[QCLUG] Linux Tool of the Week - netdiscover

Chris Cooper QCAdmin@gmail.com
Tue, 25 Nov 2008 15:32:33 -0600


Doing a little reading on nmap -PR.  It requires you to have an IP
address, and only works on hosts in the local subnet of your
interface.

netdiscover will scan any range you want, regardless of what your ip
address is.  (I usually have mine set to 0.0.0.0 when I start
scanning).  I have used this multiple times to find an available IP on
a network without DHCP.

On Tue, Nov 25, 2008 at 3:17 PM, Arron Lorenz <arronlorenz@gmail.com> wrote:
> It would be interesting to see the comparison. I do enjoy nmap but that
> is just because it's good for everything! I also know that netdiscover has
> come in really handy a few times. Mostly because it's quick and easy.
>
> On Tue, Nov 25, 2008 at 3:01 PM, David Hinkle <hinkle@cipafilter.com> wrote:
>>
>> You can bring whatever you want, just let me in on your plans before you
>> execute them.
>>
>> David
>>
>> -----Original Message-----
>> From: qclug-bounces@qclug.org on behalf of Arron Lorenz
>> Sent: Tue 11/25/2008 2:59 PM
>> To: qclug@qclug.org
>> Subject: Re: [QCLUG] Linux Tool of the Week - netdiscover
>>
>> Well yes but that doesn't mean we can bring a switch and two laptops? Or
>> does it?
>>
>> On Tue, Nov 25, 2008 at 2:49 PM, David Hinkle <hinkle@cipafilter.com>
>> wrote:
>>
>> >  That's ok, you can scan us.  I'll be on hand to make sure you don't
>> > wreak any havoc.  I can take a few minutes to talk about nmap as well.
>> >
>> > David
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: qclug-bounces@qclug.org on behalf of Chris Cooper
>> > Sent: Tue 11/25/2008 2:46 PM
>> > To: qclug@qclug.org
>> > Subject: Re: [QCLUG] Linux Tool of the Week - netdiscover
>> >
>> > Out of respect for our host's network, I will politely decline.
>> > Network scans on private networks and all....
>> >
>> > On Tue, Nov 25, 2008 at 2:16 PM, Arron Lorenz <arronlorenz@gmail.com>
>> > wrote:
>> > > Chris,
>> > > will you be attending the next meeting at CIPA? Maybe you could do a short
>> > > presentation about netdiscover. I would be interested in seeing it in
>> > > operation.
>> > > Arron
>> > >
>> > > On Mon, Nov 24, 2008 at 7:41 PM, Dave Bergert <dbergert@gmail.com>
>> > wrote:
>> > >>
>> > >> Cool:
>> > >>
>> > >> I was not familiar with netdiscover:   You can also do an ARP scan with
>> > >> nmap: http://nmap.org/
>> > >>
>> > >> nmap -PR <ip addr/range>
>> > >>
>> > >> but it looks like netdiscover gives a little more detail on NIC type/etc
>> > >>
>> > >> I've also used arpwatch: ( http://en.wikipedia.org/wiki/Arpwatch ) in the
>> > >> past to detect when a new device is plugged into the LAN, it can even email
>> > >> an alert. - here is a simple how-to
>> > >> http://24h.atspace.com/it/security/arpwatch.htm
>> > >>
>> > >>
>> > >> DB
>> > >>
>> > >>
>> > >> On Sun, Nov 23, 2008 at 5:14 PM, Chris Cooper <QCAdmin@gmail.com>
>> > wrote:
>> > >>>
>> > >>> netdiscover - ARP based network resolution tool.Protocol
>> > >>> http://nixgeneration.com/~jaime/netdiscover/
>> > >>>
>> > >>> This week's highlight I found just over a year ago, and it quickly
>> > >>> became one of my favorites.  Netdiscover is a network scanner that
>> > >>> finds all of the IP's in use on the local segment.  Because it uses
>> > >>> ARP, it is only able to scan the local ethernet segment, however,
>> > >>> using arp gives it a couple advantages over traditional tools like
>> > >>> nmap.
>> > >>>
>> > >>> The first advantage is that it can scan for firewalled devices that
>> > >>> don't respond to ping requests.  Even if a machine is set to drop all
>> > >>> TCP/IP traffic, it will still respond to basic ARP requests.  This is
>> > >>> a requirement of the IPv4 specification to try to prevent IP address
>> > >>> conflicts.  For those that want to know a little more about ARP,
>> > >>> Wikipedia has an excellent article here:
>> > >>> http://en.wikipedia.org/wiki/Address_Resolution_Protocol
>> > >>>
>> > >>> The second advantage netdiscover has is that it does not need an
>> > >>> address within the subnet it is trying to scan.  It can quickly skip
>> > >>> from subnet to subnet, scanning everything in between.  This is useful
>> > >>> when you are looking for a device with an unknown address.  Take, for
>> > >>> example, a wireless access point.  Since the AP acts as a bridge, it
>> > >>> doesn't need an IP address on the network to do its job, but the IP is
>> > >>> required to reconfigure the device.  Netdiscover is an easy way to
>> > >>> track down the IP of the switch, even if it is outside the local
>> > >>> subnet.
>> > >>>
>> > >>> Finally, it can show you if any IP address conflicts exist.  In its
>> > >>> output, it provides the MAC address from each response and
>> > >>> cross-references it with the OUI list.  This gives you a fair idea of
>> > >>> what type of device you are looking for.
>> > >>>
>> > >>> A final word of note, I have noticed that at full speed, netdiscover
>> > >>> tends to occasionally miss devices, especially on large networks or
>> > >>> networks with wireless segments.  When scanning multiple subnets, I
>> > >>> will typically leave the speed at default, but once I am targeting a
>> > >>> specific subnet, I will typically use -s 10 or -s 50 to increase the
>> > >>> wait between requests to 10-50ms (the default is 1ms).
>> > >>> For example: "netdiscover -i eth0 -r 192.168.1.0/24 -s 50"
>> > >>>
>> > >>> -Cooper
>> > >>> _______________________________________________
>> > >>> QCLUG mailing list
>> > >>> QCLUG@qclug.org
>> > >>> http://qclug.org/mailman/listinfo/qclug
>> > >>
>> > >
>> > >
>> > >
>> > > --
>> > > From:
>> > > Arron James Lorenz
>> > > Reel to Reel Drive In
>> > > http://www.DavenportDriveIn.com
>> > > 563-579-7046
>> > >
>
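
The thread mentions two defensive uses of ARP data: spotting IP address conflicts from the MAC in each reply, and arpwatch-style alerts when a new device appears on the LAN. The sketch below is an added example, not part of any message in this thread and not code from netdiscover or arpwatch; it parses ARP reply frames and reports both conditions. The frames, MAC addresses, baseline list and function names are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806

def make_reply(mac, ip):
    """Build a constructed Ethernet+ARP reply frame for the sample data."""
    src = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, op 2 = reply
    target = b"\x00" * 6 + socket.inet_aton("0.0.0.0")
    return eth + arp + src + socket.inet_aton(ip) + target

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return op, mac, socket.inet_ntoa(frame[28:32])

def audit(frames, known_macs):
    """Report IPs claimed by more than one MAC, and MACs absent from the baseline."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 2:              # count replies only
            claims[parsed[2]].add(parsed[1])
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    seen = set().union(*claims.values()) if claims else set()
    return conflicts, sorted(seen - set(known_macs))

# Constructed sample capture: two stations answer for 192.168.1.20.
SAMPLE = [
    make_reply("00:11:22:33:44:55", "192.168.1.1"),
    make_reply("00:11:22:33:44:66", "192.168.1.20"),
    make_reply("00:11:22:aa:bb:cc", "192.168.1.20"),
    b"\x00" * 20,                                  # truncated frame, ignored
]
BASELINE = ["00:11:22:33:44:55", "00:11:22:33:44:66"]

if __name__ == "__main__":
    conflicts, new_stations = audit(SAMPLE, BASELINE)
    print("conflicts:", conflicts)
    print("new stations:", new_stations)
```
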