Re: scan for machines in the subnet

On Mon, 05 Mar 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <45ebf363$0$24618$8404b019@xxxxxxxxxxxxxxx>, David Brown wrote:

Chris Cox wrote:

Moe Trin wrote:

The only hosts that won't be found are those that have disabled ARP on
their network setup, OR are using off-network IP addresses that you did
not try to talk to. ARP is lower in the stack than firewall code, and
even if a host is dropping all TCP, UDP, or ICMP (etc.) packets, it will
still respond to an ARP packet addressed to it's IP address.

A switch on a meshed network can reply to ARP with it's own MAC.

I've just run Patrick's nmap scan on our office network, and I don't see
any indication that our switches are modifying the MACs, based on nmap's
partial identification of the companies owning the MAC addresses found.

Note he wrote "can", and not "will". Generally speaking, those switches
that do substitute the MAC will have intelligence and will provide access
(possibly through SNMP - possibly via other protocols) to their internal
table of "who is on which port".

I would have thought that a switch would not modify the MAC - after all,
it would mess up things like statically assigned IP addresses issued by
a DHCP server.

True - but if you're going to statically assign IP addresses, why not do
so directly? It usually takes less time to do so.

Old guy