[QCLUG] Linux Tool of the Week - netdiscover
David Hinkle
hinkle@cipafilter.com
Tue, 25 Nov 2008 14:49:42 -0600
This is a multi-part message in MIME format.
---------------------- multipart/alternative attachment
That's ok, you can scan us. I'll be on hand to make sure you don't =
wreak any havok. I can take a few minutes to talk about nmap as well.
David
-----Original Message-----
From: qclug-bounces@qclug.org on behalf of Chris Cooper
Sent: Tue 11/25/2008 2:46 PM
To: qclug@qclug.org
Subject: Re: [QCLUG] Linux Tool of the Week - netdiscover
=20
Out of respect for our host's network, I will politely decline.
Network scans on private networks and all....
On Tue, Nov 25, 2008 at 2:16 PM, Arron Lorenz <arronlorenz@gmail.com> =
wrote:
> Chris,
> will you been attending the next meeting a CIPA? Maybe you could do a =
short
> presentation about netdiscover. I would be interested in seeing it in
> operation.
> Arron
>
> On Mon, Nov 24, 2008 at 7:41 PM, Dave Bergert <dbergert@gmail.com> =
wrote:
>>
>> Cool:
>>
>> I was not famialar with netdiscover: You can also do an apr scan =
with
>> nmap: http://nmap.org/
>>
>> nmap -PR <ip addr/range>
>>
>> but it looks like netdiscover gives a little more detail on NIC =
type/etc
>>
>> I've also used arpwatch: ( http://en.wikipedia.org/wiki/Arpwatch ) =
in the
>> past to detect when a new device is plugged into the LAN, it can even =
email
>> an alert. - here is a simple how-to
>> http://24h.atspace.com/it/security/arpwatch.htm
>>
>>
>> DB
>>
>>
>> On Sun, Nov 23, 2008 at 5:14 PM, Chris Cooper <QCAdmin@gmail.com> =
wrote:
>>>
>>> netdiscover - ARP based network resolution tool.Protocol
>>> http://nixgeneration.com/~jaime/netdiscover/
>>>
>>> This week's highlight I found just over a year ago, and it quickly
>>> became one of my favorites. Netdiscover is a network scanner that
>>> finds all of the IP's in use on the local segment. Because it uses
>>> ARP, it is only able to scan the local ethernet segment, however,
>>> using arp gives it a couple advantages over traditional tools like
>>> nmap.
>>>
>>> The first advantage is that it can scan for firewalled devices that
>>> don't respond to ping requests. Even if a machine is set to drop =
all
>>> TCP/IP traffic, it will still respond to basic ARP requests. This =
is
>>> a requirement of the IPv4 specification to try to prevent IP address
>>> conflicts. For those that want to know a little more about ARP,
>>> Wikipedia has an excellent article here:
>>> http://en.wikipedia.org/wiki/Address_Resolution_Protocol
>>>
>>> The second advantage netdiscover has is that it does not need an
>>> address within the subnet it is trying to scan. It can quickly skip
>>> from subnet to subnet, scanning everything in between. This is =
useful
>>> when you are looking for a device with an unknown address. Take, =
for
>>> example, a wireless access point. Since the AP acts as a bridge, it
>>> doesn't need an IP address on the network to do its job, but the IP =
is
>>> required to reconfigure the device. Netdiscover is an easy way to
>>> track down the IP of the switch, even if it is outside the local
>>> subnet.
>>>
>>> Finally, it can show you if any IP address conflicts exist. In it's
>>> output, it provides the MAC address from each response and
>>> cross-references it with the OUI list. This gives you a fair idea =
of
>>> what type of device you are looking for.
>>>
>>> A final word of note, I have noticed that at full speed, netdiscover
>>> tends to occasionally miss devices, especially on large networks or
>>> networks with wireless segments. When scanning multiple subnets, i
>>> will typically leave the speed at default, but once I am targeting a
>>> specific subnet, I will typically use -s 10 or -s 50 to increase the
>>> wait between requests to 10-50ms (the default is 1ms).
>>> For example: "netdiscover -i eth0 -r 192.168.1.0/24 -s 50"
>>>
>>> -Cooper
>>> _______________________________________________
>>> QCLUG mailing list
>>> QCLUG@qclug.org
>>> http://qclug.org/mailman/listinfo/qclug
>>
>
>
>
> --
> From:
> Arron James Lorenz
> Reel to Reel Drive In
> http://www.DavenportDriveIn.com
> 563-579-7046
>
_______________________________________________
QCLUG mailing list
QCLUG@qclug.org
http://qclug.org/mailman/listinfo/qclug
---------------------- multipart/alternative attachment
An HTML attachment was scrubbed...
URL: http://qclug.org/pipermail/qclug/attachments/933ddcc0/attachment.htm
---------------------- multipart/alternative attachment--