2

This is an equivalent of a question asked here for OSX. What is the easiest way to find out the NetBIOS name of a Windows PC in my LAN by MAC address and vice versa?

It can be done by IP with:

nmblookup -A a.b.c.d
nmblookup pc_netbios_name

Is there a similar command for MAC address?

Hrvoje T
  • Do you mean IP address or MAC? They are different things and you've used one in your title and one in the body of your question. You can edit your question to fix one of them. – roaima Oct 29 '15 at 07:34
  • This question is **on topic** for U&L. `nmblookup` is part of the `samba` package. – garethTheRed Oct 29 '15 at 08:00
  • Did you ever find a solution for this? On re-reading your question, one obvious thing to try (that requires sysadmin or network admin access on the servers and/or router) is to use firewall rules to block access from the offending MAC address to either the DHCP server, any important servers (e.g. Samba server or web proxy) or to the internet (at your router/firewall). If any of these are Linux machines, you can use the `ebtables` command on them to block packets from specific source MAC addresses... then see who comes squawking, and tell them off for using an IP address assigned to you. – cas Apr 26 '16 at 07:47
  • Another obvious thing: if the IPs are assigned by DHCP based on MAC address, see if the DHCP server is misconfigured and assigning the same IP to two different MAC addresses. If so, fix it. I hesitate to say it because it's giving up, but you could also reconfigure the DHCP server to give your MAC a different IP address. – cas Apr 26 '16 at 07:51
  • @cas yes, I found a solution. I turned off the known PC and then found the problematic one via arp. It was some old manageable switch which one of the employees turned on in his office. It had a static IP. – Hrvoje T Oct 04 '16 at 09:22

3 Answers

3

You can find out the MAC address of a recently contacted device by its IP address using the arp table:

ping -c1 -w1 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=63 time=0.785 ms

--- 10.0.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.785/0.785/0.785/0.000 ms

arp -n 10.0.2.2
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.2.2                 ether   52:54:00:12:35:02   C                     eth0

You could merge this into a little function:

iptoarp() {
    local ip="$1"
    ping -c1 -w1 "$ip" >/dev/null
    arp -n "$ip" | awk '$1==ip {print $3}' ip="$ip"
}

iptoarp 10.0.2.2    # --> 52:54:00:12:35:02

I know of no easy way to get an IP address or NetBIOS name from a MAC address. Either run arpwatch and scan the log file for chat from that device, or ping each IP address on your LAN in turn and look for the arp response.

roaima
  • My PC didn't chat with that device. I found out via wireshark that two of my LAN PCs have the same IP address (duplicate). I know the MAC addresses of both and only the NetBIOS name of one. This is why I need the NetBIOS name of the other PC by MAC. Now when I ping that IP, I can see it is only the first PC answering. I can see that by doing the `arp` command. – Hrvoje T Oct 29 '15 at 07:52
  • As far as I'm aware, modern Windows (this millennium?) uses NetBIOS over TCP/IP exclusively. Therefore any process to extract the NetBIOS name from a MAC address would need the involvement of an IP address. As you have an IP address conflict, you wouldn't know which one is responding. How about switching off the 'known' PC then trying again without an IP address conflict? – garethTheRed Oct 29 '15 at 08:20
  • Yes, I will have to do that. Turn off the 'known', ping the unknown, find out its MAC address by the `arp` table and do nmblookup to find out the NetBIOS name. – Hrvoje T Oct 29 '15 at 14:12
  • @roaima Thanks for the function. Is it possible to make one for NetBIOS names from IP? – Hrvoje T Oct 30 '15 at 12:17
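One way to chain the steps discussed in these comments (fill the ARP cache, find the IP that carries the MAC, then run `nmblookup -A` on it and pick the unique `<00>` name), written here as an added example and not code from any of the answers. It assumes net-tools `arp` and Samba's `nmblookup`; the `arp -n` and `nmblookup -A` output embedded at the bottom is constructed so the two parsers can be checked offline.

```shell
# MAC -> IP via the ARP cache, then IP -> NetBIOS name via `nmblookup -A`.
# Assumes net-tools `arp` and Samba `nmblookup`; the parsers are plain awk.

# Print the IP whose HWaddress column matches $1 (case-insensitive), reading
# `arp -n` output from stdin. "(incomplete)" entries never match.
arp_ip_for_mac() {
    awk -v mac="$(printf '%s' "$1" | tr 'A-F' 'a-f')" \
        'tolower($3) == mac { print $1; exit }'
}

# Print the unique <00> (workstation) name from `nmblookup -A` output on stdin;
# group names carry "<GROUP>" in the fourth column and are skipped.
netbios_name_from_status() {
    awk '$2 == "<00>" && $3 == "-" && $4 != "<GROUP>" { print $1; exit }'
}

# Ping every host of the /24 given as $2 (e.g. 10.0.2) so the ARP cache fills,
# then chain the two lookups for the MAC given as $1. Needs the real tools.
mac_to_netbios() {
    mac="$1" prefix="$2" i=1
    while [ "$i" -le 254 ]; do
        ping -c1 -w1 "$prefix.$i" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
    ip=$(arp -n | arp_ip_for_mac "$mac")
    [ -n "$ip" ] || { echo "no ARP entry for $mac" >&2; return 1; }
    nmblookup -A "$ip" | netbios_name_from_status
}

# Constructed sample output (not captured from a real host) for an offline check.
ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.2.2                 ether   52:54:00:12:35:02   C                     eth0
10.0.2.7                         (incomplete)                              eth0
10.0.2.9                 ether   52:54:00:ab:cd:ef   C                     eth0'
STATUS_SAMPLE='Looking up status of 10.0.2.9
        OLDSWITCH       <00> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        OLDSWITCH       <20> -         B <ACTIVE>

        MAC Address = 52-54-00-AB-CD-EF'

# Run both parsers on the samples; prints "10.0.2.9 OLDSWITCH".
demo_offline() {
    ip=$(printf '%s\n' "$ARP_SAMPLE" | arp_ip_for_mac '52:54:00:AB:CD:EF')
    name=$(printf '%s\n' "$STATUS_SAMPLE" | netbios_name_from_status)
    printf '%s %s\n' "$ip" "$name"
}
```

On a live LAN, `mac_to_netbios 52:54:00:12:35:02 10.0.2` does the whole chain; it only works once the IP conflict is resolved, since the ARP cache holds one entry per IP.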
1

You could use tcpdump or wireshark to monitor network traffic to and from that MAC address.

I tend to use tcpdump to do the packet logging and (if I need something a bit nicer than just reading the tcpdump output) I save the packets to a file and load them into the GUI version of wireshark for analysis.

For example:

MAC='01:02:03:04:05:06'
tcpdump -l -n -i br0 "ether src $MAC or ether dst $MAC"

You can tweak the filter rule given to tcpdump to exclude stuff you're not interested in (e.g. port 80 or 443) and/or include stuff you are interested in (e.g. tcp and udp ports 137-139). Don't exclude too much, though, because you never know what kinds of packets will give you the identifying info you are after.

To write the packet log to a file for analysis with wireshark, use tcpdump's -w filename option AND its -s snaplen option (with a snaplen of zero to capture full packets):

tcpdump -l -n -i br0 -w macdump.log -s 0 "ether src $MAC or ether dst $MAC"

Leave it running long enough to get a good sample - which might take hours if the target machine is switched off or inactive.

cas
  • If I want to use it on a wifi interface, does it go `tcpdump -l -n -i wlo1 -w macdump.log -s 0 "ether src $MAC or ether dst $MAC"`? What does ether do? How do I open that log file? I can't read it with gedit. – Hrvoje T Oct 30 '15 at 23:30
  • The log format is specific to tcpdump. It's a dump of captured packets. It can only be read by tools like `tcpdump -r` and `wireshark` etc. – cas Oct 31 '15 at 00:20
  • The `-i` option tells tcpdump to listen on a particular interface, so if `wlo1` is your wifi interface, it will listen on wifi. `ether` is part of the packet filter language; it tells it to ignore packets not to or from that MAC address. – cas Oct 31 '15 at 00:21
0

arp -n | grep -i YOUR:MAC:HERE | awk '{print $1}' | nslookup

I'm fairly certain you need to be running a nameserver on your local network for this to work.

user235504