Resolving MAC Address from IP Address in Linux

If you just want to find out the MAC address of a given IP address you can use the command arp to look it up, once you've pinged the system 1 time.

Example

$ ping skinner -c 1
PING skinner.bubba.net (192.168.1.3) 56(84) bytes of data.
64 bytes from skinner.bubba.net (192.168.1.3): icmp_seq=1 ttl=64 time=3.09 ms

--- skinner.bubba.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.097/3.097/3.097/0.000 ms

Now look up in the ARP table:

$ arp -a
skinner.bubba.net (192.168.1.3) at 00:19:d1:e8:4c:95 [ether] on wlp3s0

fing

If you want to sweep the entire LAN for MAC addresses you can use the command line tool fing to do so. It's typically not installed so you'll have to go download it and install it manually.

$ sudo fing 10.9.8.0/24

   

Using ip

If you find you don't have the arp or fing commands available, you could use iproute2's command ip neigh to see your system's ARP table instead:

$ ip neigh
192.168.1.61 dev eth0 lladdr b8:27:eb:87:74:11 REACHABLE
192.168.1.70 dev eth0 lladdr 30:b5:c2:3d:6c:37 STALE
192.168.1.95 dev eth0 lladdr f0:18:98:1d:26:e2 REACHABLE
192.168.1.2 dev eth0 lladdr 14:cc:20:d4:56:2a STALE
192.168.1.10 dev eth0 lladdr 00:22:15:91:c1:2d REACHABLE

References

• Equivalent of iwlist to see who is around?

You can use arp command:

arp -an

But you can only use this command in LAN, if you want to find out the MAC address of any remote host, maybe you must use some tool to capture the packet like tcpdump and parsing the result.

This is from my question and answer in askubuntu.

You can use the command

   sudo nmap -sP -PE -PA21,23,80,3389 192.168.1.*

nmap: Network exploration tool and security / port scanner. From the manual:

-sP (Skip port scan) . This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

-PE; -PP; -PM (ICMP Ping Types) . In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts.. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC 1122[2]. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

-A (Aggressive scan options) . This option enables additional advanced and aggressive options.

21,23,80,3389 Ports to search through

192.168.1.* Range of IPs. replace with yours.