? (10.3.3.10) at 00:E0:29:25:7A:46 [ether] on eth0
? (24.114.X.X) at 00:01:64:A5:F9:00 [ether] on eth1
[download]

my @machines=("host1","host2","host3");
my %macs=();

for my $machine (@machines) {
  my $macraw=`getmac $machine`;
  if ($macraw =~ /(match something)/) {
    $macs{$1}=$machine;   
  }  
}

print "$macs{$_} $_\n" for (keys %macs);
[download]

Transport Address  Transport Name
-----------------  --------------
00-00-00-00-00-00  \Device\NetbiosSmb
00-A0-B0-6C-38-D0  \Device\NetBT_El90x1
[download]

All boxen that implement the TCP/IP protocol must respond. Even windows machines manage it.

You can catch the return packets with Net::Packet (Update: It's NetPacket, not Net::Packet, available from CPAN, runs under windows with the pcap library), if you have root access. I have a little proggie that does this if you are interested. Actually it sits there and silently matches ethernet addresses to IPs, and identifies gateways and routers from that data.

For extra humour during a boring afternoon, ping flood the broadcast address and watch the network admin go into spasms.

____________________
Jeremy
I didn't believe in evil until I dated it.

Or just parse `arp -a`.

Update: The original question seems clearly to be about Windows, which does come with "arp" (I think Win2K was mentioned in the chatterbox). Your mention of "root access" makes me wonder whether Net::Packet will work on Win2K, but I don't find it on CPAN so I didn't go any further trying to check that out.

I didn't say the method that I mentioned was the only way, of course.

Update2: Thanks for the clarifications, jepri. I can still roll code to parse `arp -a` faster than I can download NetPacket and pcap much less install them and get them working (heck, nearly faster than I can find NetPacket given how slow http://search.cpan.org/ is these days). So if all I'm interested in the MAC addresses, I'll stick with arp output unless I've already gotten NetPacket working for other reasons.

But I didn't reply to criticize your suggestion. I just waited a while and noted that no one else had mentioned "arp -a" yet so I thought it should be part of the thread. So I decided to post it in reply a node that mentioned something acurate and your fact about all TCP/IP stacks having to support ARP won. (:

        - tye (but my friends call me "Tye")

That's something to be careful with - anyone who pulled a stunt like that on my network would get the plug pulled on their connection in a heartbeat, and not just because it happens to be the first step of several DoS attacks. It's also not the most reliable method:
• A machine's arp cache is only of finite size, so you can only capture so many addresses
• Since every machine will be answering all at once, there's a very good chance that some of the replies will just get dropped
• Any machines that are behind a router, will simply appear with the routers mac address if the router even passes the packet at all.
The approach of running a prog on each station that reports back the mac to a central server is probably the most reliable and network-friendly way to go.