[unisog] unisog Digest, Vol 25, Issue 12

johanson@caltech.edu johanson at caltech.edu
Wed Apr 12 21:54:00 GMT 2006

For Cisco equipment there's a tech note on mapping a mac address to a 


The examples use snmpwalk but the process should get you headed where you 
want to go.

Ernie Johanson
Information Security
California Institute of Technology

On Wed, 12 Apr 2006, unisog-request at lists.sans.org wrote:

> Date: Wed, 12 Apr 2006 20:30:09 +0000
> From: unisog-request at lists.sans.org
> Reply-To: unisog at lists.sans.org
> To: unisog at lists.sans.org
> Subject: unisog Digest, Vol 25, Issue 12
> I can't really help with the Java/C coding, but I developed installations
> along these lines in Perl on a Solaris system (using shell calls to
> the CMU SNMP suite of utilities; I actually found that faster than using
> an SNMP Perl module). You're welcome to have a look at my code if you
> wish; please e-mail me offline if you'd like a copy.
> Getting the MAC<->switchport mappings is significantly more difficult than
> getting the ARP tables, for a variety of reasons:
>  - different manufacturers, and even different switches from the same
>    manufacturer, will have the information stored in different places
>    in the MIB, and slightly differently-formatted SNMP queries to
>    get the information out;
>  - you probably want to have some method of sorting out (either on the
>    back end or the front end) whether a particular MAC address appearing
>    on a particular switch port means (a) the end node is using that
>    port as its edge uplink, or (b) the port in question feeds a further
>    switch or network of switches.
>  - Cisco routers cache ARP information for (I think) 4 hours by default,
>    while Cisco switches tend to cache switch table information for (again,
>    I think) 30 minutes, so you'd need to poll more frequently; I've
>    seen Extreme switches, for example, that only cached switch table
>    information for 5 minutes.
>  - your network is bound to have many more switches than routers, so
>    your polling and processing has to be fast to get through all of them
>    in the 30-minute window.
> Having said all that, it's a solvable problem. As noted, please let me
> know via private e-mail if you'd like to see my code.
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> On Tue, 11 Apr 2006, stefano wrote:
>> Hi, sorry for my bad English, I know this and I'm working to make it
>> better.. but here comes the question: I've known this mailing list reading the
>> previous thread talking about this argument (Getting ARP tables from Cisco
>> switches via snmp -- slightly OT ) after a search on Google..
>> I have to develop an *identical* application (that inserts in a DB the *MAC*,
>> the *IP* and if possible the switch port number..) but I have a condition,
>> I have to develop this using a Java server, not Linux commands or
>> applications (not , but max portability, because some servers are Windows and
>> some are Unix, therefore *_I can't use snmpwalk or arptrace!!_*) I must
>> realize this operation with *Java APIs* or with portable source code such as *C
>> code.*
>> I've downloaded the *Adventnet java SNMP API* package, and I can get a
>> variable from the MIB, for example the OID / return to me
>> the string value /"Cisco Internetwork Operating System Software \r\nIOS (tm)
>> RSP Software (RSP-JSV-M), Version 12.0(9), RELEASE SOFTWARE
>> (fc1)\r\nCopyright (c) 1986-2000 by cisco Systems, Inc.\r\nCompiled Mon
>> 24-Jan-00 23:15 by bettyl"/ then I can deduce that the APIs work fine. But if
>> I try to get a table, I receive a null pointer, and I don't know how I can do
>> this operation correctly.
>> *Can anyone help me?*
>> Here is the bad test code, working only with a single MIB variable:
>> public static void openSNMPSession() throws Exception
>>   {
>>       System.out.println("ci2ao");
>>       SnmpAPI api = new SnmpAPI();
>>       SnmpSession session = new SnmpSession(api);
>>       session.open();
>>       SnmpPDU pdu = new SnmpPDU();
>>       pdu.setRemoteHost("");
>>       pdu.setCommand(SnmpAPI.GET_REQ_MSG);
>>       pdu.addNull(new SnmpOID(".")); //doesn't work
>>       //pdu.addNull(newSnmpOID("//. /")); work
>>       SnmpPDU response_pdu = session.syncSend(pdu);
>>       if(response_pdu == null)
>>       {
>>           System.out.println("The Request has timed out.");
>>       }
>>       else
>>       {
>>           System.out.println(response_pdu.printVarBinds());
>>           System.out.println("Errors: "+response_pdu.getError());
>>           System.out.println("Account: "+response_pdu.getCommunity()+"\n Ver "+response_pdu.getVariable(10));
>>       }
>>   }
> [ PGP Signature check FAILED - Wed Apr 12 14:44:38 PDT 2006 ]
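
An added example, not code from this thread or from anyone quoted in it: parsing numeric snmpwalk output from the standard BRIDGE-MIB and IF-MIB columns into MAC-to-port mappings and marking ports that look like uplinks to further switches. The sample walk, the function names and the MAC-count threshold used to call a port an uplink are assumptions made for illustration.

```python
from collections import defaultdict

FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"      # BRIDGE-MIB dot1dTpFdbPort (index = MAC octets)
BASE_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex
IF_NAME = ".1.3.6.1.2.1.31.1.1.1.1"       # IF-MIB ifName

# Constructed sample in "snmpwalk -On" style; not captured from a real switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.87 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.88 = INTEGER: 24
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Fa0/3
.1.3.6.1.2.1.31.1.1.1.1.10024 = STRING: Fa0/24
"""

def parse_walk(text):
    """Split numeric snmpwalk lines into {column_oid: {index_suffix: value}}."""
    tables = defaultdict(dict)
    for line in text.splitlines():
        oid, sep, rest = line.partition(" = ")
        if not sep:
            continue  # blank or wrapped line, nothing to parse
        value = rest.split(": ", 1)[-1].strip().strip('"')
        for col in (FDB_PORT, BASE_IFINDEX, IF_NAME):
            if oid.startswith(col + "."):
                tables[col][oid[len(col) + 1:]] = value
    return tables

def mac_to_port(text, uplink_threshold=2):
    """Return {mac: (ifName, role)}; more than uplink_threshold MACs on a port => 'uplink'."""
    t = parse_walk(text)
    per_port = defaultdict(list)
    for idx, bridge_port in t[FDB_PORT].items():
        octets = idx.split(".")
        if len(octets) != 6:
            continue  # not a 6-octet MAC index
        mac = ":".join("%02x" % int(o) for o in octets)
        ifindex = t[BASE_IFINDEX].get(bridge_port)  # bridge port -> ifIndex
        name = t[IF_NAME].get(ifindex, "bridge-port-" + bridge_port)
        per_port[name].append(mac)
    result = {}
    for name, macs in per_port.items():
        role = "uplink" if len(macs) > uplink_threshold else "edge"
        for mac in macs:
            result[mac] = (name, role)
    return result
```

The threshold is a tuning knob for the edge-versus-uplink question raised above; a port feeding a small unmanaged switch can still fall under it.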
