[QCLUG] Linux Tool of the Week - netdiscover

David Hinkle hinkle@cipafilter.com
Tue, 25 Nov 2008 15:45:02 -0600


Very sneaky.  Remind me to make sure you guys are patched OUTSIDE the
firewall. :)

David


-----Original Message-----
From: qclug-bounces@qclug.org on behalf of Chris Cooper
Sent: Tue 11/25/2008 3:32 PM
To: qclug@qclug.org
Subject: Re: [QCLUG] Linux Tool of the Week - netdiscover

Doing a little reading on nmap -PR.  It requires you to have an IP
address, and only works on hosts in the local subnet of your
interface.

netdiscover will scan any range you want, regardless of what your ip
address is.  (I usually have mine set to 0.0.0.0 when I start
scanning).  I have used this multiple times to find an available IP on
a network without DHCP.

On Tue, Nov 25, 2008 at 3:17 PM, Arron Lorenz <arronlorenz@gmail.com> wrote:
> It would be interesting to see the comparison. I do enjoy nmap but that
> is just because it's good for everything! I also know that netdiscover has
> come in really handy a few times. Mostly because it's quick and easy.
>
> On Tue, Nov 25, 2008 at 3:01 PM, David Hinkle <hinkle@cipafilter.com> wrote:
>>
>> You can bring whatever you want, just let me in on your plans before you
>> execute them.
>>
>> David
>>
>> -----Original Message-----
>> From: qclug-bounces@qclug.org on behalf of Arron Lorenz
>> Sent: Tue 11/25/2008 2:59 PM
>> To: qclug@qclug.org
>> Subject: Re: [QCLUG] Linux Tool of the Week - netdiscover
>>
>> Well yes but that doesn't mean we can bring a switch and two laptops? Or
>> does it?
>>
>> On Tue, Nov 25, 2008 at 2:49 PM, David Hinkle <hinkle@cipafilter.com>
>> wrote:
>>
>> >  That's ok, you can scan us.  I'll be on hand to make sure you don't
>> > wreak any havoc.  I can take a few minutes to talk about nmap as well.
>> >
>> > David
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: qclug-bounces@qclug.org on behalf of Chris Cooper
>> > Sent: Tue 11/25/2008 2:46 PM
>> > To: qclug@qclug.org
>> > Subject: Re: [QCLUG] Linux Tool of the Week - netdiscover
>> >
>> > Out of respect for our host's network, I will politely decline.
>> > Network scans on private networks and all....
>> >
>> > On Tue, Nov 25, 2008 at 2:16 PM, Arron Lorenz <arronlorenz@gmail.com>
>> > wrote:
>> > > Chris,
>> > > will you be attending the next meeting at CIPA? Maybe you could do a
>> > > short presentation about netdiscover. I would be interested in seeing
>> > > it in operation.
>> > > Arron
>> > >
>> > > On Mon, Nov 24, 2008 at 7:41 PM, Dave Bergert <dbergert@gmail.com>
>> > > wrote:
>> > >>
>> > >> Cool:
>> > >>
>> > >> I was not familiar with netdiscover:   You can also do an ARP scan
>> > >> with nmap: http://nmap.org/
>> > >>
>> > >> nmap -PR <ip addr/range>
>> > >>
>> > >> but it looks like netdiscover gives a little more detail on NIC
>> > >> type/etc
>> > >>
>> > >> I've also used arpwatch: ( http://en.wikipedia.org/wiki/Arpwatch )
>> > >> in the past to detect when a new device is plugged into the LAN, it
>> > >> can even email an alert. - here is a simple how-to
>> > >> http://24h.atspace.com/it/security/arpwatch.htm
>> > >>
>> > >>
>> > >> DB
>> > >>
>> > >>
>> > >> On Sun, Nov 23, 2008 at 5:14 PM, Chris Cooper <QCAdmin@gmail.com>
>> > >> wrote:
>> > >>>
>> > >>> netdiscover - ARP based network resolution tool.Protocol
>> > >>> http://nixgeneration.com/~jaime/netdiscover/
>> > >>>
>> > >>> This week's highlight I found just over a year ago, and it quickly
>> > >>> became one of my favorites.  Netdiscover is a network scanner that
>> > >>> finds all of the IPs in use on the local segment.  Because it uses
>> > >>> ARP, it is only able to scan the local ethernet segment, however,
>> > >>> using arp gives it a couple advantages over traditional tools like
>> > >>> nmap.
>> > >>>
>> > >>> The first advantage is that it can scan for firewalled devices that
>> > >>> don't respond to ping requests.  Even if a machine is set to drop
>> > >>> all TCP/IP traffic, it will still respond to basic ARP requests.
>> > >>> This is a requirement of the IPv4 specification to try to prevent IP
>> > >>> address conflicts.  For those that want to know a little more about
>> > >>> ARP, Wikipedia has an excellent article here:
>> > >>> http://en.wikipedia.org/wiki/Address_Resolution_Protocol
>> > >>>
>> > >>> The second advantage netdiscover has is that it does not need an
>> > >>> address within the subnet it is trying to scan.  It can quickly skip
>> > >>> from subnet to subnet, scanning everything in between.  This is
>> > >>> useful when you are looking for a device with an unknown address.
>> > >>> Take, for example, a wireless access point.  Since the AP acts as a
>> > >>> bridge, it doesn't need an IP address on the network to do its job,
>> > >>> but the IP is required to reconfigure the device.  Netdiscover is an
>> > >>> easy way to track down the IP of the switch, even if it is outside
>> > >>> the local subnet.
>> > >>>
>> > >>> Finally, it can show you if any IP address conflicts exist.  In its
>> > >>> output, it provides the MAC address from each response and
>> > >>> cross-references it with the OUI list.  This gives you a fair idea
>> > >>> of what type of device you are looking for.
>> > >>>
>> > >>> A final word of note, I have noticed that at full speed, netdiscover
>> > >>> tends to occasionally miss devices, especially on large networks or
>> > >>> networks with wireless segments.  When scanning multiple subnets, I
>> > >>> will typically leave the speed at default, but once I am targeting a
>> > >>> specific subnet, I will typically use -s 10 or -s 50 to increase the
>> > >>> wait between requests to 10-50ms (the default is 1ms).
>> > >>> For example: "netdiscover -i eth0 -r 192.168.1.0/24 -s 50"
>> > >>>
>> > >>> -Cooper
>> > >>> _______________________________________________
>> > >>> QCLUG mailing list
>> > >>> QCLUG@qclug.org
>> > >>> http://qclug.org/mailman/listinfo/qclug
>> > >>
>> > >
>> > >
>> > >
>> > > --
>> > > From:
>> > > Arron James Lorenz
>> > > Reel to Reel Drive In
>> > > http://www.DavenportDriveIn.com
>> > > 563-579-7046
>> > >
_______________________________________________
QCLUG mailing list
QCLUG@qclug.org
http://qclug.org/mailman/listinfo/qclug
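
The monitoring side of this thread (arpwatch alerts, IP conflicts, scans run from an interface set to 0.0.0.0), as an added example that is not from any poster or from the netdiscover or arpwatch projects: it parses raw ARP payloads, flags a station that asks for many distinct addresses inside one time window, and lists addresses used by more than one MAC. The function names, the 1-second window, the threshold of 20 and the sample capture are assumptions, as is the premise that a scanner on an unaddressed interface sends 0.0.0.0 as its sender address.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 payload for Ethernet/IPv4, 28 bytes

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip) from a raw ARP payload."""
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, ":".join(f"{x:02x}" for x in sha), dotted(spa), dotted(tpa)

def analyse(events, window=1.0, sweep_threshold=20):
    """events: (timestamp_seconds, arp_payload) pairs. Returns (sweepers, conflicts)."""
    requests = defaultdict(list)  # sender MAC -> [(ts, target IP, sender IP)]
    claims = defaultdict(set)     # IP -> MACs seen using it as sender address
    for ts, payload in events:
        op, mac, spa, tpa = parse_arp(payload)
        if op == 1:               # who-has request
            requests[mac].append((ts, tpa, spa))
        if spa != "0.0.0.0":      # a real sender IP asserts an IP-to-MAC binding
            claims[spa].add(mac)
    sweepers = {}
    for mac, reqs in requests.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1        # slide the window forward
            targets = {t for _, t, _ in reqs[start:end + 1]}
            if len(targets) >= sweep_threshold:  # many distinct targets in one window
                sweepers[mac] = {"targets": len(targets), "unaddressed": reqs[end][2] == "0.0.0.0"}
                break
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    return sweepers, conflicts

def build(op, sha, spa, tpa):  # packs one ARP payload for the constructed sample
    ip = lambda s: bytes(int(p) for p in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha.replace(":", "")), ip(spa), b"\0" * 6, ip(tpa))

# Constructed capture: a 50-address sweep from 0.0.0.0, then two stations replying as .10
SAMPLE = [(i * 0.001, build(1, "02:00:00:00:00:aa", "0.0.0.0", f"192.168.1.{i}"))
          for i in range(1, 51)]
SAMPLE += [(0.010, build(2, "02:00:00:00:00:01", "192.168.1.10", "192.168.1.1")),
           (0.011, build(2, "02:00:00:00:00:02", "192.168.1.10", "192.168.1.1"))]

print(analyse(SAMPLE))
```

Raising the delay between requests, as the `-s` option discussed in the thread does, spreads the same sweep across more windows, so the window and threshold have to be tuned against the slowest scan worth catching.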

