Re: scan for machines in the subnet

From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
Date: Mon, 05 Mar 2007 13:57:16 -0600

On Mon, 05 Mar 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <45ebf363$0$24618$8404b019@xxxxxxxxxxxxxxx>, David Brown wrote:

Chris Cox wrote:

Moe Trin wrote:

The only hosts that won't be found are those that have disabled ARP on
their network setup, OR are using off-network IP addresses that you did
not try to talk to. ARP is lower in the stack than firewall code, and
even if a host is dropping all TCP, UDP, or ICMP (etc.) packets, it will
still respond to an ARP packet addressed to it's IP address.

A switch on a meshed network can reply to ARP with it's own MAC.

I've just run Patrick's nmap scan on our office network, and I don't see
any indication that our switches are modifying the MACs, based on nmap's
partial identification of the companies owning the MAC addresses found.

Note he wrote "can", and not "will". Generally speaking, those switches
that do substitute the MAC will have intelligence and will provide access
(possibly through SNMP - possibly via other protocols) to their internal
table of "who is on which port".

I would have thought that a switch would not modify the MAC - after all,
it would mess up things like statically assigned IP addresses issued by
a DHCP server.

True - but if you're going to statically assign IP addresses, why not do
so directly? It usually takes less time to do so.

Old guy

.

Follow-Ups:
- Re: scan for machines in the subnet
  - From: David Brown

References:
- scan for machines in the subnet
  - From: peter pilsl
- Re: scan for machines in the subnet
  - From: Chris Cox
- Re: scan for machines in the subnet
  - From: Moe Trin
- Re: scan for machines in the subnet
  - From: Chris Cox
- Re: scan for machines in the subnet
  - From: David Brown

Prev by Date: Re: "transmit timed out" from kernel 2.6.19 on?
Next by Date: Re: setup eth0 in TurboLinux
Previous by thread: Re: scan for machines in the subnet
Next by thread: Re: scan for machines in the subnet
Index(es):
- Date
- Thread

Relevant Pages

RE: gratuitous arp and bad mac
... Are you implementing any Layer 2 Switch Fault Tolerance? ... public network only but also NOT recommened in a cluster. ... > I looked at the arp table and found that the mac address for ... > sql-a was now matching the mac for node2. ...
(microsoft.public.windows.server.clustering)
Re: Nmap questions concering my router
... >> configure a free IP address in the network. ... ARP is a stateless protocol. ... ARP REPLY packets to any host or switch, who should believe, that an IP ... address is now attached to another MAC address, see RFC 826 / STD 0037. ...
(comp.security.firewalls)
Re: MAC address spoofing - conflict?
... That being the case I would think that all network cards on that collision domain would get the packet. ... ARP broadcasts and the question is what will happen. ... ARP asks for an _IP_ address, not a MAC one. ... Cenzic Hailstorm finds vulnerabilities fast. ...
(Pen-Test)
Re: Media Sharing no longer working with gigabit switch?
... The switch is strictly a passive device, ... Other than that - it's worth testing the network properties of each PC ... Did you use MAC Clone feature or re-assign the ... and other programs that need ports opened to work ...
(microsoft.public.windowsmedia.player)
RE: ARP Spoof Question
... Hardware MAC addresses are supposed to be globally unique. ... If you have duplicate MAC addresses on a shared-media network, ... > spoofed ARP packets to receive packets but have been unable to locate ... > my switch table. ...
(Security-Basics)