How to find used IP addresses (Linux Networking forums, Linux Forums category)
Hi -

I inherited a network that's in pretty bad shape: all static IP addresses, an uneven ledger of who is assigned what, swiss cheese address assignment, no MAC address list, and a bunch of host software firewalls which prevent pings.

Can anyone suggest an accurate means of figuring out what IP addresses are in use and their corresponding MAC address?

I'm using tcpdump now to siphon off ARP traffic. That more or less gets me active IP addresses. Does this work for all hosts? Any pitfalls to this strategy? Most hosts are Windows machines. We have a few jetdirect devices.

How would I get the MAC address after that? I guess I could script something using the list generated by tcpdump. Is there a simpler way?

Any help is appreciated!
genkuro@gmail.com wrote:

> Hi -
>
> I inherited a network that's in pretty bad shape: all static IP
> addresses, an uneven ledger of who is assigned what, swiss cheese
> address assignment, no MAC address list, and a bunch of host software
> firewalls which prevent pings.
>
> Can anyone suggest an accurate means of figuring out what IP addresses
> are in use and their corresponding MAC address?
>
> I'm using tcpdump now to siphon off ARP traffic. That more or less
> gets me active IP addresses. Does this work for all hosts? Any
> pitfalls to this strategy? Most hosts are Windows machines. We have a
> few jetdirect devices.
>
> How would I get the MAC address after that? I guess I could script
> something using the list generated by tcpdump. Is there a simpler way?
>
> Any help is appreciated!

arpwatch can automate the process somewhat... ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

Doug
On Thu, 04 Jan 2007 08:27:55 -0800, genkuro wrote:

> Hi -
>
> I inherited a network that's in pretty bad shape: all static IP
> addresses, an uneven ledger of who is assigned what, swiss cheese
> address assignment, no MAC address list, and a bunch of host software
> firewalls which prevent pings.
>
> Can anyone suggest an accurate means of figuring out what IP addresses
> are in use and their corresponding MAC address?
>
> I'm using tcpdump now to siphon off ARP traffic. That more or less
> gets me active IP addresses. Does this work for all hosts? Any
> pitfalls to this strategy? Most hosts are Windows machines. We have a
> few jetdirect devices.
>
> How would I get the MAC address after that? I guess I could script
> something using the list generated by tcpdump. Is there a simpler way?
>
> Any help is appreciated!

Assuming all of the addresses are in a particular range like 192.168.100.x then try "ping -b 192.168.100.255" for starters.
genkuro@gmail.com wrote:

> Hi -
>
> I inherited a network that's in pretty bad shape: all static IP
> addresses, an uneven ledger of who is assigned what, swiss cheese
> address assignment, no MAC address list, and a bunch of host software
> firewalls which prevent pings.
>
> Can anyone suggest an accurate means of figuring out what IP addresses
> are in use and their corresponding MAC address?
>
> I'm using tcpdump now to siphon off ARP traffic. That more or less
> gets me active IP addresses. Does this work for all hosts? Any
> pitfalls to this strategy? Most hosts are Windows machines. We have a
> few jetdirect devices.
>
> How would I get the MAC address after that? I guess I could script
> something using the list generated by tcpdump. Is there a simpler way?
>
> Any help is appreciated!

Let arpwatch run for a few days. It should map everything out for you.

--
Lasse Jensen [fafler at g mail dot com]
Linux, the choice of a GNU generation.
genkuro@gmail.com wrote:

> Hi -
>
> I inherited a network that's in pretty bad shape: all static IP
> addresses, an uneven ledger of who is assigned what, swiss cheese
> address assignment, no MAC address list, and a bunch of host software
> firewalls which prevent pings.
>
> Can anyone suggest an accurate means of figuring out what IP addresses
> are in use and their corresponding MAC address?
>
> I'm using tcpdump now to siphon off ARP traffic. That more or less
> gets me active IP addresses. Does this work for all hosts? Any
> pitfalls to this strategy? Most hosts are Windows machines. We have a
> few jetdirect devices.
>
> How would I get the MAC address after that? I guess I could script
> something using the list generated by tcpdump. Is there a simpler way?
>
> Any help is appreciated!

If you have arping available, it's a decent tool. Basically it does an arp (layer 2) on the local network for the IP address you specify. Even if someone is silly enough to block pings, they can't block arps.

If you have a smart switch, they usually keep track of MAC addresses, too, but usually not IP addresses.

Last resort: if any of the boxes are Windows and use WINS, WINS keeps track of IP addresses across subnets.
In news:1167928075.280542.79920@i15g2000cwa.googlegroups.com, genkuro@gmail.com <genkuro@gmail.com> wrote:

> Can anyone suggest an accurate means of figuring out what IP addresses
> are in use and their corresponding MAC address?

arp -a
On 4 Jan 2007, in the Usenet newsgroup comp.os.linux.networking, in article <1167928075.280542.79920@i15g2000cwa.googlegroups.com>, genkuro@gmail.com wrote:

> I inherited a network that's in pretty bad shape: all static IP
> addresses,

If your computers aren't going 'walkies' there's nothing wrong with using static addresses. Our security auditors strongly recommended it.

> an uneven ledger of who is assigned what, swiss cheese address
> assignment, no MAC address list, and a bunch of host software
> firewalls which prevent pings.

Layout? Start by grabbing a copy of the arp caches on your routers, DNS and file servers. If your network is using intelligent switches, grab their arp cache as well. RFC1122 (Requirements for Internet Hosts - Communication Layers) section 2.3.2 suggests (in 2.3.2.1.(1)) a time out of 60 seconds, but most routers and switches use a far longer value.

> Can anyone suggest an accurate means of figuring out what IP addresses
> are in use and their corresponding MAC address?

Above. See also 'arpwatch'

> I'm using tcpdump now to siphon off ARP traffic. That more or less
> gets me active IP addresses. Does this work for all hosts?

If they are not using ARP (not very likely, but possible - 'man arp') you'll have to look in the arp caches as above.

> Any pitfalls to this strategy?

Not really. Depending on the local mail clients, you might sniff the mail server POP or IMAP ports, and you'll usually get usernames to nail down who is who.

> Most hosts are Windows machines.

My condolences. But at least they spew lots of user information for you to sniff.

> We have a few jetdirect devices.

Good places to listen - lots of people like to print crap. I've seen JetDirects using MAC addresses in the 08:00:09: and 00:01:E6: range. 'arpwatch' comes with a crude list of OUI codes, but the official list can be downloaded from http://standards.ieee.org/regauth/oui/oui.txt. Be advised that's a large list (63000 lines, 2.73 megabytes). An unofficial list, older and with some errors, but some additional details/clues is at http://map-ne.com/Ethernet/Ethernet.txt.

> How would I get the MAC address after that? I guess I could script
> something using the list generated by tcpdump. Is there a simpler way?

We have all that information, but run a VERY PARANOID ship - so we're monitoring the ARP cache of the switches, routers, and some servers, 24/7 and comparing that data to a list of known MAC/IP addresses - 'arpwatch' will do something near identical. An unknown MAC or IP address causes mail to the NOC and Security station. As ours is a switched network, and we know where every switch port terminates, it's usually a footrace between a network administrator and a guard to see who gets to the intruder first.

Old guy
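Pulling the thread's suggestions together, the original poster's idea of scripting against tcpdump's ARP output, the `arp -a` dumps several replies point at, Old guy's practice of diffing what is seen against a ledger of known MAC/IP pairs (the comparison arpwatch automates), and the OUI lookup, here is an added example in Python. It is not code posted by anyone in this thread. It assumes the line format of `tcpdump -n -e arp` and of Linux and Windows `arp -a` as described in the regex comments; the sample capture, the cache dumps, the ledger and the two-entry OUI table (the two prefixes Old guy reports seeing on JetDirects) are all constructed for the example.

```python
"""Inventory IP->MAC from `tcpdump -n -e arp` output plus pasted `arp -a`
dumps, diff it against a ledger of known pairs (what arpwatch automates),
and tag MACs by OUI. Added example; all line formats and values are assumed."""
import re
from collections import defaultdict

# `tcpdump -n -e arp`: "ts src > dst, ethertype ARP (0x0806), length N: " then
# "Request who-has T tell S" or "Reply A is-at M" (format assumption).
TCPDUMP_ARP = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP \(0x0806\), "
    r"length \d+: (?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17}))"
)
# Linux:   "? (192.168.100.1) at 00:11:22:33:44:55 [ether] on eth0"
# Windows: "  192.168.100.1         00-11-22-33-44-55     dynamic"
ARP_CACHE = re.compile(
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)
# Prefixes the thread reports on JetDirect boxes; load IEEE oui.txt for real use.
OUI = {"08:00:09": "JetDirect (per thread)", "00:01:e6": "JetDirect (per thread)"}
# Constructed capture: printer request/reply, a 0.0.0.0 probe, and .10 asking
# from two different MACs (a re-used or spoofed address, worth a look).
SAMPLE_TCPDUMP = """\
08:27:55.100001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.20 tell 192.168.100.10, length 28
08:27:55.100231 00:01:e6:aa:bb:cc > 00:11:22:33:44:55, ethertype ARP (0x0806), length 60: Reply 192.168.100.20 is-at 00:01:e6:aa:bb:cc, length 46
08:27:57.300001 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.30 tell 0.0.0.0, length 28
08:27:58.400001 00:11:22:33:44:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.1 tell 192.168.100.10, length 28
"""
# Constructed `arp -a` dumps, one from a Linux box and one from Windows.
SAMPLE_ARP_CACHE = """\
? (192.168.100.1) at 00:00:5e:00:01:01 [ether] on eth0
? (192.168.100.99) at <incomplete> on eth0
  192.168.100.40        00-50-56-12-34-56     dynamic
"""
KNOWN = {  # the inherited ledger of who is supposed to have what (constructed)
    "192.168.100.1": "00:00:5e:00:01:01",
    "192.168.100.10": "00:11:22:33:44:55",
    "192.168.100.20": "00:01:E6:AA:BB:CC",
}

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def parse_tcpdump(text):
    """{ip: {mac, ...}}: a request reveals the asker (its 'tell' IP plus the
    frame source MAC), a reply reveals the answerer."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = TCPDUMP_ARP.match(line)
        if not m:
            continue
        if m.group("sender"):
            ip, mac = m.group("sender"), m.group("src")
        else:
            ip, mac = m.group("ip"), m.group("mac")
        if ip != "0.0.0.0":  # address probe, no host behind it yet
            seen[ip].add(norm_mac(mac))
    return seen

def parse_arp_cache(text):
    """{ip: {mac}} from `arp -a` output; incomplete entries carry no MAC."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ARP_CACHE.search(line)
        if m:
            seen[m.group("ip")].add(norm_mac(m.group("mac")))
    return seen

def build_inventory(capture=SAMPLE_TCPDUMP, cache=SAMPLE_ARP_CACHE):
    """Union of everything learned from the capture and the cache dumps."""
    inv = defaultdict(set)
    for src in (parse_tcpdump(capture), parse_arp_cache(cache)):
        for ip, macs in src.items():
            inv[ip] |= macs
    return inv

def audit(inv, known):
    """(kind, ip, mac) findings: flip-flop (one IP, several MACs), new-ip
    (absent from the ledger), changed-mac (present but from another MAC)."""
    findings = []
    for ip in sorted(inv, key=lambda a: tuple(map(int, a.split(".")))):
        macs = sorted(inv[ip])
        if len(macs) > 1:
            findings.append(("flip-flop", ip, ",".join(macs)))
        for mac in macs:
            expected = known.get(ip)
            if expected is None:
                findings.append(("new-ip", ip, mac))
            elif norm_mac(expected) != mac:
                findings.append(("changed-mac", ip, mac))
    return findings

def vendor(mac):
    """The first three octets (the OUI) identify the interface's maker."""
    return OUI.get(norm_mac(mac)[:8], "unknown OUI")

if __name__ == "__main__":
    for kind, ip, mac in audit(build_inventory(), KNOWN):
        print(f"{kind:12} {ip:16} {mac}  [{vendor(mac.split(',')[0])}]")
```

On the constructed data this reports 192.168.100.10 flip-flopping between two MACs (and the second MAC as a change from the ledger) and 192.168.100.40 as an address the ledger never knew about; the 0.0.0.0 probe and the incomplete cache entry are ignored rather than counted as hosts. Feed it a real `tcpdump -n -e arp > arp.log` file and the pasted output of `arp -a` from the routers and servers Old guy mentions, and the findings list is the to-do list for cleaning up the ledger.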