Nmap Announce mailing list archives
RE: mac addr lookups?
From: wanb0y <wanb0y () earthlink net>
Date: Thu, 18 Feb 1999 00:25:51 -0600
----------
From: Fyodor
Sent: Wednesday, February 17, 1999 10:17 PM
To: nmap-hackers () insecure org
Subject: RE: mac addr lookups?

On Wed, 17 Feb 1999, White Cap wrote:
Since NMAP is the standard tool now for determining OSes remotely, I would argue that it makes logical sense to incorporate arp scanning and spoof detection into it.
So are you going to write the code then? If you do, I will certainly put it in the "nmap related projects" portion of the web page so that you and anyone else who wants this capability can have it. And if it is clean I'll consider adding it to the main source tree.
Remember we are not talking about Microsoft Word or NAI's CyberCop or Internet Security Scanner where you have to beg the vendor for new features. You all have the code and can make it do whatever you feel is worth the effort to put in. You are even at liberty to distribute your own version of nmap which has all your favorite features. All development tools you need to do this are completely free.
Nice to see Fyodor moderate this. At least we avoid, "how can I get ppls MACs on AOL?"
Thus I won't accept any more posts arguing for ARP scanning which don't include (or point to) relevant C code.
This being said: http://www.netlogic.ro/linuxdoc/arpwatch-2.1a4/

I use arpwatch after an arp spoof incident on my network or possibly, as Fyodor was quick to point out, an attempt to fill the MAC addr buffers in the switch. It is a good little app and can notify you of changes using e-mail.

For my 2 cents: It is a very useful tool that also requires libpcap. Hopefully nmap's "possibly modified" version will not cause those who would run both utilities on the same machine. Fortunately (or not) I fall into the distributed paranoia farm, and run different machines to listen than I use to probe.

Note: Fyodor, edit them if you don't want opinion, I provided obligatory code references, but I might accuse you of censorship like our AOL friends ;)

We are basically discussing two separate classes of network utilities within this thread. The first is a scanning tool, the second class is generally a change detection or network fault detection tool. IMHO If you install it in a scanner, strictly to collect, then the people who use nmap for ID testing will want the arp tool to collect MACs and perform change detection/notification (AKA arpwatch.) My very good C developer friends call this: "Feature Creep"

I think a balance is good, I don't have the hours in a day to build my own scanner like nmap, but I can kludge two very good tools together. And it is not nearly as ugly as I would expect from Micro$oft, despite my lack of skill.

wanb0y IMHO