Show MAC in arp-fingerprint

Question

Show MAC in arp-fingerprint

Bogdan107 opened this issue 2 years ago · comments

Bogdan107 commented 2 years ago

I monitor devices in local network by arp-scan --local and register each MAC in database.

I want to register also fingerprints for each MAC.

I need to use 2 commands:

arp-scan --local - to get list of MAC's;
arp-fingerprint -l - to get fingerprints.

The arp-fingerprint command already use MAC addresses inside and can put MACs into output.
With MAC addresses in the output, I can use only 1 command.

May you add MAC addresses to result of arp-fingerprint command?

Feature request:

Add --mac or -m command line argument to arp-fingerprint command, which enable MAC addresses in to results.

Actual result:

# arp-fingerprint -l
192.168.0.1     11110101100     UNKNOWN

Expected result:

# arp-fingerprint -l -m
192.168.0.1     AA:BB:CC:DD:EE:FF     11110101100     UNKNOWN

or

# arp-fingerprint -l -m
AA:BB:CC:DD:EE:FF     192.168.0.1     11110101100     UNKNOWN

Roy Hills · Answer 1 · Fri Jan 06 2023 23:46:48 GMT+0800 (China Standard Time)

Thank you for your suggestion.

The arp-fingerprint command already use MAC addresses inside

Not quite: arp-scan uses MAC addresses, but arp-fingerprint doesn't currently use MAC addresses at all. But it should be able to obtain the appropriate MAC address by parsing the arp-scan output.

arp-fingerprint hasn't been updated since version 1.9.3, so it is due an update. I'll link a pull-request for changes to this ticket.

Roy Hills · Answer 2 · Sat Jan 07 2023 00:43:03 GMT+0800 (China Standard Time)

Initial changes on arp-fingerprint-changes branch.

Test network:

192.168.14.1   VMware virtual host adapter
192.168.14.2   VMware NAT gateway
192.168.14.130 Windows 11
192.168.14.137 FreeBSD 13
192.168.14.159 Fedora 37
192.168.14.254 VMware DHCP

Results:

rsh@bookworm:~$ arp-fingerprint -l
192.168.14.1    00:50:56:c0:00:08       01010100000     Linux 2.2, 2.4, 2.6, 3.2, 3.8, 4.0, 4.6, Vista, 2008, Windows7, Windows8, Windows10
192.168.14.2    00:50:56:e4:9a:83       10010000000     UNKNOWN
192.168.14.130  00:0c:29:eb:47:f7       01010100000     Linux 2.2, 2.4, 2.6, 3.2, 3.8, 4.0, 4.6, Vista, 2008, Windows7, Windows8, Windows10
192.168.14.137  00:0c:29:b9:43:1b       11110000000     Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7, Catalyst 1900, BeOS, WIZnet W5100
192.168.14.159  00:0c:29:a1:30:b0       01010100000     Linux 2.2, 2.4, 2.6, 3.2, 3.8, 4.0, 4.6, Vista, 2008, Windows7, Windows8, Windows10
192.168.14.254  00:50:56:eb:4e:ec       11110111111     PIX OS 6.0, 6.1, 6.2, ScreenOS 5.0 (transparent), Plan9, Blackberry OS

Bogdan107 · Answer 3 · Sat Jan 07 2023 07:47:16 GMT+0800 (China Standard Time)

I think, that command arp-fingerprint was used in the other systems for a very long time. For example, this command may be used in the monitoring tools, like Zabbix.

This function, activated in the program without an additional option, such as --mac or -m, can violate all software systems that use the arp-fingerprint tool.

May you turn on this function as an option that is activated by a separate argument?

Roy Hills · Answer 4 · Sat Jan 07 2023 21:16:13 GMT+0800 (China Standard Time)

May you turn on this function as an option that is activated by a separate argument?

Agreed that we shouldn't break other tools/scripts by changing the output format. I've added a -m option to include the MAC address in the output:

rsh@bookworm:~$ arp-fingerprint 192.168.14.1
192.168.14.1    01010100000     Linux 2.2, 2.4, 2.6, 3.2, 3.8, 4.0, 4.6, Vista, 2008, Windows7, Windows8, Windows10

rsh@bookworm:~$ arp-fingerprint -m 192.168.14.1
192.168.14.1    00:50:56:c0:00:08       01010100000     Linux 2.2, 2.4, 2.6, 3.2, 3.8, 4.0, 4.6, Vista, 2008, Windows7, Windows8, Windows10

Roy Hills · Answer 5 · Wed Jan 11 2023 22:48:20 GMT+0800 (China Standard Time)

The changes have been pushed to master.

Roy Hills · Answer 6 · Sat Jan 14 2023 21:31:11 GMT+0800 (China Standard Time)

Closing ticket as resolved.