Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: How to find MAC address
From: Andreas Ericsson <ae () op5 se>
Date: Fri, 31 Mar 2006 12:59:17 +0200

Martin O'Neal wrote:
There isn't an nmap option to gather a MAC remotely, but your original
response said:

There is none. As soon as a packet passes a 
router the only MAC you're gonna see is the 
one of the router. ARP-packets simply cannot 
be routed.

Which is misleading; ARP isn't the only mechanism.  There are ways of
gathering the MAC from higher level protocols, and not just proprietary
extensions either;  MS NetBIOS name service, SNMP, blah blah blah...

For nmap, ARP *is* the only mechanism. The question was "why doesn't 
nmap detect the MAC of this and that host on a different network?" and 
the answers given are totally correct. How is that misleading? Other 
tools can (try to) determine MAC addresses through other means, but nmap 

FYI, MS NetBIOS is broadcast which also only works on local subnets, 
possibly with the exception that someone may actually be daft enough to 
put a windows box as router (the horror!). Never having tried this, I'm 
not sure if it would report hosts on both networks as beeing in the 

SNMP is not really an option (not necessarily running everywhere, info 
can be spoofed, etc. etc. - same problem as with all other solutions 
based on anything but ARP) and I doubt Fyodor will accept a patch to 
support it. nmap being opensource, you're ofcourse free to write one and 
submit it for inclusion.

Andreas Ericsson                   andreas.ericsson () op5 se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]