IP scanner tools

Hi,

Does any one know a free ip scanner (like Angry IP scanner) that can also pull back mac address from remote subnets?

I have enterprise tools that do it, but some one asked me for one and I cant seem to find any thing. http://www.switchportmapper.com/ does it but this is for mapping ports to switch not just IP address.

I was thinking some thing like angrey IP scanner that you can also put in details of router devices along with SNMP communities, so first it pings the IP address, then gathers mac address tables and does a look up to find the mac address.

Trouble is with a switch port mapper it will only report devices that are connected to a manged switch, and some thing like angry IP scanner will only return info other than IP address like OS version for devices that support it.

So this guy wants the features of angry IP scanner that will report any live IP address, but if it cant get back OS info it will at least report back all the mac address.

Any ideas?

Find more posts tagged with

Comments

beads

NMap would have some but not all of these features. Most scanners wouldn't necessarily be able to query layer 2 or be very, very slow to scan anything.

I am curious as to why he would want or need the MAC address to a destination beyond being able to clone the source off. Sounds like ethically dubious territory.

I retain the right to remain wrong...

- b/eads

DevilWAH

because mac address tells you device type. So if you are scanning a remote sub net using angry IP scanner it will show you all the live ip address, and if the OS supports it or using netbios you can pull back some more info. So you might get that its a windows box and its host name etc...

but some will just return an IP. If you can get back mac address you can say.

IP address x.x.x.x is a Samsung device, and IP address y.y.y.y is a netgear device...

Now i know samsung thin clients don't respond with OS info but I have a list of all the thin client mac address so I can check this out. but that netgear, what the hell is that doing on my network, has some one plugged in a hub??

for a network engineer hardware address are what its all about, a IP address is just an alias, its the mac address that hold information.

and i was not suggesting layer 2 scanning there are arp scanners out there for that, which again are very useful for a network engineer as a ping scan does not tell you whats on the network. IF some one patches in a device to your network that has a firewall turned on then it will not replay to pings, but it will reply to arp requests. So if you want to check if an IP address really is free on a network an arp ping is much more reliable than icmp. But again ARP pings / requests dont move across layer 3 devices so only work on local subnets.

What I am talking about if doing a standard ping sweep, and then grabbing the arp cache of the remote routers. Its standard switch port mapping that most enterprise network tools have built in, so you can see not only if the IP address is live but also what port on the network the switch is patches in to. Also the suggestion I am talking about assumes that you have admin access to the router to get the arp cache from, if some one has that then you are way past the point of worrying about "cloning mac address". Plus mac address cloning is really not something to worry to much about plenty of methods on the network to detect and mitigate that these days.

but again why do people always assume negative reasons for some thing? As I say MAc address is what network engineers live on, its what is the unique identifier on the network, the host name maps to the ip and the ip maps to the mac address. If you are a network engineer (or analysts / designer as I am) you want all three bits of that information when auditing and trouble shooting.

wes allen

If they have access to the switches/routers, why wouldn't they just **** the arp tables and call it a day? No need to actively scan anything.

If you don't have access to the network gear, than a script that does an nbtstat against live remote devices seems like something that might work for windows - there is a nmap script: https://nmap.org/nsedoc/scripts/nbstat.html But the host has to have a way to query and report it's own info, so pretty much windows only.

DevilWAH

Because that's like saying why use a tool like nmap as all that is is a collection of other tools bound together by a script, you could just do it all long hand and call it a day... Also you do need to scan as the arp tables wont have entries unless the devices has recently been communicating.

So the long hand process is

1. ping the ip addres.
2. log on the net work device and **** the mac address.

Now if its one device you can do a straight forward look up, but if its 1,000's and you have multiple devices you need to grab the arp tables from then you need to log in to each to to do the look up, or **** them and then parse them and do the cross matching..

As the arp-tables are a RFC standard MIB, if this is some thing you are going to do a lot then you might want to automate the steps. Assuming you are working from a device that has SNMP access to all the devices and can ping all the subnets then you can do this using any scripting language, ping and net-snmp.

That all any application / tool is, just simply automating a logical workflow.

I think i mentioned that yes nbstat and such like are great for devices that support it, even better for windows machines you have admin rights to is "getmac /s viper" and they send there mac address back.

I am well versed in the long hand ways of getting information from network devices, I am simple asking if there is already a tool on the market that does what i asked, or I will script one up for the guy.

Also I have said twice now that I know of tools that can do this for hosts that can report it but am looking for a tool that can pull back the mac address for ones that can't. I know people are trying to help but why repeat what I have already outlined?

thomas_

I'm guessing you would need some sort of port mirroring on the switches connecting to the clients and then some device that would be able to collect the mac addresses and send it out via an application.

The problem with collecting MAC addresses remotely is that at each hop the "TO" and "FROM" MAC addresses are changed.

DevilWAH

Hi Thomas. AS long as you know the finaly Layer 3 device then this is where you need to get he ARP tables from. So in the diagram attached the final router in the chain will have to send the packet to the end station so will do a arp look up and have the "real" mac address.

Now you can find this two ways, either do a traceroot to the device (or the broadcast address of the sub net its on, this way you can do one trace-root per subnet rather than for each device), or define it manually.

Like a PC all routers have a arp table populate with all the IP address the are routing for, so there is no need to mirror, you can just ask this device for a list of all the MAC to IP address it knows about. using SNMP is one very well documents and standardized way to do this. Once you have this table you just have to search though it for the IP address your interested in and then read across to the mac address.

open up a command prompt on your PC and type "arp - a" you will get a list of mac to ip address, essenestly this is just the same but your running that command on the last router in the chain, as like you say if you do it any where else you wont get the right address. you also need to make sure you ping the device first so a packet passes though the router and the arp table is populated.

Example remote subnet.jpg

DevilWAH

oh sorry i see what you mean by just **** the file.

If there was just one or two devices then yes I agree, but in this case its many possible devices in many locations. and many different sub nets. So its just a case of automating the steps he is after.

Actually I might make this tool after all as it would allow you to audit a remote subnet for address usage remotely. If you want to see address usage on a remote subnet and you ping it that will not show up device that don't respond to pings, but if you ping all the address, then grab the arp table, this will have entries for any thing that responds to a arp request. which is any thing that has an IPV4 address. Very few devices can work with out responding to ARP.

I am working on an IPAM solution with a company at the moment, so might integrate this in to it for more accurate IP address management. the system already has SNMP polling for the network and server monitoring side of things, so has the information in it already.