Re: scan for machines in the subnet



Moe Trin wrote:
On Sun, 04 Mar 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <12uli9bo4mqcbaf@xxxxxxxxxxxxxxxxxx>, Chris Cox wrote:

peter pilsl wrote:

I wonder what is the easiest and fastest way to detect all machines in
the current subnet from one of the machines and get their MAC-addresses.

My first approach would be to ping each possible address and then read
the arp-table for valid MACs.

Trying to do this from a client on the network is an error-prone way.
You will never be guaranteed to find all of the hosts.

The only hosts that won't be found are those that have disabled ARP on
their network setup, OR are using off-network IP addresses that you did
not try to talk to. ARP is lower in the stack than firewall code, and
even if a host is dropping all TCP, UDP, or ICMP (etc.) packets, it will
still respond to an ARP packet addressed to its IP address.

A switch on a meshed network can reply to ARP with its own MAC.


A "better" way is to query the switch itself. Many switches
will have the ability to get this information from the MIB via
SNMP. That's the "better" way.

No disagreement - and if your switch won't provide that information, then
querying your router's ARP cache is probably second best - indeed any
host that the remote is likely to talk to. We were sweeping the ARP cache
of the routers and the servers on each segment at regular intervals 24/7
before we got our first Etherswitch in 1995, looking for rogue addresses.

Old guy
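
An added example, not part of the original thread: one way to audit an ARP cache snapshot for rogue addresses, as the sweep described above did. It assumes the Linux /proc/net/arp layout; the sample snapshot, the KNOWN inventory and the function names are constructed for illustration. It also reports one MAC answering for several IPs, the case raised above of a switch replying with its own MAC.

```python
from collections import defaultdict
ATF_COM = 0x02  # "entry complete" flag bit, as in <linux/if_arp.h>

# Constructed snapshot in /proc/net/arp layout (documentation addresses).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:00:01     *        eth0
192.0.2.11       0x1         0x2         02:00:00:aa:00:99     *        eth0
192.0.2.20       0x1         0x2         02:00:00:AA:00:01     *        eth0
192.0.2.30       0x1         0x0         00:00:00:00:00:00     *        eth0
192.0.2.77       0x1         0x2         02:00:00:bb:00:77     *        eth0
"""

# Hypothetical inventory of expected IP -> MAC bindings for this segment.
KNOWN = {
    "192.0.2.1": "02:00:00:aa:00:01",
    "192.0.2.11": "02:00:00:aa:00:11",
    "192.0.2.20": "02:00:00:aa:00:20",
}

def parse_arp(text):
    """Return (ip, mac, device) for every resolved entry; skip incomplete ones."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16) & ATF_COM:            # 0x0 means no reply was seen
            entries.append((ip, mac.lower(), dev))
    return entries

def audit(entries, known):
    """Flag unknown IPs, changed bindings, and one MAC answering for many IPs."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac, _dev in entries:
        by_mac[mac].append(ip)
        if ip not in known:
            findings.append(("unknown-ip", ip, mac))
        elif known[ip] != mac:
            findings.append(("mac-mismatch", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:                        # proxy ARP, a switch, or spoofing
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(SAMPLE_ARP), KNOWN):
        print(*finding)
```

On a live Linux host the same functions can be fed the contents of /proc/net/arp instead of SAMPLE_ARP.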