Nmap Development mailing list archives

ARP scanning and VMware


From: Paul Johnston <paj () pajhome org uk>
Date: Fri, 29 Jul 2011 13:24:05 +0100

Hi,

I've been doing ARP scanning using nmap from a VMware guest (Backtrack 4.2)
using bridged networking. I've noticed that the VMware host machine doesn't
appear in the scan results.

In fact, looking closer, the host doesn't respond to the ARP requests at
all - even ones generated by the guest's kernel. It seems the only way the
guest ever knows the host's address is receiving ARP queries inbound. I
presume this is due to the VMware virtual switch not forwarding broadcast
frames quite right. It may be worth mentioning this in the documentation
somewhere as a potential gotcha.

I also wondered how the scan detects local addresses - it doesn't generate
an ARP request for these. Is it looking at the output of ifconfig?

I need a reliable way to detect all hosts on the network. At the moment, my
best option seems to be combining an ARP scan with the local ARP cache. I
wondered if anyone had any better suggestions? Perhaps I should report this
to VMware as a bug.

Paul
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
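
The workaround mentioned in the message, combining an ARP scan with the local ARP cache, could look like the following. This is an added example, not code from the post or from Nmap. It assumes the scan was saved in Nmap's grepable format (`nmap -sn -PR -oG -`) and that the cache is read from Linux `/proc/net/arp`; the addresses, MACs and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: grepable output of "nmap -sn -PR -oG - 192.168.1.0/24".
NMAP_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.20 (guest.example)\tStatus: Up\n"
)

# Constructed sample in the layout of Linux /proc/net/arp.
PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:50:56:aa:bb:01     *        eth0
192.168.1.10     0x1         0x2         00:1c:42:aa:bb:10     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

ATF_COM = 0x02  # kernel flag: entry has a resolved hardware address

def parse_nmap_grepable(text):
    """Return the set of addresses the scan reported as up."""
    return set(re.findall(r"^Host: (\S+) .*Status: Up", text, re.M))

def parse_arp_cache(text, device=None):
    """Return {ip: mac} for complete entries, optionally for one interface."""
    entries = {}
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) == 6 and int(f[2], 16) & ATF_COM and device in (None, f[5]):
            entries[f[0]] = f[3].lower()
    return entries

def merge_hosts(scan_up, cache):
    """Union of both sources: {ip: (mac or None, list of sources)}."""
    merged = {}
    for ip in sorted(scan_up | set(cache), key=ipaddress.ip_address):
        pairs = (("scan", ip in scan_up), ("cache", ip in cache))
        merged[ip] = (cache.get(ip), [name for name, seen in pairs if seen])
    return merged

def cache_only(merged):
    """Hosts the kernel has heard from but that never answered the scan."""
    return [ip for ip, (_mac, src) in merged.items() if src == ["cache"]]
```

Incomplete cache entries (flags `0x0`, all-zero MAC) are dropped, so an address the guest merely tried to resolve is not counted as a live host. In the constructed data, `192.168.1.10` plays the role of the VMware host: present in the cache, absent from the scan.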

