Chris,<div>will you been attending the next meeting a CIPA? Maybe you could do a short presentation about netdiscover. I would be interested in seeing it in operation.</div><div><br></div><div>Arron<br><br><div class="gmail_quote">
On Mon, Nov 24, 2008 at 7:41 PM, Dave Bergert <span dir="ltr"><<a href="mailto:dbergert@gmail.com">dbergert@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Cool:<br><br>I was not famialar with netdiscover: You can also do an apr scan with nmap: <a href="http://nmap.org/" target="_blank">http://nmap.org/</a><br> <br>nmap -PR <ip addr/range><br><br>but it looks like netdiscover gives a little more detail on NIC type/etc<br>
<br>I've also used arpwatch: ( <a href="http://en.wikipedia.org/wiki/Arpwatch" target="_blank">http://en.wikipedia.org/wiki/Arpwatch</a> ) in the past to detect when a new device is plugged into the LAN, it can even email an alert. - here is a simple how-to <a href="http://24h.atspace.com/it/security/arpwatch.htm" target="_blank">http://24h.atspace.com/it/security/arpwatch.htm</a><br>
<font color="#888888">
<br><br>DB</font><div><div></div><div class="Wj3C7c"><br><br><br><div class="gmail_quote">On Sun, Nov 23, 2008 at 5:14 PM, Chris Cooper <span dir="ltr"><<a href="mailto:QCAdmin@gmail.com" target="_blank">QCAdmin@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
netdiscover - ARP based network resolution tool.Protocol<br>
<a href="http://nixgeneration.com/%7Ejaime/netdiscover/" target="_blank">http://nixgeneration.com/~jaime/netdiscover/</a><br>
<br>
This week's highlight I found just over a year ago, and it quickly<br>
became one of my favorites. Netdiscover is a network scanner that<br>
finds all of the IP's in use on the local segment. Because it uses<br>
ARP, it is only able to scan the local ethernet segment, however,<br>
using arp gives it a couple advantages over traditional tools like<br>
nmap.<br>
<br>
The first advantage is that it can scan for firewalled devices that<br>
don't respond to ping requests. Even if a machine is set to drop all<br>
TCP/IP traffic, it will still respond to basic ARP requests. This is<br>
a requirement of the IPv4 specification to try to prevent IP address<br>
conflicts. For those that want to know a little more about ARP,<br>
Wikipedia has an excellent article here:<br>
<a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol" target="_blank">http://en.wikipedia.org/wiki/Address_Resolution_Protocol</a><br>
<br>
The second advantage netdiscover has is that it does not need an<br>
address within the subnet it is trying to scan. It can quickly skip<br>
from subnet to subnet, scanning everything in between. This is useful<br>
when you are looking for a device with an unknown address. Take, for<br>
example, a wireless access point. Since the AP acts as a bridge, it<br>
doesn't need an IP address on the network to do its job, but the IP is<br>
required to reconfigure the device. Netdiscover is an easy way to<br>
track down the IP of the switch, even if it is outside the local<br>
subnet.<br>
<br>
Finally, it can show you if any IP address conflicts exist. In it's<br>
output, it provides the MAC address from each response and<br>
cross-references it with the OUI list. This gives you a fair idea of<br>
what type of device you are looking for.<br>
<br>
A final word of note, I have noticed that at full speed, netdiscover<br>
tends to occasionally miss devices, especially on large networks or<br>
networks with wireless segments. When scanning multiple subnets, i<br>
will typically leave the speed at default, but once I am targeting a<br>
specific subnet, I will typically use -s 10 or -s 50 to increase the<br>
wait between requests to 10-50ms (the default is 1ms).<br>
For example: "netdiscover -i eth0 -r <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> -s 50"<br>
<br>
-Cooper<br>
_______________________________________________<br>
QCLUG mailing list<br>
<a href="mailto:QCLUG@qclug.org" target="_blank">QCLUG@qclug.org</a><br>
<a href="http://qclug.org/mailman/listinfo/qclug" target="_blank">http://qclug.org/mailman/listinfo/qclug</a><br>
</blockquote></div><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>From:<br>Arron James Lorenz<br>Reel to Reel Drive In<br><a href="http://www.DavenportDriveIn.com">http://www.DavenportDriveIn.com</a><br>563-579-7046<br>
</div>