From owner-freebsd-questions@FreeBSD.ORG Tue Mar 24 02:41:49 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A0CC1106566B for ; Tue, 24 Mar 2009 02:41:49 +0000 (UTC) (envelope-from steve@ibctech.ca) Received: from ibctech.ca (v6.ibctech.ca [IPv6:2607:f118::b6]) by mx1.freebsd.org (Postfix) with SMTP id 624BB8FC15 for ; Tue, 24 Mar 2009 02:41:49 +0000 (UTC) (envelope-from steve@ibctech.ca) Received: (qmail 55174 invoked by uid 89); 24 Mar 2009 02:47:14 -0000 Received: from unknown (HELO ?192.168.1.114?) (steve@ibctech.ca@::ffff:208.70.104.100) by pearl.ibctech.ca with ESMTPA; 24 Mar 2009 02:47:14 -0000 Message-ID: <49C8486C.7020300@ibctech.ca> Date: Mon, 23 Mar 2009 22:41:48 -0400 From: Steve Bertrand User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: John Almberg References: In-Reply-To: X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: utility that scans lan for client? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Mar 2009 02:41:49 -0000 John Almberg wrote: > I've tried googling for this, but I guess I don't know the name of a > utility such as this... > > What I'm looking for is a utility that can scan a LAN for attached > clients... i.e., computers that are attached to the LAN. > > I have one box (an appliance that I have no access to), that is on the > LAN but I don't know what IP address it's using. I'd like to complete my > network map, and that is the one empty box on my chart. > > Yes, I am obsessive :-) ...and it is ok to be such. I suspect that you don't have a switch that can port 'mirror' or 'span'. If you do, let us know. Otherwise, if you *really* want to find out what is on your switched Ethernet network, and nmap/arp etc. isn't enough, then I'd recommend an application called 'ettercap'. It runs on the CLI, and a colleague also has a nice GUI for it (under Linux) as well. This will allow you to infiltrate the network at Layer-2 by arp poisoning all connected devices, and intercepting all traffic. Essentially, you perform a MitM, and you become the host (or in a small environment the default gw) that the device is trying to talk to. This way, you can find out not only what the host is, but what it is saying. Please understand that this approach has significant side effects. You can do extensive harm to your local network by using this approach, so read up on it, and be careful. Know what you are doing, and know the ramifications of simply disconnecting yourself from the network prior to stopping the procedure. Not only that, but if you don't own control of the switched environment, this is a very good way to get yourself blocked completely from it. This tactic, and port mirror/span/monitor are the easiest ways to know what is really going on with regards to the wire (if you don't have ACL's and other mitigation/protection strategies already in place). Steve