Re: scan for machines in the subnet
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Fri, 02 Mar 2007 13:55:37 -0600
On Thu, 01 Mar 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <d6514$45e70589$557d99cd$9021@xxxxxxxxxxxxx>, peter pilsl wrote:
> I wonder what is the easiest and fastest way to detect all machines in
> the current subnet from one of the machines and get their MAC-addresses.
Ask the network administrator? Or is that you? ;-)
> My first approach would be to ping each possible address and then read
> the arp-table for valid MACs.
Assuming there isn't a router between you and the net you are looking at
(and if there is one, it's not blocking pings), this is probably the easiest
way.
> But assuming my limited knowledge of arp and other protocol-layers I
> guess there are much better ways.
Well... if you are on a switched (not hub or coax) network, and the switch
has intelligence (and you have access to that switch), a faster way would
be to look at the management tables in the switch - much the same as an
ARP cache, except that the switch should know where everyone is (which
implies it knows MAC and IP address).
There may be other systems that ignore the recommendations in RFC1122
section 2.3.2 (which recommends a cache timeout of one minute) and have
longer timeouts - one example would be a Cisco router. Depending on how
they are configured, they _may_ have an ARP cache timeout up to an hour
or two - making it much more likely that they have the data in cache.
> I tried a broadcast-ping on the subnet (ping -b 10.21.1.0) but to my
> surprise it did not make all machines respond.
Two reasons - some O/S ignore broadcast pings, to discourage the practice
(which can be a denial of service mechanism). Also, many systems can be
configured to ignore pings - broadcast _or_ unicast.
> The more sophisticated question (and not actually part of my task to
> keep track and logs of all machines in a WLAN-network) is if there is
> a way to detect machines that do not respond to ICMP-requests like
> ping.
[compton ~]$ whatis arping arpwatch hping2 nmap
arping (8) - sends arp and/or ip pings to a given host
arpwatch (8) - keep track of ethernet/ip address pairings
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
nmap (1) - Network exploration tool and security scanner
[compton ~]$
You have to be in "the right place" on the network topology, such as a
switch, or the routers, or some critical server that everyone is going to
use, but an ARP watching tool is probably the best bet. Reason is that
with _rare_ exceptions ('man ifconfig' - look at the '-arp' option, or
'man ip' and look for the string 'arp'), ARP is needed to establish a
communication on Ethernet - the packets are moved using the MAC address,
not the IP. Thus, even if a remote host has a firewall that is DROPping
all traffic (UDP, ICMP, TCP, or any of the 130+ other protocols that
can be found in an IP packet), it will still respond to an ARP request.
Doesn't matter how you cause the packet to be generated (ping, traceroute,
telnet, or whatever) - you need only cause your kernel to try to send
something to that host, and before that can happen, your kernel must
have the MAC/IP relationship data in its ARP cache.
Note - this will not find unconfigured or misconfigured systems. I could
set my Network Analyzer with an address on a "different" network, and
(unless I do something st00pid) you wouldn't find it unless you knew the
right IP address to ARP for.
> One could use tools like nmap on each possible address and every port,
> but this would take a lot of time.
Each address, yes - but ports (and IP protocols) are irrelevant.
> Maybe there is a protocol/layer (like arp?) that makes every network card
> respond to certain requests.
ARP - unless you've disabled it on your system because you've hard-coded
the ARP cache.
> Any help is greatly appreciated. And excuse me for possible stupid
> assumptions in my posting. I usually think I know a lot about networks
> cause I play with servers every day, but when it comes to questions that
> exceed the terms "ip-address" and "port" I realize pretty soon that in
> fact I know nothing.
Do you have access to a technical library - perhaps a college/university
book store? The "standard" reference book is W. Richard Stevens "TCP/IP
Illustrated, Volume 1 - the protocols" from Addison-Wesley (1996, ISBN
0-201-63346-9, 576 pgs). You can also learn by using a packet sniffer,
but where you locate this depends on the layout of your network. The
modern Ethernet uses switches rather than hubs or coax, and these only
send broadcast packets (such as ARP) to all hosts, while unicast packets
only go to the destination computer - not everyone.
Old guy
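As an added example (not part of the original thread or of arpwatch itself), here is a small arpwatch-style tracker in Python: it parses Linux /proc/net/arp snapshots, ignores incomplete entries (hosts that never answered the ARP request), and reports new stations, MAC changes for an IP, and stations that disappeared between two snapshots. The snapshots below are constructed for illustration; the addresses are not real hosts.

```python
"""arpwatch-style tracker over /proc/net/arp snapshots (constructed sample)."""
import re

# /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device
_ARP_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+0x[0-9a-f]+\s+(?P<flags>0x[0-9a-f]+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<dev>\S+)$",
    re.IGNORECASE,
)

def parse_arp_cache(text):
    """Return {ip: mac} for complete entries only (flag 0x2 = ATF_COM).

    Entries with flags 0x0 and MAC 00:00:00:00:00:00 are skipped: the kernel
    tried to resolve that IP and nobody answered, so no station is there.
    """
    pairs = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if not m:
            continue  # header line or unexpected format
        if int(m.group("flags"), 16) & 0x2 == 0:
            continue
        pairs[m.group("ip")] = m.group("mac").lower()
    return pairs

def diff_pairings(old, new):
    """Report IP/MAC pairing changes between two snapshots, arpwatch-style."""
    events = []
    for ip, mac in sorted(new.items()):
        if ip not in old:
            events.append(("new station", ip, mac))
        elif old[ip] != mac:
            events.append(("changed ethernet address", ip, f"{old[ip]} -> {mac}"))
    for ip in sorted(set(old) - set(new)):
        events.append(("station gone", ip, old[ip]))
    return events

# Constructed sample snapshots in /proc/net/arp format (hypothetical hosts)
SNAPSHOT_1 = """IP address       HW type     Flags       HW address            Mask     Device
10.21.1.1        0x1         0x2         00:11:22:33:44:01     *        eth0
10.21.1.20       0x1         0x2         00:11:22:33:44:20     *        eth0
10.21.1.99       0x1         0x0         00:00:00:00:00:00     *        eth0
"""
SNAPSHOT_2 = """IP address       HW type     Flags       HW address            Mask     Device
10.21.1.1        0x1         0x2         00:11:22:33:44:01     *        eth0
10.21.1.20       0x1         0x2         aa:bb:cc:dd:ee:20     *        eth0
10.21.1.42       0x1         0x2         00:11:22:33:44:42     *        eth0
"""
```

Run it periodically on the box that sits in "the right place" (a router or central server) and feed `open("/proc/net/arp").read()` to `parse_arp_cache`; a MAC change for a known IP is the event worth looking at first.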