Nmap Development mailing list archives

Re: ARP scanning and VMware


From: David Fifield <david () bamsoftware com>
Date: Fri, 7 Oct 2011 15:27:40 -0700

On Fri, Jul 29, 2011 at 01:24:05PM +0100, Paul Johnston wrote:
> Hi,
>
> I've been doing ARP scanning using nmap from a VMware guest (Backtrack 4.2)
> using bridged networking. I've noticed that the VMware host machine doesn't
> appear in the scan results.
>
> In fact, looking closer, the host doesn't respond to the ARP requests at
> all - even ones generated by the guest's kernel. It seems the only way the
> guest ever knows the host's address is receiving ARP queries inbound. I
> presume this is due to the VMware virtual switch not forwarding broadcast
> frames quite right. It may be worth mentioning this in the documentation
> somewhere as a potential gotcha.
>
> I also wondered how the scan detects local addresses - it doesn't generate
> an ARP request for these. Is it looking at the output of ifconfig?

Nmap compares the address against the local interface table. It doesn't
look at ifconfig but uses one of a variety of platform-specific methods
to get the interface table. See route_dst_generic in
libnetutil/netutil.cc.
  /* First check if dst is one of the localhost's own addresses. We need to use
     a localhost device for these. */

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
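
The local-address check described in the reply above, as an added example that is not part of the original message and not Nmap's source. It uses POSIX getifaddrs() as a stand-in for Nmap's platform-specific interface-table code; the names owning_interface and is_local_ipv4 are hypothetical.

```c
/* Added illustration, not Nmap source: decide whether a destination is one of
   this machine's own addresses by walking the interface table (getifaddrs). */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return the name of the interface in `table` that owns `dst`, or NULL. */
const char *owning_interface(const struct ifaddrs *table,
                             const struct sockaddr *dst) {
  for (const struct ifaddrs *i = table; i != NULL; i = i->ifa_next) {
    if (i->ifa_addr == NULL || i->ifa_addr->sa_family != dst->sa_family)
      continue; /* interface without an address, or a different family */
    if (dst->sa_family == AF_INET) {
      const struct sockaddr_in *a = (const struct sockaddr_in *)i->ifa_addr;
      const struct sockaddr_in *d = (const struct sockaddr_in *)dst;
      if (a->sin_addr.s_addr == d->sin_addr.s_addr)
        return i->ifa_name;
    } else if (dst->sa_family == AF_INET6) {
      const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)i->ifa_addr;
      const struct sockaddr_in6 *d = (const struct sockaddr_in6 *)dst;
      if (memcmp(&a->sin6_addr, &d->sin6_addr, sizeof a->sin6_addr) == 0)
        return i->ifa_name;
    }
  }
  return NULL;
}

/* 1 if the IPv4 literal `ip` is a local address, 0 if not, -1 on error. */
int is_local_ipv4(const char *ip) {
  struct sockaddr_in dst = {0};
  struct ifaddrs *table;
  dst.sin_family = AF_INET;
  if (inet_pton(AF_INET, ip, &dst.sin_addr) != 1 || getifaddrs(&table) != 0)
    return -1;
  int local = owning_interface(table, (struct sockaddr *)&dst) != NULL;
  freeifaddrs(table);
  return local;
}

int main(int argc, char **argv) {
  const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
  int r = is_local_ipv4(ip);
  printf("%s: %s\n", ip, r == 1 ? "local address (found in interface table)"
                         : r == 0 ? "not a local address" : "error");
  return r < 0;
}
```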

