device like a Linksys or Netgear, your PC will probably get an IP in that range. Those are called “private ranges” because your 192.168.1.100 is different than your neighbor’s 192.168.1.100 address. However, www.yahoo.com’s IP address is specific and unique, because everyone in the world needs to get to their specific server, so you can’t use their IP address.
IP Addresses are how computers talk to each other, regardless of distance or scope. For example, a 18.104.22.168 address might be across town, or it might be across the world. The “protocol” part of IP dictates how information, put into packets, can get from your IP address to another, anywhere in the world.
However, on a local level, in the world of switches and hubs, another address becomes important. This is called the MAC address. MAC stands for Media Access Control, but the name itself is unimportant. The point is that it’s a globally unique identifier for a specific network device, but is non-routable. Where IP addresses imply the ability to get from one to another (say, getting from your PC to yahoo.com), MAC addresses are just unique identifiers with no routing ability inherent in the scheme. The MAC address is a 32-bit string of hexadecimal numbers and letters that looks like gobbledygook. What’s more annoying is that you can write a MAC address in many different ways.
Example MAC address, in 4 different forms
This MAC address is how your PC talks to its immediate physical neighbors, such as a printer, or a router, or another PC. The IP address isn’t enough for your PC to talk to the printer – your PC needs to know the MAC address of the printer to talk on the lower layer.
By the way, when you talk about MAC addresses, you’re talking about Layer 2 of the OSI model. IP Addresses are Layer 3. Any of these terms sound familiar?
Now, when your PC, say, at 192.168.1.100 needs to talk to your Linksys router, which is at 192.168.1.1, it has to know the Linksys’s MAC address. It finds this out by doing an ARP (Address Resolution Protocol). It broadcasts out on the little network cable in a manner similar to the following (note: this is a broadcast, so it’s in all caps. It’s like the guy is shouting to everyone, because everyone on the wire has to stop and listen):
“HEY EVERYONE! LISTEN UP. THIS IS ME, MR PC AT 192.168.1.100, MAC ADDRESS 00-18-8B-A4-BA-D0! YO TO THE EAST SIDE! ANYBODY OUT THERE KNOW WHERE THE HELL 192.168.1.1 IS? COME ON, ANYBODY?”
If 192.168.1.1 is listening, then it replies to the ARP by saying something like
“‘SUP YO! I GOTS YO INFO, 00-18-8B-A4-BA-D0, IFNYOUKNOWWHATIMEAN. DAT’S ME, AT 00-12-3F-A4-1A-C6. SLAP MA FRO!”
So now MR PC knows the MAC address and can talk directly to the linksys at Layer 2.
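Here is the same exchange played out in memory, as an added example (Python, not code from the original post): it packs the PC’s broadcast request and the router’s unicast reply into real Ethernet/ARP wire format, parses them back, and returns the IP-to-MAC entry the PC would cache. The MAC and IP addresses are the ones from the dialogue above; nothing is sent on a wire, and the `asked_ip` parameter is an assumption added so the “only the owner of the address answers” rule can be exercised.

```python
import struct

# Wire layout of an Ethernet header and an ARP packet (RFC 826), big-endian.
ETH_FMT = "!6s6sH"          # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-18-8B-A4-BA-D0, 00:18:8b:a4:ba:d0 or 0018.8ba4.bad0 and return 6 octets."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 6-octet MAC: {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(p) for p in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return bytes(octets)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet header followed by a 28-byte ARP packet (42 bytes total, before padding)."""
    eth = struct.pack(ETH_FMT, mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                      mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src), "op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def arp_exchange(pc_mac, pc_ip, router_mac, router_ip, asked_ip=None):
    """Play both sides of the dialogue.  Returns the IP -> MAC entry the PC would cache,
    or None if the router would not have answered (asked_ip is not its own address)."""
    asked_ip = asked_ip or router_ip
    # "HEY EVERYONE": the request goes to the broadcast MAC; the target MAC is unknown (zeros).
    request = build_arp_frame(BROADCAST_MAC, pc_mac, OP_REQUEST, pc_mac, pc_ip, ZERO_MAC, asked_ip)
    q = parse_arp_frame(request)
    # Router side: every host on the wire sees the broadcast, only the owner of target_ip answers.
    if q["op"] != OP_REQUEST or q["target_ip"] != router_ip:
        return None
    # "DAT'S ME": the reply is unicast straight back to the asker's MAC.
    reply = build_arp_frame(q["sender_mac"], router_mac, OP_REPLY, router_mac, router_ip,
                            q["sender_mac"], q["sender_ip"])
    a = parse_arp_frame(reply)
    # PC side: cache the sender pair.  Nothing in the frame authenticates the answer,
    # so an ARP entry is only as trustworthy as the segment it was learned on.
    if a["op"] != OP_REPLY or a["target_ip"] != pc_ip:
        return None
    return {a["sender_ip"]: a["sender_mac"]}


if __name__ == "__main__":
    print(arp_exchange("00-18-8B-A4-BA-D0", "192.168.1.100", "00-12-3F-A4-1A-C6", "192.168.1.1"))
```

The request frame’s Ethernet destination is the broadcast address while the reply’s is the PC’s own MAC, which is exactly the shouting-versus-answering-back difference the dialogue describes.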
This is all well and good when you’re talking about two or three devices on a local area network. But when you have hundreds of devices, it gets a little more difficult to find out which cable goes to the device with a specific address.
This is where the CAM table comes in, or ARP table. CAM stands for Content-Addressable Memory. This is a fancy way of saying that a switch in the comm room is constantly listening to all these yelling matches going on, and writes down in a special list all the MAC addresses it hears. It also writes down where it heard it. For example, port 4/2 on some Cisco switch might hear the shouting and know that 00-12-3F-A4-1A-C6 is on that port. This list is sometimes called the ARP Cache, the ARP Table, or the CAM Table. Maybe the Dynamic MAC table. It doesn’t matter what it’s called – what matters is that it’s a big list of MAC addresses seen recently by the switch. And by recently, I mean usually 30 seconds.
The trick of finding a specific MAC address in a large array of different vendor switches is knowing the commands required to find the port that has that MAC address.
Unfortunately, when you have all these switches put together, they may share with each other that a MAC address exists somewhere on the network, but they don’t all share which port the MAC address was seen on. So you actually have to find the specific switch. This is where it can get daunting.
Oh, and to top it off, each vendor has a different command for finding the port a MAC address was last seen.
- Cisco (CatOS): sh cam <mac address>
- Foundry: sh mac <mac address>
- Dell PowerConnect: show bridge address-table address <mac address>
Here’s an example of me finding a specific MAC address, inside a cluster of various network devices made up of Cisco, Foundry and PowerConnect, via the command line.
I start with a Cisco 6509 switch, our main switch:
Note: bolded entries are the commands I typed; highlighted entries are what I’m looking for in the output
sw-cisco> (enable) sh cam 00:b0:d0:63:c2:26
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- ----------------------------------------
104 00-b0-d0-63-c2-26 2/7 [ALL]
This is telling me that as far as this switch knows, this mac address was last seen on port 2/7. I check that port, and it’s a trunk to another one of my switches, a Foundry. So I telnet over to that switch and continue the chase, in Foundry-speak.
telnet@sw-foundry#sh mac 00b0.d063.c226
Total active entries from all ports = 323
Type D:Dynamic S:Static L:Lock Address M:Secure Mac
MAC Address Port Age Type DMA Valid Flags VLAN DMA:CAM Index …
00b0.d063.c226 1/6 0 D 00000000-00000003 104 0:32786 1:32843
Hmm. Now it’s telling me that it knows about this mac address through port 1/6, which is another trunk to yet another switch, this time a Dell PowerConnect. Off I go, into the wild blue yonder…
sw-dell# show bridge address-table address 00b0.d063.c226
Aging time is 300 sec
Vlan Mac Address Port Type
---- ------------------ ---- ----------
104 00:b0:d0:63:c2:26 e41 dynamic
Aha! Now I’ve found a port that’s not another trunk. This port (e41) should be where the system is.
Ugh, Dell surely didn’t make it easy to figure out how to get a MAC address. Most networking vendors seem to copy Cisco’s command set, at least a little, but this is ridiculous.
We trace down that cable and sure enough, it is the system with that specific IP address. System found!
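The chase above, automated, as an added example in Python that is not code from the post: it accepts the MAC in any of the three notations the switches used, pulls the port out of each vendor’s table dump, and hops from switch to switch until it lands on a port that is not a trunk. The three dumps are constructed copies of the outputs quoted above; the trunk map (which port leads to which neighbouring switch) is an assumption standing in for the port check the author did by hand, and the parser relies on one property of the three layouts shown, namely that the port column immediately follows the MAC column.

```python
import re

# Port designators seen in the three dumps: Cisco "2/7", Foundry "1/6", Dell "e41".
PORT_RE = re.compile(r"^[A-Za-z]{0,3}\d+(?:/\d+)*$")


def normalize_mac(mac: str) -> str:
    """Turn 00-B0-D0-63-C2-26, 00:b0:d0:63:c2:26 or 00b0.d063.c226 into 00:b0:d0:63:c2:26."""
    digits = re.sub(r"[:\-.]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 6-octet MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_port(table_output: str, mac: str):
    """Return the port on which `mac` appears in a CAM/MAC table dump, or None if it is
    not there (never learned, or aged out).  Assumes the Cisco CatOS, Foundry and Dell
    PowerConnect layouts from the post, where the port column follows the MAC column."""
    target = normalize_mac(mac)
    for line in table_output.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            try:
                if normalize_mac(tok) != target:
                    continue
            except ValueError:      # header words, VLAN ids, flag fields: not a MAC
                continue
            candidate = tokens[i + 1]
            if PORT_RE.match(candidate):
                return candidate
    return None


def trace_mac(mac: str, start_switch: str, tables: dict, trunks: dict):
    """Follow `mac` from switch to switch.  `tables` maps switch name -> table dump,
    `trunks` maps (switch, port) -> neighbouring switch for ports known to be trunks.
    Returns (hops, edge): edge is the first (switch, port) that is not a trunk, or None
    when some switch along the way no longer has the MAC in its table."""
    hops, switch, visited = [], start_switch, set()
    while switch not in visited:
        visited.add(switch)
        port = find_port(tables[switch], mac)
        if port is None:
            return hops, None
        hops.append((switch, port))
        neighbour = trunks.get((switch, port))
        if neighbour is None:       # not a trunk: this is where the cable goes
            return hops, (switch, port)
        switch = neighbour
    raise RuntimeError(f"trunk map loops back to {switch}")


# Constructed sample dumps, copied from the three outputs quoted in the post.
CISCO_SAMPLE = """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- ----------------------------------------
104  00-b0-d0-63-c2-26        2/7 [ALL]
"""
FOUNDRY_SAMPLE = """\
Total active entries from all ports = 323
Type D:Dynamic S:Static L:Lock Address M:Secure Mac
MAC Address     Port  Age  Type  DMA Valid Flags    VLAN  DMA:CAM Index
00b0.d063.c226  1/6   0    D     00000000-00000003  104   0:32786 1:32843
"""
DELL_SAMPLE = """\
Aging time is 300 sec
Vlan  Mac Address         Port  Type
----  ------------------  ----  ------
104   00:b0:d0:63:c2:26   e41   dynamic
"""
SAMPLE_TABLES = {"sw-cisco": CISCO_SAMPLE, "sw-foundry": FOUNDRY_SAMPLE, "sw-dell": DELL_SAMPLE}
# Assumed trunk map: in the post these were found by checking each port's configuration.
SAMPLE_TRUNKS = {("sw-cisco", "2/7"): "sw-foundry", ("sw-foundry", "1/6"): "sw-dell"}


if __name__ == "__main__":
    hops, edge = trace_mac("00b0.d063.c226", "sw-cisco", SAMPLE_TABLES, SAMPLE_TRUNKS)
    for switch, port in hops:
        print(f"{switch}: seen on {port}")
    print("edge port:", edge)
```

A `None` edge is the case worth handling: table entries age out (the Dell dump shows a 300-second timer), so a MAC that has gone quiet can vanish from an intermediate switch mid-chase, and the right response is to make the host talk again and re-run, not to assume the last hop was the edge.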