Q: Obtaining MAC addresses from nodes on a network. (Answered, 5 out of 5 stars, 2 Comments)
Question  
Subject: Obtaining MAC addresses from nodes on a network.
Category: Computers > Operating Systems
Asked by: kentmm-ga
List Price: $25.00
Posted: 24 Aug 2006 15:08 PDT
Expires: 23 Sep 2006 15:08 PDT
Question ID: 759242
I have a need to poll a network and gather the MAC addresses of the
systems on the network.  I know it's possible in a simple network as I
use freeware tools to do so.

My question is whether the MAC addresses are available on networks
that have routers, switches, proxy servers and other such hardware and
software.  Or do these tools filter out the MAC addresses?

I am interested in both a definitive answer and web pages that are
related to the question.

Request for Question Clarification by keystroke-ga on 24 Aug 2006 16:34 PDT
Do you have access to Windows Server 2003 as your DHCP?

--Keystroke-ga

Request for Question Clarification by maniac-ga on 24 Aug 2006 17:19 PDT
Hello Kentmm,

In general, it is only possible to collect MAC addresses on your local
segment. As your question implies, "these tools" (routers, proxy
servers, etc.) will filter out the MAC addresses. Would you be
satisfied with a definitive answer explaining that concept and the
types of devices that would / would not filter out MAC addresses?

I believe keystroke is suggesting an alternate method by relying on a
specific server capability which would not work in general. If the
network you are polling does not have that server (or one similar to
it), the method would not be available. Please clarify if you want
that kind of capability described as well.

  --Maniac

Clarification of Question by kentmm-ga on 28 Aug 2006 12:51 PDT
The network administrators are willing to configure hardware and
software to let the MAC addresses come through.  Given this, are there
any software or hardware impediments where the original MAC addresses
would be filtered out?

Request for Question Clarification by maniac-ga on 28 Aug 2006 17:57 PDT
Hello Kentmm,

Hmm. I am not so sure your network administrators will be able to set
up your network the way you want (or if they do, you will see some
significant performance problems). Let me explain first with a
reference:
  http://www.practicallynetworked.com/networking/bridge_types.htm
which describes a few of the network devices used to connect several
systems together.

The simplest is a "hub" which exchanges all the data on all the
connected ports. I have one at home that I use to connect seldom used
computers together. It's this kind of connection that can give you
access to data for all the systems & you can collect the MAC addresses
with that method. It has a significant disadvantage that it does not
scale very well (poor performance with many machines sharing the
bandwidth).

The "bridge" connects two network segments together, but only repeats
information that is going "across" the bridge. If you have a set up
like this:
  polling machine -- bridge -- other machine
then you won't see messages from the "other machine" unless it sends a
message to a machine on the same side as your polling machine. If you
do poll, (say with a broadcast packet) you would get a message from
the "other machine" unless the bridge was overloaded [a likely
occurrence]. For performance, it's a "little" better than a hub, but
not by much.

A "switch" will send your polling machine messages only if they are either:
 - a broadcast message
 - directed to your polling machine
The use of switches is pretty common in relatively small areas,
especially if the uplink is much faster than the connections to
individual machines (e.g., 1000 Mbit uplink with a 10/100 Mbit
switch). If you poll through a switch, you will get the MAC address of
each machine that responds.

A "router" will send messages to your polling machine, but the MAC
address will be that of the router, not the originating machine. If
you have a router (or for that matter, a proxy server) you won't get
the MAC addresses from the messages received.

Having said that, some better routers (and some switches) allow you to
set up a "monitor port" where you can monitor one or more other ports.
Here's an example from Cisco
  http://www.cisco.com/univercd/cc/td/doc/product/voice/ics/icsapps/icscra/cra30/icsspan.htm
Depending on the hardware (and its software), you would have to set up
the monitoring to step through the available ports to collect all the
MAC addresses.

Not described in the link I provided are "gateways" which convert
between protocols (e.g., Ethernet to a WAN connection). In this case,
messages from the gateway will have the MAC address of the gateway -
the equivalent MAC address on the other side may have no relationship
to the MAC addresses defined by Ethernet.

Like I said before, it really depends on your network set up and
devices in use. If your network administrators set up the links like a
hub or switch, you can collect all the MAC addresses on your network.
If you do this, I suggest doing this only when the network is lightly
loaded & then going back to your regular set up when your polling is
done.

Let me know if you want me to complete the answer with the proper web
page references.

  --Maniac

Clarification of Question by kentmm-ga on 29 Aug 2006 10:15 PDT
Maniac:

Thank you for your latest expounding on the question.  It is just what
I am looking for.  By all means, complete the answers with any
references.  You've certainly earned your pay here.

-- Kent

Answer  
Subject: Re: Obtaining MAC addresses from nodes on a network.
Answered By: maniac-ga on 29 Aug 2006 18:21 PDT
Rated: 5 out of 5 stars
 
Hello Kentmm,

OK. Let's first provide some general references that describe the
specific devices used in a network and then how they affect the
transport of the Media Access Control (MAC) Address.

http://www.practicallynetworked.com/networking/bridge_types.htm

describes a number of network devices (hub, bridge, switch, and
router) and I expanded on those previously

http://www.bitzenbytes.com/Content-Arcanum-18-1-33.html

another reference (not quite as well organized, but explains some
concepts better) that describes a hub, switch, router, bridge, and
gateway. Note in this reference the generalization is made that a
switch can be considered a "multi port" (not two port) bridge.

http://www.netunlimited.com/glossary.html

a glossary (one of several) that describes these terms as well as
several other network related terms.

For additional references, try a search phrase like
  explain switch hub router
  describe switch hub router
  switch hub router gateway bridge
  glossary switch hub router

Now, specifically let's review the devices that will allow (or
prevent) a MAC address to be relayed across the network.

As the simplest device, the hub will send MAC addresses since it
copies all messages to all ports.

The bridge will do the same, but only on messages that are generated
on one side of the bridge and expected on the other side of the
bridge. Most bridges "learn" the MAC addresses on both sides of the
bridge to determine which messages to send across.

The switch acts in a similar manner - for a single port, that port
will only get the messages that are destined to the machine at the
other end. Those can be broadcast messages or messages in response to
a machine that polls the other systems.

At the higher end, a router, gateway, or a proxy server manipulates
the messages at a "higher layer" than the layer where MAC addresses
are used. At webopedia, there is a reference for the OSI network model
at
  http://www.webopedia.com/quick_ref/OSI_Layers.asp
which describes the MAC addresses at layer 2. The router or gateway
typically operates at layer 3 (the network layer). The proxy server
can operate at that level (for filtering by address) or more often at
higher layers (e.g., an HTTP cache server at layer 7).

Because of that manipulation, the MAC address used on the messages to
and from those kinds of devices will be for that device (or more
specifically for the interface connected to that device - a router
will often have a different MAC address for each interface). You won't
be able to get the MAC address from a machine on the other side of
that device unless you use a special capability such as the port
mirroring described at
  http://www.cisco.com/univercd/cc/td/doc/product/voice/ics/icsapps/icscra/cra30/icsspan.htm
which provides messages on the monitoring port that mirror those on another port.

If any portion of the answer is unclear or incomplete, please make a
clarification request. I would be glad to add to the answer as needed.

  --Maniac

kentmm-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $10.00
Excellent answer.

BTW, Maniac, I've asked a followup question titled "Looking for
commercial software prgm to see when machines are taken off network". 
As you can see, I'm abandoning my approach of doing it myself.  If you
know of a commercial program, I sure invite you to answer that one. 
-- Kent

Comments  
Subject: Re: Obtaining MAC addresses from nodes on a network.
From: crabcakes-ga on 24 Aug 2006 19:37 PDT
 
My network router is set to block requests for MAC addresses, and I
suspect most are. At least they should be!

Subject: Re: Obtaining MAC addresses from nodes on a network.
From: faded242-ga on 28 Aug 2006 15:24 PDT
 
By its very nature, a MAC address will *not* pass through a router,
and is limited to what is considered a single "broadcast domain".  A
repeater or a bridge will transmit the MAC address, but a router acts
as a border to that broadcast domain.  If you're looking to decode
received packets, any packet that passes through a router will have
the associated MAC address of the router, not the originating system.

Hope this helps.
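
An added example, not part of the original answer or comments: it builds Ethernet/IPv4 frames, relays them through a layer-2 device and a router as described above, and inventories the source MACs the polling machine would record. All addresses and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

# Constructed sample addresses (locally administered MACs, private IPs).
POLLER, HOST_A = "02:00:00:00:00:01", "02:00:00:00:00:0a"
HOST_B, HOST_C = "02:00:00:00:00:0b", "02:00:00:00:00:0c"
RTR_NEAR, RTR_FAR = "02:00:00:00:ff:01", "02:00:00:00:ff:02"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(p) for p in s.split("."))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl=64):
    """Ethernet II header plus a minimal 20-byte IPv4 header (checksum left 0)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip

def switch_forward(frame):
    """Layer 2 (hub, bridge, switch): the frame is relayed unchanged."""
    return frame

def router_forward(frame, out_if_mac, next_hop_mac):
    """Layer 3: same IP packet (TTL - 1) under a new Ethernet header."""
    ip = bytearray(frame[14:])
    ip[8] -= 1  # TTL is byte 8 of the IPv4 header
    return mac_bytes(next_hop_mac) + mac_bytes(out_if_mac) + frame[12:14] + bytes(ip)

def inventory(frames):
    """Map each observed source MAC to the source IPs seen behind it."""
    seen = defaultdict(set)
    for f in frames:
        src_mac = ":".join(f"{b:02x}" for b in f[6:12])
        seen[src_mac].add(".".join(str(b) for b in f[26:30]))
    return dict(seen)

def poller_view():
    """Frames as they arrive at the polling machine's interface."""
    local = switch_forward(build_frame(POLLER, HOST_A, "192.168.1.20", "192.168.1.10"))
    remote = [router_forward(build_frame(RTR_FAR, mac, ip, "192.168.1.10"), RTR_NEAR, POLLER)
              for mac, ip in ((HOST_B, "10.0.0.5"), (HOST_C, "10.0.0.6"))]
    return inventory([local] + remote)

if __name__ == "__main__":
    for mac, ips in poller_view().items():
        print(mac, sorted(ips))
```

A single MAC that maps to several source IPs from other subnets is the signature of a router interface, so those entries in a collected inventory identify the router rather than the originating machines.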
