Probe for MAC addresses

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

  • Method 1
    If you have NT's Resource Kit, it includes getmac.exe, which will query NT boxes for this information. I don't know if getmac works when querying Win9x. If you enter getmac without parameters, it looks at the local NICs. For example:
    
    C:\>getmac
    
    Transport Address  Transport Name
    -----------------  --------------
    00-50-DA-BD-0F-BC  \Device\NwlnkNb
    00-50-DA-BD-0F-BC  \Device\Nbf_El90x1
    00-50-DA-BD-0F-BC  \Device\NetBT_El90x1
    
    
    The obvious limitation is that it's a Microsoft-centric utility. Will it successfully query NICs used by Linux or other OSs? No. To see the available command-line options, type getmac /? which will display:
     
    
    Displays Network Transports and Address Information
    GETMAC [\\computername] or [computername.domain.com]
    
    

    You can use the following batch files as starting points for grabbing mac addresses from NT boxes.

    getmaclist.bat :

    
    
    date /t > allmacs.txt
    time /t >> allmacs.txt
    net view | find "\\" > maclist.txt
    for /f %%a in ('type maclist.txt') do call getmacadr %%a
    
    A little explanation:

    date /t > allmacs.txt
        creates the file allmacs.txt and writes the current date to it

    time /t >> allmacs.txt
        appends a line with the current time to allmacs.txt

    net view | find "\\" > maclist.txt
        gets the list of members of the domain the PC belongs to and writes the results to maclist.txt

    for /f %%a in ('type maclist.txt') do call getmacadr %%a
        reads maclist.txt and passes each line (hostname) to the batch file getmacadr as parm %%a

    getmacadr.bat is a one-line batch file:

    getmac %1 >> allmacs.txt

    which calls the reskit utility getmac with a host from maclist.txt as its parm and writes the results out to allmacs.txt.

    This is fairly primitive DOS-style scripting, resulting in an unprocessed raw listing. It's a starting point. If you need to move the information into Access or SQL, consider using a powerful scripting language like Perl. Additional comments:

    net view takes the /domain: parm, so getmaclist.bat can be extended to get the list of active hosts in each domain, as in:

    net view /domain:workgroup | find "\\" > maclist.txt
    net view /domain:your_acct_domain | find "\\" >> maclist.txt
    net view /domain:resourcedom1 | find "\\" >> maclist.txt

    et cetera.
    

  • Method 2
    ping broadcast mask
    arp -a

    The Windows NT FAQ site documents a way to use this approach which gets around the limited functionality of NT's ping. Search their site using keyword arp to find the specific article. Arp has the advantage that it works if the nic has ip loaded.

  • Method 3
    nbtstat -a machinename
    -or-
    nbtstat -A ipaddress

    nbtstat is a Microsoft-targeted utility working against NT, W2K, and Win9x hosts. If your site uses DHCP:

  • Method 4
    dhcpcmd <DHCP server> enumclients <sub-net address> -h

    dhcpcmd is a Windows NT Resource Kit utility. -h specifies detailed hardware info (i.e. MAC address)

  • Method 5
    Probably the best method is to pull the MAC data from your routers using an SNMP utility or from a network sniffer (assuming the sniffer is on a backbone segment where it can sniff packets from most devices).
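
The following Python example is added here and is not part of the original article. It parses the raw allmacs.txt produced by Method 1 into rows for import into Access or SQL and reports any MAC address that appears in more than one getmac listing. The sample text is constructed, and because the getmac output shown above carries no host name, rows are keyed by listing number (the order of hosts in maclist.txt, assuming every getmac call printed a listing).

```python
import csv, io, re
from collections import defaultdict

# Constructed sample in the layout shown under Method 1: date and time lines,
# then one getmac listing per host, as appended by getmacadr.bat.
SAMPLE = """\
Tue 04/20/2004
10:15a
Transport Address  Transport Name
-----------------  --------------
00-50-DA-BD-0F-BC  \\Device\\NwlnkNb
00-50-DA-BD-0F-BC  \\Device\\NetBT_El90x1
Transport Address  Transport Name
-----------------  --------------
00-00-5E-00-53-01  \\Device\\NetBT_E100B1
Transport Address  Transport Name
-----------------  --------------
00-50-DA-BD-0F-BC  \\Device\\NetBT_El90x1
"""

# A data row: six hyphen-separated hex octets, whitespace, then the transport name.
ROW = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\S.*?)\s*$")

def parse_allmacs(text):
    """Return (listing_number, mac, transport) rows; each header line starts a new listing."""
    rows, listing = [], 0
    for line in text.splitlines():
        if line.strip().startswith("Transport Address"):
            listing += 1
            continue
        m = ROW.match(line)
        if m and listing:  # skips the date, time and dashed separator lines
            rows.append((listing, m.group(1).upper(), m.group(2)))
    return rows

def duplicate_macs(rows):
    """MACs reported by more than one listing: an address conflict or an overridden address."""
    seen = defaultdict(set)
    for listing, mac, _ in rows:
        seen[mac].add(listing)
    return {mac: sorted(ls) for mac, ls in seen.items() if len(ls) > 1}

def to_csv(rows):
    """CSV text with a header row, ready for import into Access or SQL."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["listing", "mac", "transport"])
    w.writerows(rows)
    return out.getvalue()
```
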

If your issue is to control the MAC address of your own NT workstation:

For most NICs, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<NICDriver<X>>\NetworkAddress

where <NICDriver<X>> is the name of the driver for your NIC plus a number (usually 1). From there you would set the value of NetworkAddress to whatever you want your MAC address to be. Deleting the key or setting the value to an empty string will cause the MAC address to default to the hardware address.

For Compaq network adapters:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\000<x>\NetworkAddress

where <x> is the number of the network adapter.

For Windows 2000, Microsoft used a variant of Compaq's approach:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\<One Big number>\<One Little Number>\NetworkAddress

where <One Big number> is some kind of driver ID and <One Little Number> is the NIC's sequential number within the system.
