Nmap Development mailing list archives

Re: MAC replies

From: doug () hcsw org
Date: Fri, 22 Oct 2004 02:16:08 +0100

Hi All,

I just want to say that I think ARP scanning would be a great idea for
nmap. I fully understand the difficulty in implementing this portably
though.

In fact, a while ago I implemented a patch that added ARP scanning to
nmap-2.54BETA27 (ancient history, I know...). Essentially, the
patch added a -PR option that would ping the host using ARP instead of
the defaults (ICMP/TCP). For instance, to ping a host using ARP, you
would want to use the options -SP and -PR. Adding ARP scanning as a
ping option seemed (and still seems) to be the most sensible interface
for ARP scanning.

The patch, unfortunatley, used libnet and as such was, understandably,
not eligible for inclusion in the main distribution.

Perhaps someone working on this problem might find the patch useful. You
can download it (along with some documentation) here:

http://hcsw.org/nmap/nmap-2.54BETA27-arp-patch.tgz

Good luck,

Doug Hoyte



On Thu, Oct 21, 2004 at 05:28:20PM -0700 or thereabouts, Fyodor wrote:

On Tue, Oct 19, 2004 at 09:17:43AM -0400, Adam Jacob Muller wrote:

Now that nmap has the ability to log MAC addresses does it use the fact 
that it got an arp reply to establish that the host is in fact up, my 
idea here basically is that an ARP reply is basically the only sure way 
to determine if a host is up or not, if you don't get one, then that 
host must be down, if you do in 99.99% of cases it is up (feel free to 
correct me), so does, or should nmap use a positive ARP reply to say 
that the host is up?


Yes, ARP scanning is definitely high on my "todo" list.  But Nmap does
not yet actually do ARP at all.  It just so happens that the IP packet
responses Nmap gets include the ethernet headers as well.  So Nmap
grabs them that way.  Once Nmap learns to speak raw ethernet in a
portable fashion, ARP scanning (which obviously will only work on a
local network) will not be far behind.

Cheers,
-F

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org

Attachment: _bin
Description:

Current thread:

MAC replies Adam Jacob Muller (Oct 19)
- Re: MAC replies mark (Oct 19)
  - RE: MAC replies Alex R (Oct 19)
- Re: MAC replies Brett Campbell (Oct 19)
  - Re: MAC replies Tristan Seligmann (Oct 19)
- Re: MAC replies Fyodor (Oct 21)
  - Re: MAC replies doug (Oct 21)