I guess what I'm asking for is, does a solution exist where a single host can cause an unknown NIC MAC Address to respond so as to populate the switch MAC Table? Or another solution that could get this data?
Let's step back for a moment and think about how switches work.
If a switch doesn't know the destination mac-address in a frame, the switch floods the frame with the unknown destination mac out all ports in that vlan; thus you do not need the switch to know the mac-address of the hosts while the host is powered down.
However, you do need to know the mac-address of all PCs in question; that mac-address is embedded in the WOL frame. Quite honestly, knowing the list of macs is pretty simple... just poll your edge router for arp entries for the Vlan(s) in question every five minutes, and store the results somewhere.
Now when you're ready to wake computers up, build a unique list of macs from your archived ARP tables and send a WOL frame to each unique mac; and if you send a WOL frame to a printer that's already up, who cares?
FYI, I built a Python WOL packet crafter if it's at all helpful... you'll need Linux or another *nix to use it though. Run in Cygwin or a VM if you like...
If you really hate the idea of scraping and archiving your ARP table, another option is HP Port-Security with Static mac-learning... that makes the switch remember the mac it learned on a port and then it saves the mac in the running / startup configurations.
![HP Port-security Static](https://i.stack.imgur.com/ZQsVF.png)
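The archive-and-wake workflow described in the answer above, as an added example that is not part of the original post and is not the author's WOL tool: it deduplicates MACs across archived ARP polls and builds the standard magic-packet payload. The sample ARP output is constructed, and the function names and the UDP broadcast transport on port 9 are assumptions.

```python
import re
import socket

# Constructed sample: two archived ARP polls in a Cisco "show ip arp" style.
ARP_SNAPSHOTS = [
    """Protocol  Address      Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10         12   aabb.cc11.2233  ARPA   Vlan10
Internet  192.0.2.11          0   Incomplete      ARPA
Internet  192.0.2.12          3   0011.2233.4455  ARPA   Vlan10""",
    """Protocol  Address      Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10          1   aabb.cc11.2233  ARPA   Vlan10
Internet  192.0.2.20          7   0011.2233.44ff  ARPA   Vlan20""",
]

MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b|\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[.:-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def unique_macs(snapshots, vlan=None):
    """Collect unique MACs across all archived snapshots, optionally per VLAN."""
    seen = set()
    for snapshot in snapshots:
        for line in snapshot.splitlines():
            if vlan and not line.rstrip().endswith(vlan):
                continue  # unresolved entries have no interface column
            match = MAC_RE.search(line)
            if match:
                seen.add(normalize_mac(match.group()))
    return sorted(seen)

def magic_packet(mac):
    """WOL payload: 6 bytes of 0xFF followed by the target MAC 16 times."""
    return b"\xff" * 6 + bytes.fromhex(normalize_mac(mac)) * 16

def wake(mac, broadcast="255.255.255.255", port=9):
    """Send the payload as a UDP broadcast (assumed transport, port 9)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(magic_packet(mac), (broadcast, port))

if __name__ == "__main__":
    for mac in unique_macs(ARP_SNAPSHOTS, vlan="Vlan10"):
        print(mac, len(magic_packet(mac)))
```

Because the list is built from every archived poll, a host that was powered off during the latest poll is still included as long as it appeared in an earlier one.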
You have used the following as your packet filter: `host aa:bb:cc:11:22:33`
As it stands, this is looking for an IP or hostname but you are giving it a MAC address.
To use a MAC address, you need to include the `ether` packet filter primitive.
In your case, the following should work:
```
sudo tcpdump ether host aa:bb:cc:11:22:33
```
Or, if it needs you to specify the interface, then it would be something like:
```
sudo tcpdump -i eth0 ether host aa:bb:cc:11:22:33
```
Best Answer
Don't use mac-addresses to determine endpoint operating systems; mac-addresses are easily spoofed, and vendors can change their wifi PHY ASIC supplier on a whim.
Use something like DHCP Fingerprinting, or better still, Cisco ISE (which does DHCP, HTTP, RADIUS EAP supplicant, and `nmap` fingerprinting, all in one appliance).