Nmap Announce mailing list archives

RE: mac addr lookups?


From: wanb0y <wanb0y () earthlink net>
Date: Thu, 18 Feb 1999 00:25:51 -0600



----------
From:   Fyodor
Sent:   Wednesday, February 17, 1999 10:17 PM
To:     nmap-hackers () insecure org
Subject:        RE: mac addr lookups?

On Wed, 17 Feb 1999, White Cap wrote:

Since NMAP is the standard tool now for determining OSes remotely, I would
argue that it makes logical sense to incorporate arp scanning and spoof
detection into it.

So are you going to write the code then?  If you do, I will certainly put
it in the "nmap related projects" portion of the web page so that you and
anyone else who wants this capability can have it.  And if it is clean
I'll consider it adding it to the main source tree.

Remember we are not talking about Microsoft Word or NAI's CyberCop or
Internet Security Scanner where you have to beg the vendor for new
features.  You all have the code and can make it do whatever you feel is
worth the effort to put in.  You are even at liberty to distribute your
own version of nmap which has all your favorite features.  All development
tools you need to do this are completely free.

Nice to see Fyodor moderate this.  At least we avoid, "how can I get ppls MACs
on AOL?"

Thus I won't accept any more posts arguing for ARP scanning which don't
include (or point to) relevant C code.

This being said:

http://www.netlogic.ro/linuxdoc/arpwatch-2.1a4/

I use arpwatch after an arp spoof incident on my network or possibly, as Fyodor was
quick to point out, an attempt to fill the MAC addr buffers in the switch.

It is a good little app and can notify you of changes using e-mail.  For my 2 cents:

It is a very useful tool that also requires libpcap.  Hopefully nmap's "possibly
modified" version will not cause those who would run both utilities on the same
machine.  Fortunately (or not) I fall into the distributed paranoia farm, and run different
machines to listen than I use to probe.

Note: Fyodor, edit them if you don't want opinion; I provided obligatory code references, but
I might accuse you of censorship like our AOL friends ;)

We are basically discussing two separate classes of network utilities within this thread.
The first is a scanning tool, the second class is generally a change detection or network
fault detection tool.

IMHO

If you install it in a scanner, strictly to collect, then the people who use nmap for ID testing
will want the arp tool to collect MACs and perform change detection/notification (AKA arpwatch).

My very good C developer friends call this: "Feature Creep"

I think a balance is good, I don't have the hours in a day to build my own scanner like nmap,
but I can kludge two very good tools together.  And it is not nearly as ugly as I would expect from
Micro$oft, despite my lack of skill.

wanb0y 

IMHO
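A minimal illustration of the arpwatch-style change detection discussed above, together with a crude check for the switch MAC-table flooding mentioned earlier in the thread, added here by the editor; it is not code from nmap, arpwatch or anyone on this list. It parses the RFC 826 Ethernet/IPv4 ARP body, keeps an IP-to-MAC table, and classifies updates with the names arpwatch uses in its reports ("new station", "changed ethernet address", "flip flop"). The FLOOD_WINDOW_S and FLOOD_LIMIT thresholds, the 192.168.1.5 address and the MAC addresses are constructed for the demo and are not from the page.

```c
/* Added example (not nmap's or arpwatch's code): an arpwatch-style monitor
 * over constructed ARP reply bodies, plus a distinct-sender-MAC counter that
 * flags the CAM-table-flooding pattern.  All thresholds are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATIONS   64
#define FLOOD_WINDOW_S 10   /* assumed window, in seconds */
#define FLOOD_LIMIT    8    /* assumed: distinct sender MACs per window before alerting */

enum arp_event { EV_NONE, EV_NEW_STATION, EV_CHANGED_ADDR, EV_FLIP_FLOP, EV_MALFORMED };

struct station   { uint32_t ip; uint8_t mac[6]; uint8_t old_mac[6]; int has_old; };
struct arp_table { struct station st[MAX_STATIONS]; int n; };
struct flood_ctr { uint8_t macs[FLOOD_LIMIT][6]; int n; long window_start; };

/* Parse a 28-byte Ethernet/IPv4 ARP body (RFC 826 layout); 0 on success. */
static int parse_arp(const uint8_t *p, size_t len, uint16_t *op, uint8_t sha[6], uint32_t *spa)
{
    if (len < 28) return -1;
    if (((p[0] << 8) | p[1]) != 1 || ((p[2] << 8) | p[3]) != 0x0800 || p[4] != 6 || p[5] != 4)
        return -1;                                   /* not Ethernet/IPv4 ARP */
    *op = (uint16_t)((p[6] << 8) | p[7]);
    memcpy(sha, p + 8, 6);                           /* sender hardware address */
    *spa = ((uint32_t)p[14] << 24) | ((uint32_t)p[15] << 16) | ((uint32_t)p[16] << 8) | p[17];
    return 0;
}

/* Update the IP->MAC table and classify the change the way arpwatch reports it. */
enum arp_event observe(struct arp_table *t, uint32_t ip, const uint8_t mac[6])
{
    for (int i = 0; i < t->n; i++) {
        struct station *s = &t->st[i];
        if (s->ip != ip) continue;
        if (memcmp(s->mac, mac, 6) == 0) return EV_NONE;   /* same binding, nothing to report */
        /* "flip flop": the IP went back to its previous MAC, the classic spoof signature */
        enum arp_event ev = (s->has_old && memcmp(s->old_mac, mac, 6) == 0)
                            ? EV_FLIP_FLOP : EV_CHANGED_ADDR;
        memcpy(s->old_mac, s->mac, 6);
        s->has_old = 1;
        memcpy(s->mac, mac, 6);
        return ev;
    }
    if (t->n == MAX_STATIONS) return EV_NONE;              /* table full: drop silently */
    struct station *s = &t->st[t->n++];
    s->ip = ip; memcpy(s->mac, mac, 6); s->has_old = 0;
    return EV_NEW_STATION;
}

/* Count distinct sender MACs per window; returns 1 once the limit is exceeded,
 * which is what an attempt to fill the switch's MAC table looks like on the wire. */
int flood_check(struct flood_ctr *f, const uint8_t mac[6], long now)
{
    if (now - f->window_start >= FLOOD_WINDOW_S) { f->n = 0; f->window_start = now; }
    for (int i = 0; i < f->n; i++)
        if (memcmp(f->macs[i], mac, 6) == 0) return 0;     /* already counted */
    if (f->n == FLOOD_LIMIT) return 1;
    memcpy(f->macs[f->n++], mac, 6);
    return 0;
}

/* Full path for one captured ARP body: parse, learn only from replies, update table. */
enum arp_event process_packet(struct arp_table *t, const uint8_t *pkt, size_t len)
{
    uint16_t op; uint8_t sha[6]; uint32_t spa;
    if (parse_arp(pkt, len, &op, sha, &spa) != 0) return EV_MALFORMED;
    if (op != 2) return EV_NONE;                           /* ARP reply opcode is 2 */
    return observe(t, spa, sha);
}

/* Build a constructed ARP reply body (target fields left zero) for the demo. */
void make_reply(uint8_t out[28], const uint8_t sha[6], uint32_t spa)
{
    static const uint8_t hdr[8] = { 0, 1, 0x08, 0, 6, 4, 0, 2 };
    memset(out, 0, 28);
    memcpy(out, hdr, 8);
    memcpy(out + 8, sha, 6);
    out[14] = (uint8_t)(spa >> 24); out[15] = (uint8_t)(spa >> 16);
    out[16] = (uint8_t)(spa >> 8);  out[17] = (uint8_t)spa;
}

int main(void)
{
    static const char *names[] = { "none", "new station", "changed ethernet address", "flip flop", "malformed" };
    const uint8_t a[6] = { 0x00, 0x50, 0x56, 0x01, 0x02, 0x03 };   /* constructed */
    const uint8_t b[6] = { 0x00, 0x0c, 0x29, 0xaa, 0xbb, 0xcc };   /* constructed */
    const uint8_t *seq[] = { a, b, a };                            /* a -> b -> a: flip flop */
    struct arp_table t = { 0 };
    uint8_t pkt[28];
    for (int i = 0; i < 3; i++) {
        make_reply(pkt, seq[i], 0xc0a80105u);                      /* 192.168.1.5, constructed */
        printf("192.168.1.5 -> %02x:%02x:%02x:%02x:%02x:%02x: %s\n",
               seq[i][0], seq[i][1], seq[i][2], seq[i][3], seq[i][4], seq[i][5],
               names[process_packet(&t, pkt, 28)]);
    }
    return 0;
}
```

Feeding it a real capture would mean pulling ARP bodies out of libpcap frames (Ethertype 0x0806, body at offset 14) and calling process_packet and flood_check per packet; the table is deliberately in-memory only, where arpwatch persists its database across runs.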




