Generating a Report of ARP Table Information

Problem

You need to extract the ARP table from one of your routers to determine the MAC address associated with a particular IP address or the IP address for a particular MAC address.

Solution

The script in Example 2-3, arpt.pl, extracts the ARP table for a specified router or IP address and displays the results to standard output. The script expects to find a hostname or IP address of a router on the command line.

Example 2-3. arpt.pl

#!/usr/local/bin/perl
#
# arpt.pl -- a script to extract the ARP cache from a router. 
#
#Set behavour
$snmpro="ORARO";
#
$snmpwalk="/usr/local/bin/snmpwalk -v 1 -c $snmpro";
$snmpget="/usr/local/bin/snmpget -v 1 -c $snmpro";
chomp ($rtr=$ARGV[0]);
if ( $rtr eq "" ) {die "$0: Must specify a router 
"};
@iftable=Q$snmpwalk $rtr ifDescrQ;
for $ifnum (@iftable) {
 chomp (($intno, $intname) = split (/ = /, $ifnum));
 $intno=~s/.*ifDescr.//;
 $intname=~s/"//gi;
 $arpint{$intno}=$intname;
}
printf ("%-22.22s %-10.10s %-25.25s
", Address, MAC, Interface);
@atTable=Q$snmpwalk $rtr .1.3.6.1.2.1.3.1.1.1Q;
for $atnum (@atTable) {
 chomp (($atip, $atint) = split (/ = /, $atnum));
 $atip =~ s/.*atIfIndex.[0-9]+.1.//;
 $atphys=Q$snmpget $rtr atPhysAddress.$atint.1.$atipQ;
 chomp(($foo, $phys) = split(/: /, $atphys));
 $phys=~s/ /-/gi; chop ($phys);
 $phys=~tr/A-Z/a-z/;
 $int=$arpint{$atint};
 printf ("%-15.15s %17.17s %-25.25s
", $atip, $phys, $int);
}

Discussion

The arpt.pl script extracts the ARP table from a specific router using SNMP and displays it to standard output. The script requires Perl and NET-SNMP, and it expects to find both in the /usr/local/bin directory. For more information on Perl or NET-SNMP, please see Appendix A.

Before using the script, you need to set the SNMP read-only community string, which is contained in the variable $snmpro:

Freebsd% ./arpt.pl toronto
Address MAC Interface 
172.22.1.1 00-01-96-70-b7-81 FastEthernet0/1 
172.22.1.2 00-01-96-70-b7-81 FastEthernet0/1 
172.22.1.3 00-01-96-70-b7-81 FastEthernet0/1 
172.25.1.1 00-10-4b-09-57-00 FastEthernet0/0.1
172.25.1.5 00-01-96-70-b7-80 FastEthernet0/0.1
172.25.1.7 00-00-0c-92-bc-6a FastEthernet0/0.1
172.25.1.254 00-00-0c-07-ac-01 FastEthernet0/0.1
172.16.2.1 00-01-96-70-b7-80 FastEthernet0/0.2
172.16.2.22 00-00-0c-07-ac-00 FastEthernet0/0.2
Freebsd%

The script creates a simple report, including the IP address, MAC address, and interface name of each ARP entry. You can then use a search utility of some kind to locate specific devices by its IP or MAC address. For example, on a Unix server, you could pipe the output to the grep command, as follows:

Freebsd% ./arpt.pl toronto | grep 172.25.1.5
172.25.1.5 00-01-96-70-b7-80 FastEthernet0/0.1
Freebsd%

The ARP tables on large routers can be quite large, which can make locating a single ARP entry difficult. This script allows you to track down a particular device remotely. You could also use the grep utility to find the IP address of a particular known MAC address:

Freebsd% ./arpt.pl toronto | grep 00-10-4b-09-57-15
172.25.1.3 00-10-4b-09-57-15 FastEthernet0/0.1
Freebsd%

This script only queries open standard SNMP MIBS, so you can use it to extract ARP table information from almost any SNMP enabled device, even nonCisco equipment.

See Also

Appendix A