[QCLUG] Linux Tool of the Week - netdiscover

Chris Cooper QCAdmin@gmail.com
Sun, 23 Nov 2008 17:14:00 -0600


netdiscover - ARP based network resolution tool.
http://nixgeneration.com/~jaime/netdiscover/

This week's highlight I found just over a year ago, and it quickly
became one of my favorites.  Netdiscover is a network scanner that
finds all of the IPs in use on the local segment.  Because it uses
ARP, it is only able to scan the local Ethernet segment; however,
using ARP gives it a couple of advantages over traditional tools like
nmap.

The first advantage is that it can scan for firewalled devices that
don't respond to ping requests.  Even if a machine is set to drop all
TCP/IP traffic, it will still respond to basic ARP requests.  This is
a requirement of the IPv4 specification to try to prevent IP address
conflicts.  For those that want to know a little more about ARP,
Wikipedia has an excellent article here:
http://en.wikipedia.org/wiki/Address_Resolution_Protocol

The second advantage netdiscover has is that it does not need an
address within the subnet it is trying to scan.  It can quickly skip
from subnet to subnet, scanning everything in between.  This is useful
when you are looking for a device with an unknown address.  Take, for
example, a wireless access point.  Since the AP acts as a bridge, it
doesn't need an IP address on the network to do its job, but the IP is
required to reconfigure the device.  Netdiscover is an easy way to
track down the IP of the AP, even if it is outside the local
subnet.

Finally, it can show you if any IP address conflicts exist.  In its
output, it provides the MAC address from each response and
cross-references it with the OUI list.  This gives you a fair idea of
what type of device you are looking at.
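As an added example (not part of the original post or of netdiscover itself), here is a small Python script that reads netdiscover's parsable output (the -P print mode), lists the discovered hosts with their vendor, and flags any IP that answered from more than one MAC address, which is the conflict case described above.  The sample output embedded below is constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of netdiscover -P output (not a real capture).
SAMPLE_OUTPUT = """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     00:11:22:33:44:55      1      60  Example Router Co
 192.168.1.10    00:aa:bb:cc:dd:01      2     120  Example Laptop Inc
 192.168.1.10    00:aa:bb:cc:dd:02      1      60  Example Printer Ltd
 192.168.1.20    00:aa:bb:cc:dd:03      1      60  Unknown vendor
"""

# One host line: IP, MAC, packet count, length, then the OUI vendor text.
LINE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<count>\d+)\s+(?P<len>\d+)\s+(?P<vendor>.*?)\s*$",
    re.IGNORECASE,
)

def parse_netdiscover(text):
    """Return (ip, mac, vendor) tuples for every host line; headers are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hosts.append((m["ip"], m["mac"].lower(), m["vendor"]))
    return hosts

def find_ip_conflicts(hosts):
    """Map each IP claimed by more than one MAC to the sorted list of those MACs."""
    macs_by_ip = defaultdict(set)
    for ip, mac, _vendor in hosts:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}

if __name__ == "__main__":
    hosts = parse_netdiscover(SAMPLE_OUTPUT)
    for ip, mac, vendor in hosts:
        print(f"{ip:<16}{mac}  {vendor}")
    for ip, macs in find_ip_conflicts(hosts).items():
        print(f"CONFLICT: {ip} answered from {', '.join(macs)}")
```

To use it on a live scan, pipe the real output in place of the sample, e.g. `netdiscover -i eth0 -r 192.168.1.0/24 -P` fed to the parser.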

A final word of note: I have noticed that at full speed, netdiscover
tends to occasionally miss devices, especially on large networks or
networks with wireless segments.  When scanning multiple subnets, I
will typically leave the speed at default, but once I am targeting a
specific subnet, I will typically use -s 10 or -s 50 to increase the
wait between requests to 10-50ms (the default is 1ms).
For example: "netdiscover -i eth0 -r 192.168.1.0/24 -s 50"

-Cooper