
Suppose you have some embedded board with ethernet plugged into the ethernet port on your laptop. You know nothing about its network configuration (yet). You know it boots, but it is headless and only has an ethernet port. It does NOT have an ip address (yet).

How do you discover the MAC address of the device?

I've looked at arp, arping, arp-scan, arpwatch. The only thing I've found is using tshark and combing through the spew manually.

2 Answers


Running plain tshark or tcpdump produces messy output, because all the traffic originating from your machine gets logged too.

Try

tcpdump -i eth0 -lenq 'ether src not <your_mac>'
  • -e captures the ethernet frame too
  • -l flushes stdout buffer immediately.
  • -n don't resolve hostnames
  • -q be more quiet.
  • replace <your_mac> by the MAC address of your local interface as found with e.g. ip addr show.
  • obviously replace eth0 with the correct interface. If you're on Windows, use tshark -D to list all interfaces.
  • (Edit) On Linux you may use tcpdump instead of installing tshark which needs installation of the whole wireshark package. tcpdump should be pre-installed on Ubuntu (it's in the meta-package ubuntu-standard).

Alternative: If you want source MAC addresses as output only, do (inspired and shamelessly adapted from OP's comment below)

ETH=eth0;MAC=$(cat /sys/class/net/$ETH/address); tcpdump -lenq -i $ETH "ether src not $MAC" | awk '{print $2}'

Best to start the capture without a link and then plug the cable in.

I don't think there is a way around sniffing traffic. The reason ARP fails, is that the device has no IP address and won't answer to ARP requests.

Another possible solution would be to connect the device to a managed switch and read out the MAC address table, but I feel that's not an option for you.

In any case, to be detectable, the device needs to send out some sort of Ethernet traffic. If you're lucky it sends a DHCP/Bootp discover which you can sniff.

(Edit) Why does the host not hold a MAC table like a switch does? Well, it doesn't need to, because it is not a switch. Unlike a switch the decision which interface puts out an Ethernet frame is made beforehand according to the routing table. The IP packet is wrapped in an appropriate frame after ARP lookup.

Sure, you can turn your machine into a proper L2 switch. You may create a bridge between multiple physical interfaces. I fiddled around with this a bit, and as it turns out you can get a nice MAC table that way!

  1. Install bridge-utils from the repository.

  2. Create a new Ethernet bridge in /etc/network/interfaces

     auto br0
     iface br0 inet static # dhcp goes as well
      address ...
      network ...
      bridge_ports eth0
      up /sbin/brctl setageing br0 300
      up /sbin/brctl stp br0 0
    

This defines a "bridge" (there's really no bridge - just one interface) without spanning tree (stp br0 off). Addresses will age out after 300s. Set this to your liking but not too low.

  3. Bring the bridge up: ifup br0

  4. Check if it's up with brctl show and view the MAC table:

     brctl showmacs br0

  5. Profit (?)

Nephente

Either you can use wireshark to capture all traffic and filter it by bootp, or use the -e option to print link-layer info and a bootp filter with tcpdump:

http://www.tcpdump.org/tcpdump_man.html

sudo tcpdump -i any port bootps -e
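Both answers come down to reading the source MAC out of tcpdump's -e output and watching for a DHCP/BOOTP discover. As an added example that is not part of either answer, this POSIX shell script post-processes such output: it drops your own MAC, lists each foreign source MAC once, and tags the ones that sent a discover. The capture text is constructed, and LOCAL_MAC and the file name capture.txt are assumed stand-ins.

```shell
#!/bin/sh
# Added example (not code from either answer): parse the text that
# `tcpdump -lenq -i eth0` prints, list every source MAC other than our own,
# and flag the ones that sent a DHCP/BOOTP discover (UDP client port 68 ->
# server port 67). LOCAL_MAC stands in for `cat /sys/class/net/eth0/address`.
LOCAL_MAC="02:00:00:00:00:01"

# Constructed sample of tcpdump -e output; not a real capture.
SAMPLE_CAPTURE='12:00:01.000001 02:00:00:00:00:01 > 33:33:00:00:00:02, IPv6, length 70: fe80::1 > ff02::2: ICMP6, router solicitation, length 16
12:00:03.120000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
12:00:03.120500 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 192.168.0.1 tell 0.0.0.0, length 46
12:00:04.000000 a4:5e:60:aa:bb:cc > 01:80:c2:00:00:00, 802.3, length 52: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d'

# With -e the second whitespace-separated field of every line is the source MAC.
# Print each foreign source MAC once; $1 is our own MAC, which is dropped.
list_foreign_macs() {
    awk -v me="$1" '$2 != me { print $2 }' | sort -u
}

# Source MACs of DHCP/BOOTP discovers: a UDP datagram from port 68 to port 67.
dhcp_client_macs() {
    awk '/\.68 > [0-9.]+\.67: UDP,/ { print $2 }' | sort -u
}

# One line per foreign MAC, tagged "dhcp" when that MAC sent a discover.
report() {
    capture=$(cat)
    dhcp=$(printf '%s\n' "$capture" | dhcp_client_macs | tr '\n' ' ')
    printf '%s\n' "$capture" | list_foreign_macs "$1" | while read -r mac; do
        case " $dhcp " in
            *" $mac "*) echo "$mac dhcp" ;;
            *)          echo "$mac" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_CAPTURE" | report "$LOCAL_MAC"
# Live use (needs root; start before plugging the cable in, stop with Ctrl-C):
#   tcpdump -lenq -i eth0 "ether src not $LOCAL_MAC" | tee capture.txt
#   report "$LOCAL_MAC" < capture.txt
```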