All times are UTC




 Post subject: Script: TraceMAC tool - Like traceroute for MAC addresses
Posted: Mon Aug 22, 2011 10:12 pm
Joined: Thu Jun 24, 2010 3:58 pm
Posts: 411
Hi,

Well, this will probably not work with GNS3, but it is very useful in the "real world" if you have a network with dozens of switches (like me ;)
How do you find where a PC is connected in your network if you don't have a database/notebook with all that information?
Probably like me ;) connecting to the core SW and starting to track that MAC, switch by switch... Ugly, but it works :)

Recently I reconfigured all the switches at work and added some security stuff (port-security, storm-control, bpduguard, non vlan 1, separated man vlan, etc.) and users started complaining that the network was no longer working ;) and in this way we found 3 loops inside the network (after asking users why they plugged the cable coming from an unmanaged SW back into it, they simply said that the cable was hanging down and it had to be plugged in somewhere ;)
But now everything works just nice...

So, I've created a script to do it automatically for me, and a few minutes ago, after finishing that script, I tried to see if there is something else that can do the same, and THERE IS :)))) The Cisco IOS command "traceroute mac" (l2trace).
For more info about l2trace see: The ciscozine.com tutorial or Using the Layer 2 Traceroute Utility.

Anyway, I will still put this here because it can do some stuff unsupported by the "traceroute mac" command (no need to specify a source MAC address, but a SW from where to start looking, and it can trace a chain of more than 10 switches).

Note: It works with Cisco switches only, and you must have CDP enabled at least on trunks/links between switches!

Latest version of TraceMAC is v0.5 - [Download for Windows] - [Download for Linux]


Code:
C:\> tracemac
TraceMAC v0.5 for Cisco Switches, by Ninel Piroi <ninix20(at)gmail(dot)com> - 09/Mar/2013

Usage:
'tracemac <TARGET_IP/TARGET_MAC>  <SWITCH_IP>' - Trace a Mac Address
'tracemac -c'                                  - Edit configuration file in Notepad

TARGET_IP = The IP address or Hostname for the device you are searching for;
            This script will try to determine its MAC address.
TARGET_MAC= The MAC address you are searching for;
            Any MAC address formats are allowed. (Unix, Cisco or Windows style)
SWITCH_IP = Switch IP address/Hostname from where to start the search. (Optional);
            There is a default value for this switch IP in the configuration file.

Tested with Cisco SW: 2960,3560,3750,4948,6509,Express 500

[WARNING]
*> In order to work properly all switches must have enabled CDP between up-links!

[Tool Description]
*> Script used to search a specific MAC address in a large layer2 network (Switches);
   It is doing that by querying the switches CAM table until it finds the
   interface that learned that MAC address, but has no CDP neighbor on it.
*> You can search using a IP address or a MAC address. The script is automatically
   detecting if the input query is a MAC or not. If a IP/Hostname is used, then
   the script should be run from a PC that is on the same VLAN/Subnet with that
   IP/Hostname, because is trying to get the MAC address by using PING and ARP.
   Anyway, if the target IP/Hostname is not in the same VLAN/Subnet, the script will
   use another method to get the MAC address over Layer3 using a external device
   like a Cisco Router/Layer3 Switch or a Linux Router/Firewall, also the windows
   version of this script can use NETBIOS scan (UDP-137) to detect the MAC address,
   but if the target is not a Windows PC or is protected with a firewall will not work!

[Login informations]
*> This script supports multiple protocols used to connect to Cisco switches in order
   to extract the required informations, so please edit the file 'tracemac_cfg.ini'
   according to your needs;
*> It also can try to connect to a switch using multiple ways if the first protocol
   fails, by changing to another protocol (for more info check the config file);
*> For SSH/Telnet it requires a recommended 'privilege level 1' account;
*> For HTTP/HTTPS use a account with privilege level 15, if privilege 1 fails;
*> For SNMP version 1 and 2c requires a read-only 'community string';
*> For SNMP version 3 requires a read-only SNMPv3 username.

C:\> tracemac 10.99.99.99 172.20.99.225

TraceMAC: 0023.7bc9.01aa - (10.99.99.99) - [MAC detection: "External Unix device: '192.168.15.1->eth2.30'"]

1) SW_xx_23 - 172.20.99.225 [WS-C2960-8TC-L] Gi0/1 -> Gi1/0/23 SW_xx_65 - 172.20.99.224
2) SW_xx_65 - 172.20.99.224 [WS-C3750G-48TS] Gi1/0/24 -> Gi0/20 SW_xx_43 - 172.20.99.217
3) SW_xx_43 - 172.20.99.217 [WS-C3560G-24TS] Gi0/21 -> Gi1/0/40 SW_xx_42 - 172.20.99.216
4) SW_xx_42 - 172.20.99.216 [WS-C3750G-48TS] Po3(Gi1/0/41) -> Gi0/48 SW_xx_55 - 172.20.99.1
5) SW_xx_55 - 172.20.99.1 [WS-C3560G-48TS] Po5(Gi0/52) -> Gi1/46 SW_xx_61 - 172.20.99.80
6) SW_xx_61 - 172.20.99.80 [WS-C4948] Gi1/9 -> Gi2 SW_xx_99 - 172.20.99.21
7) SW_xx_99 - 172.20.99.21 [WS-CE500-24TT] Fa5 (Vlan30) - "Room 129, Outlet 3A, John Smith PC"

TraceMAC completed!
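
Added example (not part of the original post and not TraceMAC's own code): a Python version of the trace logic the tool description outlines, following the CAM-table entry from switch to switch until the learning port has no CDP neighbor. The switch names, the `SWITCHES` dictionary and the function names are constructed for illustration; a real run would fill that data from each switch's MAC address table and CDP neighbor table.

```python
import re

# Constructed sample data: per-switch CAM table, CDP neighbors and port-channel members.
SWITCHES = {
    "SW_A": {"cam": {"0023.7bc9.01aa": "Gi0/1"}, "cdp": {"Gi0/1": "SW_B"}, "po": {}},
    "SW_B": {"cam": {"0023.7bc9.01aa": "Po3"}, "cdp": {"Gi1/0/41": "SW_C"},
             "po": {"Po3": ["Gi1/0/41"]}},
    "SW_C": {"cam": {"0023.7bc9.01aa": "Fa5"}, "cdp": {"Gi2": "SW_B"}, "po": {}},
}

def normalize_mac(text):
    """Accept Unix, Windows or Cisco notation; return Cisco style (xxxx.xxxx.xxxx)."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def trace_mac(mac, start, switches, max_hops=32):
    """Return (path, status); path holds (switch, learning port, CDP neighbor) per hop."""
    mac = normalize_mac(mac)
    path, visited, name = [], set(), start
    while name not in visited and len(path) < max_hops:
        visited.add(name)
        sw = switches.get(name)
        if sw is None:
            return path, f"no data for {name}"
        port = sw["cam"].get(mac)
        if port is None:
            return path, f"MAC not in CAM table of {name}"
        # CDP runs on physical links, so resolve a port-channel to its members.
        members = sw["po"].get(port, [port])
        neighbor = next((sw["cdp"][m] for m in members if m in sw["cdp"]), None)
        path.append((name, port, neighbor))
        if neighbor is None:
            return path, "edge port found"   # learned here, no switch behind it
        name = neighbor
    return path, "stopped: loop or hop limit"

if __name__ == "__main__":
    hops, status = trace_mac("00-23-7B-C9-01-AA", "SW_A", SWITCHES)
    for n, (sw, port, nbr) in enumerate(hops, 1):
        print(f"{n}) {sw} {port} -> {nbr or 'host port'}")
    print(status)
```

The `visited` set and `max_hops` keep the walk from cycling when CAM entries on two switches point at each other, as can happen during a layer 2 loop.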




Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Wed Mar 07, 2012 7:33 pm
Joined: Thu Jun 24, 2010 3:58 pm
Posts: 411
Hi,

I don't know how many of you used this script ;))
but I've made a new version of TraceMAC v0.2

New Features:
*Allow you to set a default Switch inside the configuration file, so you don't need to enter the switch IP/Hostname all the time;
this can be overwritten by using a second parameter in the command line. Ex: 'tracemac x.x.x.x <SW_IP>'
*Automatically detects if the input query is a MAC address or an IP/Hostname, so no "-m" parameter required
*Add MAC scan method by using NETBIOS for Layer3 detection (Optional, default DISABLED)
*Add all the configuration in one single file "tracemac_cfg.ini"
*The package contains all the necessary tools: Plink, Gawk, Nbtscan - (This is the reason for 300k)
*Improve the code and fix some minor issues

Note:
It works with Cisco switches only, and you must have CDP enabled at least on trunks/links between switches!
It is also recommended to add the script location to the system PATH, to be able to start it without going to its directory...

PS: Let me know if something is missing.

Cheers!


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Thu Mar 08, 2012 12:24 am
Site Admin
Joined: Sat Oct 11, 2008 1:41 pm
Posts: 2668
Location: Canada
Thanks for sharing. I may use it :)

Cheers,

_________________
Jeremy, GNS3 Programmer & Benevolent Dictator for Life.


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Fri Mar 23, 2012 10:02 pm
Joined: Fri Mar 23, 2012 9:31 pm
Posts: 1
Script does not allow using telnet with password. I guess this is the limitation of plink :(


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Mon Mar 26, 2012 11:44 pm
Joined: Thu Jun 24, 2010 3:58 pm
Posts: 411
juvcuong wrote:
Script does not allow using telnet with password. I guess this is the limitation of plink :(

My mistake, I use it only with SSH.
So, I didn't test it for telnet, just assumed it would be the same, but PLINK requires different syntax for telnet ;)
I've fixed the code, but it needs some more testing, and will be ready ~tomorrow...


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Wed Mar 28, 2012 11:45 pm
Joined: Thu Jun 24, 2010 3:58 pm
Posts: 411
Hi,

A new version of TraceMAC v0.3 is available

New Features:
*Fix the error for Telnet protocol with Plink
*Add the http and https protocols with Wget for switches like Express 500 (this one has no console/telnet/ssh, only web access)
*Add optional different username/password for http/https
*Add the possibility to use multiple protocols and if one fails it goes automatically to the next one. ssh,telnet,http,https
*Add error management for Plink/Wget
*Add option to show/hide multiple errors when multi protocols is used
*The package contains all the necessary tools: Plink, Wget, Gawk, Nbtscan - (This is the reason for 546k)
*Improve the code and fix some minor issues

NOTE: Don't use Plink v0.62 because it has an issue if the user/password are not correct.
It doesn't close the connection from the first access denied error message, but lets the script enter all show commands as passwords :(
Anyway, the login user should be valid all the time! ;)

PS: Let me know if something is missing.

Cheers!


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Tue Apr 17, 2012 8:53 pm
Joined: Tue Apr 17, 2012 8:43 pm
Posts: 3
Yes, I admit it, I'm stooping to asking you to code a change specific to my needs...but I'm not very good at scripting and I'd like to see if this can be altered to read a text file for a list of IP addresses as input and output to a format that can be imported into a spreadsheet. All I really need is the final MAC address mapped to the IP address, though the other information (switch name and port number) may be useful at some point in the future.

My instincts say that it would not be a big change - at least in consideration of the amount of work that you've already done, but even tic-tac-toe is a tough nut for a blind man. (consider me blind)

Thanks!


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Tue Apr 24, 2012 9:26 am
Joined: Thu Jun 24, 2010 3:58 pm
Posts: 411
Hi,

This is a good idea to scan/index the entire network and create a full map of the connected devices. And then populate those entries with the room number where it is physically installed, people assigned to, etc.
It should log the output in a text file (csv format), sorted by ip/switches/ports/etc. and use a scheduled rescan until it processes all the IP addresses from an input file.
Anyway, there are 2 ways to do this IP address to MAC address "scan": active or passive.
For active scan I used NMAP and for passive scan (sniffing) Windump/Tshark.
The part with the input file works great with active mode; anyway, it can be used as a filter even with passive scan.
Regarding this tool, it must be completely redesigned because you probably don't want to know all the switches until it finds the MAC address, just the one directly connected to the host.

I might need this tool as well ;))

Code:
NMAP -n -sP 10.x.x.x/24

TSHARK  -i \Device\NPF_%eth% -lnp    arp 2>NUL | GAWK "/Who has/{gsub(/:/, \"\", $2); print $NF \"\t\" toupper($2)}"

WINDUMP -i \Device\NPF_%eth% -elnpqt arp 2>NUL | GAWK "/who-has/{gsub(/:/, \"\", $1); print $NF \"\t\" toupper($1)}"


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Thu Apr 26, 2012 1:13 pm
Joined: Tue Apr 17, 2012 8:43 pm
Posts: 3
Hi, thanks for replying!

In my particular situation, the Active scanning method will be necessary, and while I have attempted to use NMAP, because of the size and diversity of the network I am not able to get the MAC information since I'm not able to get down to each broadcast domain and scan there. That's why I was so excited about the possibility of pulling this information through the network by using CDP.

As long as the output is into a format that can be imported into the spreadsheet, (.csv) and there is some way to segregate the MAC data into its own column, (and IP address into its column) I don't mind the other information - I can just not use it for the time being. I suspect though, that what you're saying is that the information would not be in that kind of orderly fashion, so that I would be able to have all of the MAC information (for instance) in the same column each time. Is that correct?

Is it possible to somehow place that piece of information into a variable that is then called at the end? Again, I'm no programmer; I'm just reaching for a solution.

Thanks!


Post subject: Re: Script: TraceMAC tool - Like traceroute for MAC addresse
Posted: Fri Jun 29, 2012 7:53 pm
Joined: Thu Jun 24, 2010 3:58 pm
Posts: 411
Hi,

A new version of TraceMAC v0.4 is available

New Features:
*Add support for SNMP versions 1 and 2c
*Improve the code

Cheers!



