Get an MAC address of a LAN PC - OpenBSD


Get an MAC address of a LAN PC - OpenBSD

Indunil Jayasooriya
Hi Misc,


I do want to get an MAC address of a LAN PC that is 192.168.1.x

This PC is behind an OpenBSD pf box.

The command below only shows IPs.

tcpdump -n -e -ttt -r /var/log/pflog


How can I get it from this OpenBSD Pf box?









--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Get an MAC address of a LAN PC - OpenBSD

Raul Miller
http://man.openbsd.org/arp.8?

--
Raul


On Fri, Jun 23, 2017 at 12:01 AM, Indunil Jayasooriya
<[hidden email]> wrote:

> Hi Misc,
>
>
> I do want to get an MAC address of a LAN PC that is 192.168.1.x
>
> This PC is behind OpenBSD pf box.
>
> this below command only shows IPs.
>
> tcpdump -n -e -ttt -r /var/log/pflog
>
>
> How can I get it from this OpenBSD Pf box?
>
>
>
>
>
>
>
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/


Re: Get an MAC address of a LAN PC - OpenBSD

Indunil Jayasooriya
arp -a gives all.

Thanks a LOT.

It gives the current list.


Is there any way to get the MAC address of a PC that was connected to the
OpenBSD PF box but is NOT connected to it now?

This PC was removed from the network recently for auditing purposes.

Can arp give old stuff? Does it have a caching database somewhere in
OpenBSD, or do you know any other software that can fulfill my need?

Sir, hope to hear from you.




On Fri, Jun 23, 2017 at 9:55 AM, Raul Miller <[hidden email]> wrote:

> http://man.openbsd.org/arp.8?
>
> --
> Raul
>
>
> On Fri, Jun 23, 2017 at 12:01 AM, Indunil Jayasooriya
> <[hidden email]> wrote:
> > Hi Misc,
> >
> >
> > I do want to get an MAC address of a LAN PC that is 192.168.1.x
> >
> > This PC is behind OpenBSD pf box.
> >
> > this below command only shows IPs.
> >
> > tcpdump -n -e -ttt -r /var/log/pflog
> >
> >
> > How can I get it from this OpenBSD Pf box?
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > cat /etc/motd
> >
> > Thank you
> > Indunil Jayasooriya
> > http://www.theravadanet.net/
>



--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Get an MAC address of a LAN PC - OpenBSD

Raul Miller
arp caches, of course, because ip packets are only exchanged intermittently.

Whether it caches long enough for you is a different question.

Thanks,

--
Raul


On Fri, Jun 23, 2017 at 1:03 AM, Indunil Jayasooriya
<[hidden email]> wrote:

>
> arp -a gives all.
>
> thanks a LOT.
>
> it gives current list.
>
>
> Is there any way to get an MAC address of a PC that was connected to OpenBSD
> PF box but now it is NOT connect to.
>
> This PC was removed from the network recently for auditing purpose.
>
> Can arp give old stuffs? Does it have a caching database somewhere in
> OpenBSD or do you know any other software that can fulfill my need.
>
> Sir, Hope to hear from you.
>
>
>
>
> On Fri, Jun 23, 2017 at 9:55 AM, Raul Miller <[hidden email]> wrote:
>>
>> http://man.openbsd.org/arp.8?
>>
>> --
>> Raul
>>
>>
>> On Fri, Jun 23, 2017 at 12:01 AM, Indunil Jayasooriya
>> <[hidden email]> wrote:
>> > Hi Misc,
>> >
>> >
>> > I do want to get an MAC address of a LAN PC that is 192.168.1.x
>> >
>> > This PC is behind OpenBSD pf box.
>> >
>> > this below command only shows IPs.
>> >
>> > tcpdump -n -e -ttt -r /var/log/pflog
>> >
>> >
>> > How can I get it from this OpenBSD Pf box?
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > --
>> > cat /etc/motd
>> >
>> > Thank you
>> > Indunil Jayasooriya
>> > http://www.theravadanet.net/
>
>
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/
>


Re: Get an MAC address of a LAN PC - OpenBSD

Indunil Jayasooriya
Hi Raul,

I am very glad of your effort to support me, since I DO NEED to get the MAC of
an OLD PC.

This PC was removed from the network last week.

Unfortunately, "arp -a" does NOT give the MAC of that PC.

I am running darkstat as well. It does NOT give it either. I think
this pf box has been rebooted after removing that PC.

No idea what to do?





On Fri, Jun 23, 2017 at 10:40 AM, Raul Miller <[hidden email]> wrote:

> arp caches, of course, because ip packets are only exchanged
> intermittently.
>
> Whether it caches long enough for you is a different question.
>
> Thanks,
>
> --
> Raul
>
>
> On Fri, Jun 23, 2017 at 1:03 AM, Indunil Jayasooriya
> <[hidden email]> wrote:
> >
> > arp -a gives all.
> >
> > thanks a LOT.
> >
> > it gives current list.
> >
> >
> > Is there any way to get an MAC address of a PC that was connected to
> OpenBSD
> > PF box but now it is NOT connect to.
> >
> > This PC was removed from the network recently for auditing purpose.
> >
> > Can arp give old stuffs? Does it have a caching database somewhere in
> > OpenBSD or do you know any other software that can fulfill my need.
> >
> > Sir, Hope to hear from you.
> >
> >
> >
> >
> > On Fri, Jun 23, 2017 at 9:55 AM, Raul Miller <[hidden email]>
> wrote:
> >>
> >> http://man.openbsd.org/arp.8?
> >>
> >> --
> >> Raul
> >>
> >>
> >> On Fri, Jun 23, 2017 at 12:01 AM, Indunil Jayasooriya
> >> <[hidden email]> wrote:
> >> > Hi Misc,
> >> >
> >> >
> >> > I do want to get an MAC address of a LAN PC that is 192.168.1.x
> >> >
> >> > This PC is behind OpenBSD pf box.
> >> >
> >> > this below command only shows IPs.
> >> >
> >> > tcpdump -n -e -ttt -r /var/log/pflog
> >> >
> >> >
> >> > How can I get it from this OpenBSD Pf box?
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > cat /etc/motd
> >> >
> >> > Thank you
> >> > Indunil Jayasooriya
> >> > http://www.theravadanet.net/
> >
> >
> >
> >
> > --
> > cat /etc/motd
> >
> > Thank you
> > Indunil Jayasooriya
> > http://www.theravadanet.net/
> >
>



--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Get an MAC address of a LAN PC - OpenBSD

Theo de Raadt-2
> Hi Raul,
>
> I am very glad your effort to support me since I DO NEED  to get an MAC of
> an OLD PC.
>
> This PC was removed from the network last week.
>
> unfortunately "arp -a" does NOT give the MAC of that PC.
>
> I am running darkstat as well. It also does NOT give it either. I think
> This pf box has been rebooted after removing that PC.
>
> no idea what to do?

Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
it.

If you don't understand how computers and networking work, I'm sure
you can find another job.

Not everyone is suited to every role.  For example, I'm not very good
at explaining simple concepts to people who don't get it.


Re: Get an MAC address of a LAN PC - OpenBSD

Indunil Jayasooriya
>
> > no idea what to do?
>
> Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
> it.
>

Very sorry. It is prohibited to plug it back in and power it up.

To do it, we might need a special request.

Theo, anyway, thanks for your support.




--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Get an MAC address of a LAN PC - OpenBSD

Theo de Raadt-2
> > > no idea what to do?
> >
> > Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
> > it.
> >
>
>     very sorry. It is prohibited to plug it back in and power it up.
>
> To do it, We might need a special request.
>
> Theo, Anyway, thanks for you support.

Another solution is to smash that device with a hammer.  Repeatedly.
Don't stop before you are sure it is destroyed.

Then it has no MAC address.

Later, if you search the world, you won't find its MAC address.

Eventually through exhaustive search you might be able to make a good
guess as to what the MAC address was.

Did that help?


Re: Get an MAC address of a LAN PC - OpenBSD

Theo de Raadt-2
> Another solution is to smash that device with a hammer.  Repeatedly.
> Don't stop before you are sure it is destroyed.
>
> Then it has no MAC address.
>
> Later, if you search the world, you won't find it's MAC address.
>
> Eventually through exhaustive search you might be able to make a good
> guess as to what the MAC address was.
>
> Did that help?

Some of you will think this is a total joke.

This has previously been used to assure a globally unique MAC.

I suspect Indunil has the same problem.  Or, he's begging for
help to do something kind of extra-judicial...


Re: Get an MAC address of a LAN PC - OpenBSD

Indunil Jayasooriya
> Some of you will think this is a total joke.

I do NOT think in that way at all.

> This has previously used to assure global unique MAC.
>
> I suspect Indunil has the same problem.  Or, he's begging for
> help to do something kind of extra-judicial...

Theo, you are a computer prodigy (but I am NOT). That's why you founded
OpenBSD (my favorite OS). That's why I use OpenBSD. Sir, thanks a lot for
it.

If the user of that PC spoofed the MAC address, what does arp -a show in
OpenBSD?

I think arp -a shows the spoofed MAC address.

Am I right? Pls correct me if I am wrong.

If we reboot or format that PC, it will again show the real MAC.

Sir, hope to hear from you.







--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Get an MAC address of a LAN PC - OpenBSD

Theo de Raadt-2
> If the user of that PC spoofed the MAC address, What does arp  -a show in
> OpenBSD ?

It shows in:du:ni:l0:00:01

Every time.


Re: Get an MAC address of a LAN PC - OpenBSD

Florian Ermisch-2
In reply to this post by Indunil Jayasooriya
Some systems list their onboard
NIC's MAC in the BIOS. A few
may even have it printed on the
board or a sticker with the MAC
somewhere close to the NIC's port.
Or get a permit to unplug its disk(s)
before booting an OpenBSD CD,
then drop to a shell and run ifconfig.

If the MAC was spoofed but the
system was connected to a managed
switch, the switch may still have the
MAC from when it powered on cached.
If you're worried about spoofed MACs
you may also want to look into the
feature called port security (at least
on Juniper and Cisco devices) on your
access switches.
Which causes interesting problems with
VMs bridged to the host's NIC, btw ; )

Regards, Florian

On 23 June 2017 07:40:42 CEST, Indunil Jayasooriya <[hidden email]> wrote:

>>
>> > no idea what to do?
>>
>> Plug it back in.  Power it up.  
>> Make sure it has a reachable IP.
>> Ping it.
>>
>
>    very sorry. It is prohibited to plug it back in and power it up.
>
>To do it, We might need a special request.
>
>Theo, Anyway, thanks for you support.


Re: Get an MAC address of a LAN PC - OpenBSD

Mihai Popescu-3
In reply to this post by Indunil Jayasooriya
> Some systems list their onboard NIC's MAC in the BIOS.

Hey, it looks like Dr. House is in a good mood. Don't ruin it! I
already had a good laugh.


Re: Get an MAC address of a LAN PC - OpenBSD

Stuart Henderson
In reply to this post by Indunil Jayasooriya
On 2017-06-23, Indunil Jayasooriya <[hidden email]> wrote:
> Is there any way to get an MAC address of a PC that was connected to
> OpenBSD PF box but now it is NOT connect to.

If the PF box was serving DHCP and the PC fetched its address that way,
it will likely still be in the lease database, /var/db/dhcpd.leases.

If this is something which might come up again in the future, you can
run arpwatch (in ports), but it's no time machine.
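
A sketch of the lease-file lookup suggested above, added as an illustration and not part of the original post. It assumes the ISC-style `lease <ip> { ... }` blocks that dhcpd writes; the lease entries, the address 192.168.1.23 and the MAC addresses are constructed sample data. Because the file is an append-only log, every past holder of an address is listed, not only the latest one.

```shell
#!/bin/sh
# Added example: constructed lease entries, not data from the thread.
sample_leases() {
cat <<'EOF'
lease 192.168.1.23 {
    starts 5 2017/06/09 08:12:44 UTC;
    ends 6 2017/06/10 08:12:44 UTC;
    hardware ethernet 02:00:00:00:00:23;
    client-hostname "pc23";
}
lease 192.168.1.40 {
    starts 1 2017/06/12 09:00:01 UTC;
    ends 2 2017/06/13 09:00:01 UTC;
    hardware ethernet 02:00:00:00:00:40;
}
lease 192.168.1.23 {
    starts 4 2017/06/15 14:30:10 UTC;
    ends 5 2017/06/16 14:30:10 UTC;
    hardware ethernet 02:00:00:AB:CD:EF;
}
EOF
}

# Print "ip mac start-date start-time end-date end-time" for every lease
# block recorded for the IP given as $1, oldest first.
lease_history() {
    awk -v want="$1" '
    { gsub(/[;"]/, "") }        # strip statement terminators and quotes
    $1 == "lease" && $3 == "{" { ip = $2; mac = starts = ends = ""; inl = 1; next }
    inl && $1 == "starts" { starts = $3 " " $4 }
    inl && $1 == "ends"   { ends   = $3 " " $4 }
    inl && $1 == "hardware" && $2 == "ethernet" { mac = tolower($3) }
    inl && $1 == "}" {
        inl = 0
        if (ip == want && mac != "") print ip, mac, starts, ends
    }'
}

# Distinct MACs that have ever held the IP given as $1.
macs_for_ip() {
    lease_history "$1" | awk '!seen[$2]++ { print $2 }'
}

# On the firewall: lease_history 192.168.1.23 < /var/db/dhcpd.leases
sample_leases | lease_history 192.168.1.23
```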



Re: Get an MAC address of a LAN PC - OpenBSD

Gareth Nelson
In reply to this post by Indunil Jayasooriya
Open up the box physically, look for a label on the ethernet card

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctorow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Fri, Jun 23, 2017 at 6:40 AM, Indunil Jayasooriya <[hidden email]>
wrote:

> >
> > > no idea what to do?
> >
> > Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
> > it.
> >
>
>     very sorry. It is prohibited to plug it back in and power it up.
>
> To do it, We might need a special request.
>
> Theo, Anyway, thanks for you support.
>
>
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/
>

Re: Get an MAC address of a LAN PC - OpenBSD

Josh Grosse-3
In reply to this post by Indunil Jayasooriya
On Fri, Jun 23, 2017 at 11:10:42AM +0530, Indunil Jayasooriya wrote:

> >
> > > no idea what to do?
> >
> > Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
> > it.
> >
>
>     very sorry. It is prohibited to plug it back in and power it up.
>
> To do it, We might need a special request.

Plug the Evil Computer into an isolated Ethernet network.  Perhaps a
network that consists of only two computers:  The Evil Computer, and a
second, Hero Computer that will test the Evil Computer to discover its
Evil MAC Address.

https://en.wikipedia.org/wiki/Air_gap_(networking)


Re: Get an MAC address of a LAN PC - OpenBSD

Philipp Buehler
In reply to this post by Indunil Jayasooriya
On 23.06.2017 07:19, Indunil Jayasooriya wrote:

> I am running darkstat as well. It also does NOT give it either. I think
> This pf box has been rebooted after removing that PC.

See darkstat documentation, you can save/reload statistics across
restarts/reboots.
For the next time..

--
pb


Re: Get an MAC address of a LAN PC - OpenBSD

Vijay Sankar
In reply to this post by Stuart Henderson
Early this morning I sent a private message to the OP to understand why he was asking this question. It looked from his reply that the objective was to find whether someone had entered the same IP address on different workstations and accessed some unauthorized site.

Not sure if the following is a good suggestion but I thought if he looked at /var/log/messages on his firewall he may be able to see stuff such as:

Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 58:55:ca:43:83:91 on em0

Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 00:f7:6f:d4:3d:b6 on em0

etc. and correlate back.

Vijay

Sent from my iPhone

>> On Jun 23, 2017, at 06:47, Stuart Henderson <[hidden email]> wrote:
>>
>> On 2017-06-23, Indunil Jayasooriya <[hidden email]> wrote:
>> Is there any way to get an MAC address of a PC that was connected to
>> OpenBSD PF box but now it is NOT connect to.
>
> If the PF box was serving DHCP and the PC fetched its address that way,
> it will likely still be in the lease database, /var/db/dhcpd.leases.
>
> If this is something which might come up again in the future, you can
> run arpwatch (in ports), but it's no time machine.
>
>
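
The correlation described in the message above, as an added example that is not part of the original post. The first two sample lines are the ones quoted there; the other three (including the address 10.20.0.17) are constructed. It reduces the kernel's "arp info overwritten" messages to one row per IP/MAC claim and flags addresses that more than one MAC has claimed.

```shell
#!/bin/sh
# Added example. The first two log lines are the ones quoted in the post;
# the other three are constructed for illustration.
sample_log() {
cat <<'EOF'
Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 58:55:ca:43:83:91 on em0
Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 00:f7:6f:d4:3d:b6 on em0
Jun 23 02:10:40 fw1 /bsd: arp info overwritten for 10.20.0.17 by 02:00:5e:10:00:01 on em0
Jun 23 02:11:05 fw1 sshd[4242]: unrelated line that must be ignored
Jun 23 03:02:55 fw1 /bsd: arp info overwritten for 10.20.0.216 by 58:55:ca:43:83:91 on em0
EOF
}

# Print one line per (IP, MAC, interface) claim, in order of first appearance,
# with the first and last time that MAC overwrote the entry and how often.
arp_overwrites() {
    awk '
    / arp info overwritten for / {
        # Find the fields relative to the keyword, not by fixed column.
        for (i = 1; i <= NF; i++)
            if ($i == "overwritten" && $(i + 1) == "for") break
        if (i > NF) next
        ip = $(i + 2); mac = tolower($(i + 4)); ifc = $(i + 6)
        ts = $1 " " $2 " " $3            # syslog timestamp carries no year
        key = ip " " mac " " ifc
        if (!(key in first)) { first[key] = ts; order[++n] = key }
        last[key] = ts; count[key]++
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            printf "%s first=\"%s\" last=\"%s\" count=%d\n", k, first[k], last[k], count[k]
        }
    }'
}

# List IPs that more than one MAC has claimed: the duplicate-address case.
contested_ips() {
    arp_overwrites | awk '
    !seen[$1 " " $2]++ { macs[$1]++ }
    END { for (ip in macs) if (macs[ip] > 1) print ip }' | sort
}

# On the firewall: arp_overwrites < /var/log/messages
sample_log | arp_overwrites
sample_log | contested_ips
```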


Fwd: Get an MAC address of a LAN PC - OpenBSD

Indunil Jayasooriya
In reply to this post by Stuart Henderson
> If the PF box was serving DHCP and the PC fetched its address that way,
> it will likely still be in the lease database, /var/db/dhcpd.leases.

No DHCP server is running.

> If this is something which might come up again in the future, you can
> run arpwatch (in ports), but it's no time machine.

This may come up in the future. Very, very useful pkg.

I installed it.

cd /usr/ports/net/arpwatch/

make install clean

I added pkg_scripts="arpwatch" to the /etc/rc.conf.local file to start it at
boot.


Anyway, I think it runs by default on my bge0 interface.

My LAN is bge2.


I just hit arpwatch -i bge2 (man arpwatch).

I want to set bge2 as the default.

I can't find any .conf file.

Pls guide me.






--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/

Re: Get an MAC address of a LAN PC - OpenBSD

lists-2
In reply to this post by Vijay Sankar
Fri, 23 Jun 2017 15:22:09 -0500 Vijay Sankar <[hidden email]>
> Early this morning I sent a private message to the OP to understand
> why he was asking this question. It looked from his reply that the
> objective was to find whether someone had entered the same IP address
> on different workstations and accessed some unauthorized site.

Hi Vijay,

You could also ask Indunil why he was asking this kind of question here?
This is one matter of local policy and technical realisation on premise.

For the time being we could presume from the scarce information provided
that the person asking has not done their homework in all areas related.

How can OpenBSD help him advance from the position of the original post?
By providing the advice to friendly approach the person and advise them.

Software solutions can help as much as procedure & practice are working.
Before going for a technical upgrade make sure you have solved policies.

Why does this matter at all?  Because he can influence the policy making
process there and help him get his fellow off the hook, optionally win a
friend to whom he could show OpenBSD ways to achieve some goal together.

Kind regards,
Anton Lazarov

> Not sure if the following is a good suggestion but I thought if he
> looked at /var/log/messages on his firewall he may be able to see
> stuff such as:
>
> Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by
> 58:55:ca:43:83:91 on em0
>
> Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by
> 00:f7:6f:d4:3d:b6 on em0
>
> etc. and correlate back.
>
> Vijay
>
> Sent from my iPhone
>
> >> On Jun 23, 2017, at 06:47, Stuart Henderson <[hidden email]>
> >> wrote:
> >>
> >> On 2017-06-23, Indunil Jayasooriya <[hidden email]> wrote:
> >> Is there any way to get an MAC address of a PC that was connected
> >> to OpenBSD PF box but now it is NOT connect to.  
> >
> > If the PF box was serving DHCP and the PC fetched its address that
> > way, it will likely still be in the lease
> > database, /var/db/dhcpd.leases.
> >
> > If this is something which might come up again in the future, you
> > can run arpwatch (in ports), but it's no time machine.
> >
> >  
>
