1. Introduction
When troubleshooting connectivity or performing specific actions within a network, it can be useful to ping a device by its Media Access Control (MAC) address. Pinging a device relies on using the IP address, which operates at the network layer of the networking protocol stack. However, there are situations where the IP address may not be available or known.
In such cases, when we need to communicate directly with a device using its MAC address, alternative approaches might be necessary. Accordingly, by leveraging the Address Resolution Protocol (ARP), we can discover the associated IP address through the ARP cache or by sending ARP requests to a specific MAC address.
In this tutorial, we’ll learn how to efficiently check the availability of a device in the network via its MAC address.
2. Using arping
arping is a command-line utility that sends Address Resolution Protocol (ARP) requests to a specific MAC address to verify its presence on a network. arping enables us to ping a device by its MAC address instead of its IP address.
First, let’s install arping via apt-get:
$ sudo apt-get install arping
Then, we can use nmap to find MAC addresses in the network:
$ sudo nmap -sn 10.211.55.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-14 12:37 UTC
Nmap scan report for prl-local-ns-server.shared (10.211.55.1)
Host is up (0.00037s latency).
MAC Address: 00:1C:42:00:00:18 (Parallels)
Nmap scan report for 10.211.55.2
Host is up (0.00025s latency).
MAC Address: 16:7D:DA:F4:27:64 (Unknown)
...
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.07 seconds
In this example, we used -sn to scan focused on determining which hosts are up and responsive on the network. In addition, the output provides information about the discovered hosts within the specified network address range, including their IP addresses, MAC addresses, and responsiveness.
At this point, we use arping to ping by any found MAC address:
$ sudo arping -c 2 -I enp0s5 16:7D:DA:F4:27:64
ARPING 16:7D:DA:F4:27:64
62 bytes from 10.211.55.2 (16:7d:da:f4:27:64): icmp_seq=0 time=294.351 usec
62 bytes from 10.211.55.2 (16:7d:da:f4:27:64): icmp_seq=1 time=367.207 usec
--- 16:7D:DA:F4:27:64 statistics ---
2 packets transmitted, 2 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.294/0.331/0.367/0.036 ms
In this case, we used -c to define the number of ARP requests to send. Moreover, -I indicates enp0s5 as the network interface for sending the requests.
The output shows that arping successfully sent two ARP requests to the specified MAC address via the network interface enp0s5 and received responses.
Notably, we also obtained the mapping of IP addresses associated with the given MAC address.
3. Using arp
arp is a command-line tool that allows users to view and manage the Address Resolution Protocol (ARP) cache. In addition, arp provides information about the association between IP and MAC addresses on a local network.
Here, we’ll first retrieve the associated IP address from the MAC address and then ping by IP instead of MAC.
Let’s use arp to find the IP address associated with a given MAC address:
$ arp -n | grep 16:7d:da:f4:27:64
10.211.55.2 ether 16:7d:da:f4:27:64 C enp0s5
Here, we used -n to disable name resolution. Afterward, we piped to grep to search for a specific MAC address within the output. Moreover, the output shows the IP mapping of the MAC address 16:7d:da:f4:27:64 is 10.211.55.2.
Now, we can ping the IP address:
$ ping 10.211.55.2
PING 10.211.55.2 (10.211.55.2) 56(84) bytes of data.
64 bytes from 10.211.55.2: icmp_seq=1 ttl=64 time=0.850 ms
64 bytes from 10.211.55.2: icmp_seq=2 ttl=64 time=0.296 ms
--- 10.211.55.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1019ms
rtt min/avg/max/mdev = 0.296/0.573/0.850/0.277 ms
In this example, two ICMP echo requests were successfully transmitted and received, indicating a responsive network connection.
4. Using arp-scan
arp-scan is a command-line tool to actively scan and discover devices on a network by sending ARP requests. Hence, we can use arp-scan to check the availability of a MAC address in the network.
First, let’s install arp-scan:
$ sudo apt-get install arp-scan
Then, we can send ARP requests to a specific Network Interface Card (NIC):
$ sudo arp-scan --destaddr=00:50:56:fd:38:2c --localnet
Interface: ens33, type: EN10MB, MAC: 00:0c:29:e7:46:2b, IPv4: 192.168.244.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.244.2 00:50:56:fd:38:2c VMware, Inc.
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.945 seconds (131.62 hosts/sec). 1 responded
In this example, we used –destaddr to specify the desired MAC address. Moreover, arp-scan needs target hosts specification as an argument. Hence, we can use IP addresses or hostnames. Further, –localnet can be used in which case the targets are generated from the network interface IP address and netmask.
Finally, arp-scan performed an ARP sweep on the local network with a specific target MAC address. As a result, arp-scan discovered one host 192.168.244.2 with its corresponding MAC address, verifying its availability.
5. Using Bash Script
Of course, we can also use a Bash script, but we still need arp to find the associated IP address. Then, we use ping to send ICMP echo requests to the discovered IP address.
Let’s take a look at the script via cat:
$ cat ping_mac.sh
#!/bin/bash
# Function to ping a specific MAC address
ping_mac_address() {
mac_address="$1"
ip_address=$(arp -n | grep "$mac_address" | awk '{print $1}')
if [ -n "$ip_address" ]; then
ping -c 2 "$ip_address"
else
echo "MAC address not found in ARP cache."
fi
}
# Main script
mac_address="$1" # Get MAC address from a command-line argument
ping_mac_address "$mac_address"
In this case, the script gets the MAC address as an argument, then uses arp to retrieve the associated IP address. If the MAC address is found in the ARP cache, we send two echo requests. Otherwise, we display an error message:
$ ./ping_mac.sh 00:1c:42:00:00:18
PING 10.211.55.1 (10.211.55.1) 56(84) bytes of data.
64 bytes from 10.211.55.1: icmp_seq=1 ttl=128 time=0.350 ms
64 bytes from 10.211.55.1: icmp_seq=2 ttl=128 time=0.398 ms
--- 10.211.55.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1029ms
rtt min/avg/max/mdev = 0.350/0.374/0.398/0.024 ms
In this example, the script successfully pinged the IP address 10.211.55.1, which is associated with the given MAC address 00:1c:42:00:00:18 in the ARP cache.
The output shows that two ICMP echo requests were transmitted to and received by the respective IP address without any packet loss.
6. Conclusion
In this article, we explored various ways to check the availability of a device in the network by its MAC address. Some methods rely on direct MAC pings, while others first attempt to discover the associated IP address and use that. The best method depends on our specific needs and preferences.