How to find used IP addresses - Networking

  1. How to find used IP addresses

    Hi -

    I inherited a network that's in pretty bad shape: all static IP
    addresses, an uneven ledger of who is assigned what, swiss cheese
    address assignment, no MAC address list, and a bunch of host software
    firewalls which prevent pings.

    Can anyone suggest an accurate means of figuring out what IP addresses
    are in use and their corresponding MAC address?

    I'm using tcpdump now to siphon off ARP traffic. That more or less
    gets me active IP addresses. Does this work for all hosts? Any
    pitfalls to this strategy? Most hosts are Windows machines. We have a
    few jetdirect devices.

    How would I get the MAC address after that? I guess I could script
    something using the list generated by tcpdump. Is there a simpler way?

    Any help is appreciated!


  2. Re: How to find used IP addresses

    On 2007-01-04, genkuro@gmail.com wrote:
    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?


    arp -n
    should display what you want.

    Davide

    --
    "Windows for Dummies" is much more than a book title, it's a Microsoft
    way of life!

  3. Re: How to find used IP addresses

    On Thu, 04 Jan 2007 08:27:55 -0800, genkuro wrote:

    > Hi -
    >
    > I inherited a network that's in pretty bad shape: all static IP
    > addresses, an uneven ledger of who is assigned what, swiss cheese
    > address assignment, no MAC address list, and a bunch of host software
    > firewalls which prevent pings.
    >
    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?
    >
    > I'm using tcpdump now to siphon off ARP traffic. That more or less
    > gets me active IP addresses. Does this work for all hosts? Any
    > pitfalls to this strategy? Most hosts are Windows machines. We have a
    > few jetdirect devices.
    >
    > How would I get the MAC address after that? I guess I could script
    > something using the list generated by tcpdump. Is there a simpler way?
    >
    > Any help is appreciated!


    Assuming all of the addresses are in a particular range like 192.168.100.x
    then try "ping -b 192.168.100.255" for starters.


  4. Re: How to find used IP addresses

    genkuro@gmail.com wrote:

    > Hi -
    >
    > I inherited a network that's in pretty bad shape: all static IP
    > addresses, an uneven ledger of who is assigned what, swiss cheese
    > address assignment, no MAC address list, and a bunch of host software
    > firewalls which prevent pings.
    >
    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?
    >
    > I'm using tcpdump now to siphon off ARP traffic. That more or less
    > gets me active IP addresses. Does this work for all hosts? Any
    > pitfalls to this strategy? Most hosts are Windows machines. We have a
    > few jetdirect devices.
    >
    > How would I get the MAC address after that? I guess I could script
    > something using the list generated by tcpdump. Is there a simpler way?
    >
    > Any help is appreciated!


    Let arpwatch run for a few days. It should map everything out for you.

    --
    Lasse Jensen [fafler at g mail dot com]
    Linux, the choice of a GNU generation.

  5. Re: How to find used IP addresses

    genkuro@gmail.com wrote:
    > Hi -
    >
    > I inherited a network that's in pretty bad shape: all static IP
    > addresses, an uneven ledger of who is assigned what, swiss cheese
    > address assignment, no MAC address list, and a bunch of host software
    > firewalls which prevent pings.
    >
    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?
    >
    > I'm using tcpdump now to siphon off ARP traffic. That more or less
    > gets me active IP addresses. Does this work for all hosts? Any
    > pitfalls to this strategy? Most hosts are Windows machines. We have a
    > few jetdirect devices.
    >
    > How would I get the MAC address after that? I guess I could script
    > something using the list generated by tcpdump. Is there a simpler way?
    >
    > Any help is appreciated!


    If you have arping available, it's a decent tool. Basically it does an
    arp (layer 2) on the local network for the IP address you specify. Even
    if someone is silly enough to block pings, they can't block arps.

    If you have a smart switch, they usually keep track of MAC addresses,
    too, but usually not IP addresses.

    Last resort: if any of the boxes are Windows and use WINS, WINS keeps
    track of IP addresses across subnets.

  6. Re: How to find used IP addresses

    genkuro@gmail.com wrote:
    > Hi -
    >
    > I inherited a network that's in pretty bad shape: all static IP
    > addresses, an uneven ledger of who is assigned what, swiss cheese
    > address assignment, no MAC address list, and a bunch of host software
    > firewalls which prevent pings.
    >
    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?
    >
    > I'm using tcpdump now to siphon off ARP traffic. That more or less
    > gets me active IP addresses. Does this work for all hosts? Any
    > pitfalls to this strategy? Most hosts are Windows machines. We have a
    > few jetdirect devices.
    >
    > How would I get the MAC address after that? I guess I could script
    > something using the list generated by tcpdump. Is there a simpler way?
    >
    > Any help is appreciated!
    >

    Run arpwatch for a bit, collect the information, configure the servers
    to only respond to the MAC/IP addresses you know and anyone you've
    missed will soon let you know. (You'll have to explicitly check all the
    printers and anything else that might not talk to the servers.)
    Jetdirect TCP/IP stacks tend to respond to broadcast pings quite nicely,
    at least the ones I've tried so that should pick up all the printers
    plus a few more.

    Once you've got that far, set up a DHCP server (ideally with DDNS) in a
    spare part of the subnet and go round all the machines one at a time and
    switch them over to use it, expanding the DHCP range as you clear the
    static ones. The few things that benefit from being static can be given
    fixed DHCP assignments so you can administer them all from the same
    place in future.

    --
    Dave
    mail da ve@llondel.org (without the space)
    http://www.llondel.org
    So many gadgets, so little time

  7. Re: How to find used IP addresses

    genkuro@gmail.com wrote:
    > Hi -
    >
    > I inherited a network that's in pretty bad shape: all static IP
    > addresses, an uneven ledger of who is assigned what, swiss cheese
    > address assignment, no MAC address list, and a bunch of host software
    > firewalls which prevent pings.
    >
    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?
    >
    > I'm using tcpdump now to siphon off ARP traffic. That more or less
    > gets me active IP addresses. Does this work for all hosts? Any
    > pitfalls to this strategy? Most hosts are Windows machines. We have a
    > few jetdirect devices.
    >
    > How would I get the MAC address after that? I guess I could script
    > something using the list generated by tcpdump. Is there a simpler way?
    >
    > Any help is appreciated!
    >


    arpwatch can automate the process somewhat...

    ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

    Doug

  8. Re: How to find used IP addresses

    In news:1167928075.280542.79920@i15g2000cwa.googlegroups.com,
    genkuro@gmail.com wrote:

    > Can anyone suggest an accurate means of figuring out what IP addresses
    > are in use and their corresponding MAC address?


    arp -a

  9. Re: How to find used IP addresses

    On 4 Jan 2007, in the Usenet newsgroup comp.os.linux.networking, in article
    <1167928075.280542.79920@i15g2000cwa.googlegroups.com>, genkuro@gmail.com wrote:

    >I inherited a network that's in pretty bad shape: all static IP
    >addresses,


    If your computers aren't going 'walkies' there's nothing wrong with
    using static addresses. Our security auditors strongly recommended it.

    >an uneven ledger of who is assigned what, swiss cheese address
    >assignment, no MAC address list, and a bunch of host software
    >firewalls which prevent pings.


    Layout? Start by grabbing a copy of the arp caches on your routers,
    DNS and file servers. If your network is using intelligent switches,
    grab their arp cache as well. RFC1122 (Requirements for Internet Hosts
    - Communication Layers) section 2.3.2 suggests (in 2.3.2.1.(1)) a time
    out of 60 seconds, but most routers and switches use a far longer value.

    >Can anyone suggest an accurate means of figuring out what IP addresses
    >are in use and their corresponding MAC address?


    Above. See also 'arpwatch'

    >I'm using tcpdump now to siphon off ARP traffic. That more or less
    >gets me active IP addresses. Does this work for all hosts?


    If they are not using ARP (not very likely, but possible - 'man arp')
    you'll have to look in the arp caches as above.

    >Any pitfalls to this strategy?


    Not really. Depending on the local mail clients, you might sniff the
    mail server POP or IMAP ports, and you'll usually get usernames to nail
    down who is who.

    >Most hosts are Windows machines.


    My condolences. But at least they spew lots of user information for you to
    sniff.

    >We have a few jetdirect devices.


    Good places to listen - lots of people like to print crap. I've seen
    JetDirects using MAC addresses in the 08:00:09: and 00:01:E6: range.
    'arpwatch' comes with a crude list of OUI codes, but the official list
    can be downloaded from http://standards.ieee.org/regauth/oui/oui.txt. Be
    advised that's a large list (63000 lines, 2.73 megabytes). An unofficial
    list, older and with some errors, but some additional details/clues is at
    http://map-ne.com/Ethernet/Ethernet.txt.

    >How would I get the MAC address after that? I guess I could script
    >something using the list generated by tcpdump. Is there a simpler way?


    We have all that information, but run a VERY PARANOID ship - so we're
    monitoring the ARP cache of the switches, routers, and some servers, 24/7
    and comparing that data to a list of known MAC/IP addresses - 'arpwatch'
    will do something near identical. An unknown MAC or IP address causes
    mail to the NOC and Security station. As ours is a switched network, and
    we know where every switch port terminates, it's usually a footrace between
    a network administrator and a guard to see who gets to the intruder first.

    Old guy
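
Added example, not part of any post in the thread: a sketch of the script the original question asks about, combined with the ledger comparison described in post 9. It turns passively captured ARP lines into an IP-to-MAC table and reports entries that disagree with a known list. It assumes text in the style printed by `tcpdump -e -n arp`; the sample capture, the ledger and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

MAC = r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SRC_MAC = re.compile(rf"({MAC}) > {MAC}")          # link-level header printed by -e
REQUEST = re.compile(rf"who-has .*? tell ({IP})")  # sender IP of an ARP request
REPLY = re.compile(rf"({IP}) is-at ({MAC})")       # IP and MAC of an ARP reply

def norm(mac):  # lower-case and zero-pad, so 0:1:E6:... equals 00:01:e6:...
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def build_table(lines):  # map each sender IP to the set of MACs seen claiming it
    table = defaultdict(set)
    for line in lines:
        reply = REPLY.search(line)
        req, src = REQUEST.search(line), SRC_MAC.search(line)
        if reply:
            table[reply.group(1)].add(norm(reply.group(2)))
        elif req and src and req.group(1) != "0.0.0.0":  # 0.0.0.0 = address probe
            table[req.group(1)].add(norm(src.group(1)))
    return table

def audit(table, ledger):  # list (ip, status, macs) that disagree with the ledger
    findings = []
    for ip in sorted(table, key=ipaddress.ip_address):
        macs = sorted(table[ip])
        if len(macs) > 1:
            findings.append((ip, "conflict", macs))  # duplicate IP or replaced NIC
        elif ip not in ledger:
            findings.append((ip, "unknown", macs))
        elif norm(ledger[ip]) != macs[0]:
            findings.append((ip, "changed", macs))
    return findings

# Constructed sample capture and ledger (not real data).
HDR = "ethertype ARP (0x0806), length 60:"
SAMPLE = [
    f"10:00:01.0 02:00:00:00:00:17 > ff:ff:ff:ff:ff:ff, {HDR} Request who-has 192.168.100.1 tell 192.168.100.23, length 46",
    f"10:00:01.1 02:00:00:00:00:01 > 02:00:00:00:00:17, {HDR} Reply 192.168.100.1 is-at 02:00:00:00:00:01, length 46",
    f"10:00:05.0 02:00:00:00:00:40 > ff:ff:ff:ff:ff:ff, {HDR} Request who-has 192.168.100.1 tell 192.168.100.40, length 46",
    f"10:00:09.0 02:00:00:00:00:99 > ff:ff:ff:ff:ff:ff, {HDR} Request who-has 192.168.100.1 tell 192.168.100.23, length 46",
    f"10:00:12.0 02:00:00:00:00:55 > ff:ff:ff:ff:ff:ff, {HDR} Request who-has 192.168.100.77 tell 0.0.0.0, length 46",
]
LEDGER = {"192.168.100.1": "02:00:00:00:00:01", "192.168.100.23": "02:00:00:00:00:17"}
for row in audit(build_table(SAMPLE), LEDGER):
    print(*row)
```

A host that never sends or answers ARP during the capture window will not appear in the table, so the router and switch caches mentioned in post 9 remain a useful cross-check.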
