About the author.

Welcome to The blog of whall

Come on in and stay a while… laugh a little. Maybe even think. Read more...

Hi, This is Wayne. This is my site, my stuff, my blog, blahblahblah. The site itself is powered by WordPress and the Scary Little theme. I thought it was cool, and I still do.

7:18 am
Post Meta :

I haven’t done a technical article in a long time, and this one is fresh in my memory, so I took the opportunity to blog it.

First of all, if networking isn’t your thing, this may bore you.  And by “networking,” I mean connecting computers with cables and having them talk to each other and to servers and internet sites and all that.  I don’t mean going to the local Starbucks and getting to know a neighbor.  However, if you went up to a stranger at Starbacks and said “hey, I’ve been meaning to interface my hard disk with your mainframe,”  you might get a virus, so be sure bring your Trojans.

The gist of this article is how to track down a MAC address.  An example might be: you’re an IT administrator, in charge of a large network in a medium-sized building, say 100 or more folks.  Some kind of activity is coming from one of the systems somewhere, but all you know is an IP address.  You want to physically hunt down where that IP address is, as in what port of what switch it’s plugged into.  If you use DHCP to automatically assign IP addresses to your users (which the vast majority of people do in larger networks), you won’t necessarily know the physical location of, say,  In this example, all you know is the IP address, and there’s no DNS entry for it to tell you the name.

Let me start with some basics (continued in the extended entry, below).

In the IP world, which is what the Internet runs on (in fact, the “I” of IP is Internet, the “P” is Protocol), each device gets a special address.  It’s supposed to be unique in their view of the world.  In general, the IP address is mostly arbitrary, but there are some rules as to which ranges of addresses you should use for public vs private use.  There’s no real law; people like Internet Service Providers and Three Initial Corporations “agree” to adhere to these rules.  The 192.168.x.x range is one of these pre-established ranges, and if you have an internet connection at home with a network sharing device like a Linksys or Netgear, your PC will probably get an IP in that range.  Those are called “private ranges” because your is different than your neighbor’s address.  However, www.yahoo.com’s IP address is specific and unique, because everyone in the world needs to get to their specific server, so you can’t use their IP address.

IP Addresses are how computers talk to each other, regardless of distance or scope.  For example, a address might be across town, or it might be across the world.  The “protocol” part of IP dictates how information, put into packets, can get from your IP address to another, anywhere in the world. 

Example addresses:


However, on a local level, in the world of switches and hubs, another address becomes important.  This is called the MAC address.  MAC stands for Media Access Control but the name itself is unimportant.  The point is that it’s a globally unique identifer for a specific network device, but is non-routable.  Where IP addresses imply the ability to get from one to another (say, getting from your PC to yahoo.com), MAC addresses are just unique identifers with no routing ability inherent in the scheme.  The MAC address is a 32-bit string of hexadecimal numbers and letters that looks like gobble-de-gook.  What’s more annoying is that you can write a MAC address in many different ways.

Example MAC address, in 4 different forms


This MAC address is how your PC talks to it’s immediate physical neighbors, such as a printer, or a router, or another PC.  The IP address isn’t enough for  your PC to talk to the printer – your PC needs to know the MAC address of the printer to talk on the lower layer.

By the way, when you talk about MAC addresses, you’re talking about Layer 2 of the OSI model.  IP Addresses are Layer 3.  Any of these terms sound familiar?

Now, when your PC, say, at needs to talk to your Linksys router, which is at, it has to know the linksys’ MAC address.  It finds this out by doing an ARP (address resolution protocol).  It broadcasts out on the little network cable in a manner similar to the following.  Note: this is a broadcast, so it’s in upper caps.  It’s like the guy is shouting to everyone, because everyone on the wire has to stop and listen):


If is listening, then it replies to the ARP by saying something like


So now MR PC knows the MAC address and can talk directly to the linksys at Layer 2.

This is all well and good when you’re talking about two or three devices on a local area network.  But when you have hundreds of devices, it gets a little more difficult to find out what cable where goes to the device with a specific address.

This is where the CAM table comes in, or ARP table.  CAM stands for Content-Addressible Memory.  This is a fancy way of saying that a switch in the comm room is constantly listening to all these yelling matches going on, and writes down in a special list all the MAC addresses it hears.  It also writes down where it heard it.  For example, port 4/2 on some Cisco switch might hear the shouting and know that 00-12-3F-A4-1A-C6 is on that port.  This list is sometimes called the ARP Cache, the ARP Table, or the CAM Table.  Maybe the Dynamic MAC table.  It doesn’t matter what it’s called – what matters is that it’s a big list of MAC addresses seen recently by the switch.  And by recently, I mean usually 30 seconds.

The trick of finding a specific MAC address in a large array of different vendor switches is knowing the commands required to find the port that has that MAC address.

Unfortunately, when you have all these switches put together, they may talk to each other as to knowing that a MAC address is on the switch, but they don’t all share what port the MAC address was seen.  So you actually have to find the specific switch.  This is where it can get daunting.

Oh, and to top it off, each vendor has a different command for finding the port a MAC address was last seen.

  • Cisco
    sh cam <mac address>
  • Foundry
    sh mac <mac address>
  • Dell PowerConnect
    show bridge address-table address <mac address>

Here’s an example of me finding a specific MAC address, inside a cluster of various network devices made up of Cisco, Foundry and PowerConnect, via the command line.

I start with a Cisco 6509 switch, our main switch:

Note: bolded entries are the commands I typed; highlighted entries are what I’m looking for in the output

sw-cisco> (enable) sh cam 00:b0:d0:63:c2:26
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
—-  ——————    —–  —————————————-
104   00-b0-d0-63-c2-26             2/7 [ALL]

This is telling me that as far as this switch knows, this mac address was last seen on port 2/7.  I check that port, and it’s a trunk to another one of my switches, a Foundry.  So I telnet over to that switch and continue the chase, in Foundry-speak.

telnet@sw-foundry#sh mac 00b0.d063.c226
Total active entries from all ports = 323
Type D:Dynamic  S:Static  L:Lock Address  M:Secure Mac
MAC Address     Port  Age Type DMA Valid Flags    VLAN DMA:CAM Index …
00b0.d063.c226   1/6    0    D 00000000-00000003   104   0:32786  1:32843

Hmm.  Now it’s telling me that it knows about this mac address through port 1/6, which is another trunk to yet another switch, this time a Dell PowerConnect.  Off I go, into the wild blue yonder…

sw-dell# show bridge address-table address 00b0.d063.c226
Aging time is 300 sec
  Vlan        Mac Address       Port     Type
——– ——————— —— ———-
  104      00:b0:d0:63:c2:26    e41    dynamic
Aha!  Now I’ve found a port that’s not another trunk.  This port (e41) should be where the system is.

Ugh, Dell surely didn’t make it easy to figure out how to get a MAC address.  Most networking vendors seem to copy Cisco’s command set, at least a little, but this is ridiculous. 

We trace down that cable and sure enough, it is the system with that specific IP address.  System found!

tsk tsk

Ajax CommentLuv Enabled 336ad6ab990e8080f1c0ad1f892428a0