Nmap Development mailing list archives

Re: 2 ideas for NMAP, 1 open question


From: "Andy Lutomirski" <Luto () myrealbox com>
Date: Fri, 24 May 2002 08:55:13 -0700

[lots of headers and text snipped]



Date: Fri, 24 May 2002 00:12:12 -0700 (PDT)
From: Lamont Granquist <lamont () scriptkiddie org>
To: <nmap-hackers () insecure org>
Subject: 2 ideas for NMAP, 1 open question


ARP scan.

I've noticed that this is what happens anyways when you do a TCP or ICMP
scan on your local network (just think about it for a second).  You could
just cut to the chase and do this directly.  Ideally do it massively
parallel as well, so that you can do a fast local network discovery.
Really NMAP should know what networks are on your local interfaces and you
should be able to specify just with a couple switches that you want to do
a complete local network discovery.

For a working partial implementation of ARP scan, look no farther than the
nmap source in mswin32/winip/pcapsend.c.  I needed to resolve ARP on my own
to get it working over winpcap, so I wrote an ARP cache/send layer.  The
only problems are that it is Windows-specific (easily fixed as long as there
is a portable way to _write_ link-layer packets), that its data structures
are not terribly effective for massive ARP scan (also easily fixed,
especially if we can use STL ;), and that it depends on an OS-specific way
to query the ARP cache.  I dunno if *NIX has this, but at the very least it
should be doable with an SNMP-like mechanism (that's how, IIRC, I did it for
win95).  Unfortunately, the presence of this code does not mean that nmap
can currently ARP-scan on Windows :(  It may prove a useful reference,
though.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
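As an added illustration (not nmap's code, and not the pcapsend.c ARP layer described above): the 42-byte Ethernet-framed ARP request a local discovery sweep would send, plus the checks a receiver should apply before counting an ARP reply as a discovered host. Field offsets follow RFC 826; the MAC and IP values in arp_selftest are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_ARP_LEN 42  /* 14-byte Ethernet header + 28-byte ARP body (RFC 826) */
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* Build the broadcast "who-has dst_ip" request that a local discovery sweep
 * sends from the interface src_mac/src_ip.  Returns 42, or 0 if buf is too small. */
size_t build_arp_request(uint8_t *buf, size_t buflen, const uint8_t src_mac[6],
                         uint32_t src_ip, uint32_t dst_ip)
{
    if (buflen < ETH_ARP_LEN) return 0;
    memset(buf, 0xff, 6); memcpy(buf + 6, src_mac, 6);      /* Ethernet dst broadcast, src */
    put16(buf + 12, 0x0806);                                 /* EtherType: ARP */
    put16(buf + 14, 1); put16(buf + 16, 0x0800);             /* HTYPE Ethernet, PTYPE IPv4 */
    buf[18] = 6; buf[19] = 4; put16(buf + 20, 1);            /* HLEN, PLEN, OPER = request */
    memcpy(buf + 22, src_mac, 6); put32(buf + 28, src_ip);   /* SHA, SPA */
    memset(buf + 32, 0, 6); put32(buf + 38, dst_ip);         /* THA unknown, TPA = probed host */
    return ETH_ARP_LEN;
}
/* Accept only a well-formed ARP reply whose TPA is my_ip (unrelated ARP chatter on
 * the segment is dropped); copy the responder's MAC/IP out and return 1, else 0. */
int parse_arp_reply(const uint8_t *f, size_t len, uint32_t my_ip,
                    uint8_t mac_out[6], uint32_t *ip_out)
{
    if (len < ETH_ARP_LEN || get16(f + 12) != 0x0806) return 0;
    if (get16(f + 14) != 1 || get16(f + 16) != 0x0800 || f[18] != 6 || f[19] != 4) return 0;
    if (get16(f + 20) != 2 || get32(f + 38) != my_ip) return 0;
    memcpy(mac_out, f + 22, 6);
    *ip_out = get32(f + 28);
    return 1;
}
/* Constructed round trip: 192.168.0.1 probes 192.168.0.2 and then parses the
 * reply that host would send.  Returns 1 when the responder is recorded correctly. */
int arp_selftest(void)
{
    static const uint8_t me[6] = {0x00,0x11,0x22,0x33,0x44,0x55}, peer[6] = {0x66,0x77,0x88,0x99,0xaa,0xbb};
    uint8_t req[ETH_ARP_LEN], rep[ETH_ARP_LEN], mac[6];
    uint32_t ip;
    if (build_arp_request(req, sizeof req, me, 0xC0A80001, 0xC0A80002) != ETH_ARP_LEN) return 0;
    if (parse_arp_reply(req, sizeof req, 0xC0A80001, mac, &ip)) return 0;  /* a request is not a reply */
    memcpy(rep, req, ETH_ARP_LEN); memcpy(rep, me, 6); memcpy(rep + 6, peer, 6); /* Ethernet swapped */
    put16(rep + 20, 2); memcpy(rep + 22, peer, 6); put32(rep + 28, 0xC0A80002); /* OPER reply, SHA, SPA */
    memcpy(rep + 32, me, 6); put32(rep + 38, 0xC0A80001);                      /* THA, TPA */
    if (!parse_arp_reply(rep, sizeof rep, 0xC0A80001, mac, &ip)) return 0;
    return ip == 0xC0A80002 && memcmp(mac, peer, 6) == 0;
}
```

Sending the frame and reading replies still needs a link-layer write/read path such as the WinPcap one Andy mentions; the parser above is what keeps stray gratuitous ARPs and replies meant for other hosts out of the result set.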
