Re: scan for machines in the subnet



Chris Cox wrote:
Moe Trin wrote:
On Sun, 04 Mar 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <12uli9bo4mqcbaf@xxxxxxxxxxxxxxxxxx>, Chris Cox wrote:

peter pilsl wrote:

I wonder what is the easiest and fastest way to detect all machines in
the current subnet from one of the machines and get their MAC-addresses.

My first approach would be to ping each possible address and then read
the arp-table for valid mac's.

Trying to do this from a client on the network is an error-prone way.
You will never be guaranteed to find all of the hosts.

The only hosts that won't be found are those that have disabled ARP on
their network setup, OR are using off-network IP addresses that you did
not try to talk to. ARP is lower in the stack than firewall code, and
even if a host is dropping all TCP, UDP, or ICMP (etc.) packets, it will
still respond to an ARP packet addressed to its IP address.

A switch on a meshed network can reply to ARP with its own MAC.


I've just run Patrick's nmap scan on our office network, and I don't see any indication that our switches are modifying the MACs, based on nmap's partial identification of the companies owning the MAC addresses found.

I would have thought that a switch would not modify the MAC - after all, it would mess up things like statically assigned IP addresses issued by a DHCP server.
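
Added example, not part of the original posts: one way to check the two points debated in this thread after a ping sweep is to read the kernel ARP table and list addresses that never completed ARP and MACs that answered for more than one IP. The sample table is constructed (documentation IPs, made-up MACs), and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in /proc/net/arp layout (documentation IPs, made-up MACs).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:00:01     *        eth0
192.0.2.10       0x1         0x2         02:00:00:aa:00:10     *        eth0
192.0.2.11       0x1         0x2         02:00:00:aa:00:01     *        eth0
192.0.2.12       0x1         0x0         00:00:00:00:00:00     *        eth0
192.0.2.13       0x1         0x2         02:00:00:AA:00:01     *        eth0
"""

ATF_COM = 0x02  # kernel flag: entry completed, i.e. an ARP reply was received
NULL_MAC = "00:00:00:00:00:00"


def parse_arp(text):
    """Return (resolved, unresolved): {ip: mac} and a list of IPs with no reply."""
    resolved, unresolved = {}, []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue  # ignore blank or truncated rows
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM and mac != NULL_MAC:
            resolved[ip] = mac
        else:
            unresolved.append(ip)
    return resolved, unresolved


def shared_macs(resolved):
    """Map each MAC that answered for more than one IP to those IPs."""
    by_mac = defaultdict(list)
    for ip, mac in resolved.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    resolved, unresolved = parse_arp(SAMPLE_ARP)
    for mac, ips in shared_macs(resolved).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    print("no ARP reply:", ", ".join(unresolved) or "none")
```

On a live Linux host, pass the contents of `/proc/net/arp` to `parse_arp` instead of the sample. A shared MAC can also be a router or a host with several addresses, so it is a prompt to look closer rather than proof that a device is answering ARP on behalf of others.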