Translate MAC address to IP address
Robert Watson
rwatson at freebsd.org
Wed Aug 13 06:59:18 PDT 2003
On Wed, 13 Aug 2003, Nick Barnes wrote:
> I have written a small utility for traffic volume monitoring on an
> Ethernet segment. It uses libpcap to capture the ethernet header of
> every packet and counts traffic volume by source and destination MAC. A
> bit like a lobotomized tcpdump (and indeed that is what I started with).

The easiest way would actually be to expand your tool to also look at the
IP header and track usage at the IP level in the first place. Converting
MAC addresses back to IPs is hard in the world of IPv4 (it's a lot easier
in IPv6 but that probably won't help you :-). One nice thing about the
tracking at capture time model is that it will allow you to handle
MAC<->IP mapping changes in more flexible ways. Since you only need the
source/dest IP addresses, you don't even have to deal with IP option
parsing, just check the frame type for IP, then look for the 'struct ip'
after the ethernet frame header. The usual reference source code I toss
out for this sort of thing is:

http://www.watson.org/~robert/freebsd/bpfmon.tgz

I recently received patches to make it distinguish source/dest address as
well, so I guess I should stick it in a CVS tree sometime.

>
> Currently the report looks like this:
>
> Per-MAC:                out      out       in       in
>                     packets    bytes  packets    bytes
> ff:ff:ff:ff:ff:ff:        0        0        4      240
> 00:07:e9:db:2a:26:       71     5435      127    70958
> 00:02:b3:33:37:0f:      389   290734      331    38761
> 00:90:27:ed:3c:70:       33    15909       30     4105
> 00:50:fc:01:f4:0e:        7     1648        5      717
> 00:d0:b7:ac:99:87:      142    15184      153   105835
> 00:03:47:fa:fb:5b:      105    15832       98   115895
> 00:07:e9:92:c0:76:       28     3221       27    11452
>
> Per-header:                              packets    bytes
> 00:90:27:ed:3c:70 -> 00:d0:b7:ac:99:87:        7     4798
> 00:d0:b7:ac:99:87 -> 00:90:27:ed:3c:70:        6      689
> 00:90:27:ed:3c:70 -> 00:02:b3:33:37:0f:        6      513
> 00:02:b3:33:37:0f -> 00:90:27:ed:3c:70:        6     1273
> 00:02:b3:33:37:0f -> 00:07:e9:92:c0:76:        7      854
> 00:07:e9:92:c0:76 -> 00:02:b3:33:37:0f:        8      958
> 00:02:b3:33:37:0f -> 00:07:e9:db:2a:26:      127    70958
> 00:07:e9:db:2a:26 -> 00:02:b3:33:37:0f:       71     5435
> 00:d0:b7:ac:99:87 -> ff:ff:ff:ff:ff:ff:        2      120
> 00:50:fc:01:f4:0e -> 00:02:b3:33:37:0f:        7     1648
> 00:02:b3:33:37:0f -> 00:50:fc:01:f4:0e:        5      717
> 00:02:b3:33:37:0f -> 00:d0:b7:ac:99:87:      146   101037
> 00:d0:b7:ac:99:87 -> 00:02:b3:33:37:0f:      134    14375
> 00:07:e9:92:c0:76 -> ff:ff:ff:ff:ff:ff:        2      120
> 00:90:27:ed:3c:70 -> 00:07:e9:92:c0:76:       20    10598
> 00:07:e9:92:c0:76 -> 00:90:27:ed:3c:70:       18     2143
> 00:03:47:fa:fb:5b -> 00:02:b3:33:37:0f:      105    15832
> 00:02:b3:33:37:0f -> 00:03:47:fa:fb:5b:       98   115895
>
> total:                                       775   347963
>
> I would like to be able to report by IP address.
>
> Yours,
>
> Nick Barnes
> Ravenbrook Limited
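
The capture-time approach described in the reply above, as an added example (not code from bpfmon or from either poster): each frame is checked for the IPv4 frame type, the source and destination addresses are read at their fixed offsets after the Ethernet header, and traffic is counted per IP while the MAC last seen with that IP is recorded. All names are hypothetical; it assumes untagged Ethernet II frames and a capture length raised to at least 34 bytes, since a capture of the Ethernet header alone cannot be attributed to an IP. The sample frame is constructed, using two MACs from the report above and 192.0.2.0/24 documentation addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETHER_HDR_LEN  14      /* dst MAC (6) + src MAC (6) + frame type (2) */
#define ETHERTYPE_IPV4 0x0800
#define MAX_HOSTS      64      /* assumption: one small segment */
static struct host { uint8_t ip[4], mac[6]; unsigned long out_pkts, out_bytes, in_pkts, in_bytes; }
    hosts[MAX_HOSTS];
static size_t nhosts;

/* Constructed sample: first 34 captured bytes of a 54-byte frame, 192.0.2.10 -> 192.0.2.1. */
static const uint8_t sample_frame[34] = {
    0x00,0x02,0xb3,0x33,0x37,0x0f, 0x00,0x07,0xe9,0xdb,0x2a,0x26, 0x08,0x00,
    0x45,0x00,0x00,0x28,0x00,0x00,0x40,0x00,0x40,0x06,0x00,0x00, 192,0,2,10, 192,0,2,1 };

/* Find or create the slot for an IP and record the MAC last seen with it. */
static struct host *lookup(const uint8_t *ip, const uint8_t *mac)
{
    size_t i = 0;
    while (i < nhosts && memcmp(hosts[i].ip, ip, 4) != 0) i++;
    if (i == nhosts) {
        if (nhosts == MAX_HOSTS) return NULL;
        memcpy(hosts[nhosts++].ip, ip, 4);   /* static storage starts zeroed */
    }
    memcpy(hosts[i].mac, mac, 6);            /* a changed MAC<->IP mapping just overwrites */
    return &hosts[i];
}

/* Count one frame; returns 0 if counted, -1 if truncated, not IPv4, or table full. */
int account_frame(const uint8_t *f, size_t caplen, size_t wirelen)
{
    if (caplen < ETHER_HDR_LEN + 20) return -1;               /* fixed IPv4 header not captured */
    if (((f[12] << 8) | f[13]) != ETHERTYPE_IPV4) return -1;  /* ARP, IPv6, ... */
    const uint8_t *ip = f + ETHER_HDR_LEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return -1;   /* bad version or header length */
    struct host *src = lookup(ip + 12, f + 6);   /* source address, Ethernet source */
    struct host *dst = lookup(ip + 16, f);       /* destination address, Ethernet destination */
    if (src == NULL || dst == NULL) return -1;
    src->out_pkts++; src->out_bytes += wirelen;
    dst->in_pkts++;  dst->in_bytes  += wirelen;
    return 0;
}

int main(void)
{
    if (account_frame(sample_frame, sizeof sample_frame, 54) != 0) return 1;
    for (size_t i = 0; i < nhosts; i++)
        printf("%d.%d.%d.%d out %lu in %lu\n", hosts[i].ip[0], hosts[i].ip[1], hosts[i].ip[2],
               hosts[i].ip[3], hosts[i].out_bytes, hosts[i].in_bytes);
    return 0;
}
```

The MAC stored for an off-segment IP is the router's, so several IP rows can legitimately share one MAC.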