Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 23 Mar 2009 22:41:48 -0400
From:      Steve Bertrand <steve@ibctech.ca>
To:        John Almberg <jalmberg@identry.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: utility that scans lan for client?
Message-ID:  <49C8486C.7020300@ibctech.ca>
In-Reply-To: <E4A3989A-982F-4B9D-971D-25C49A932EB7@identry.com>
References:  <E4A3989A-982F-4B9D-971D-25C49A932EB7@identry.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
John Almberg wrote:
> I've tried googling for this, but I guess I don't know the name of a
> utility such as this...
> 
> What I'm looking for is a utility that can scan a LAN for attached
> clients... i.e., computers that are attached to the LAN.
> 
> I have one box (an appliance that I have no access to), that is on the
> LAN but I don't know what IP address it's using. I'd like to complete my
> network map, and that is the one empty box on my chart.
> 
> Yes, I am obsessive :-)

...and it is ok to be such.

I suspect that you don't have a switch that can port 'mirror' or 'span'.
If you do, let us know.

Otherwise, if you *really* want to find out what is on your switched
Ethernet network, and nmap/arp etc. isn't enough, then I'd recommend an
application called 'ettercap'. It runs on the CLI, and a colleague also
has a nice GUI for it (under Linux) as well.

This will allow you to infiltrate the network at Layer-2 by arp
poisoning all connected devices, and intercepting all traffic.

Essentially, you perform a MitM, and you become the host (or in a small
environment the default gw) that the device is trying to talk to.

This way, you can find out not only what the host is, but what it is saying.

Please understand that this approach has significant side effects. You
can do extensive harm to your local network by using this approach, so
read up on it, and be careful. Know what you are doing, and know the
ramifications of simply disconnecting yourself from the network prior to
stopping the procedure. Not only that, but if you don't own control of
the switched environment, this is a very good way to get yourself
blocked completely from it.

This tactic, and port mirror/span/monitor are the easiest ways to know
what is really going on with regards to the wire (if you don't have
ACL's and other mitigation/protection strategies already in place).

Steve



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?49C8486C.7020300>