In CentOS 4 does anyone know the switches to get NMAP to reveal the MAC of the host being scanned?
I can't seem to find it and I am using nmap-4.20 - I am sure this was available somehow on older releases.
thanks
Sorry I don't have the answer off hand, but it might be as simple as increasing the level of verbosity. Another option is the 'arp' command, at least if the host is on the same network.
Mike
On Wed, May 7, 2008 at 12:07 PM, Tom Brown tom@ng23.net wrote:
> In CentOS 4 does anyone know the switches to get NMAP to reveal the MAC of the host being scanned?
> I can't seem to find it and I am using nmap-4.20 - I am sure this was available somehow on older releases.
> thanks
Tom Brown wrote:
> In CentOS 4 does anyone know the switches to get NMAP to reveal the MAC of the host being scanned?
> I can't seem to find it and I am using nmap-4.20 - I am sure this was available somehow on older releases.
> thanks
Must be some other issue....
    [root@localhost ~]# nmap XXX.XXX.XXX.101

    Starting Nmap 4.52 ( http://insecure.org ) at 2008-05-07 10:45 PDT
    Interesting ports on XXX.XXX.XXX.101:
    Not shown: 1712 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    1024/tcp open  kdm
    MAC Address: 00:B0:19:FF:8C:D4 (Casi-Rusco)

    Nmap done: 1 IP address (1 host up) scanned in 2.029 seconds
    [root@localhost ~]#
Appears to not require any switches.....
Tom Brown wrote:
> In CentOS 4 does anyone know the switches to get NMAP to reveal the MAC of the host being scanned?
> I can't seem to find it and I am using nmap-4.20 - I am sure this was available somehow on older releases.
MAC address is only available on the same network segment... And, I've noticed the newer versions of nmap only seem to show it if you run it as root....
    $ sudo nmap -sP -n 192.168.0.0/24
    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-06 23:30 PDT
    Host 192.168.0.1 appears to be up.
    MAC Address: 00:04:75:74:0B:3C (3 Com)
    Host 192.168.0.2 appears to be up.
    MAC Address: 00:14:85:89:3F:1B (Giga-Byte)
    Host 192.168.0.3 appears to be up.
    MAC Address: 00:07:E9:DE:CC:B7 (Intel)
    Host 192.168.0.10 appears to be up.
    Host 192.168.0.140 appears to be up.
    MAC Address: 00:0E:35:C6:F1:95 (Intel)
    Host 192.168.0.144 appears to be up.
    MAC Address: 00:13:CE:67:DC:12 (Intel Corporate)
    Host 192.168.0.251 appears to be up.
    MAC Address: 00:0F:66:A0:58:ED (Cisco-Linksys)
    Nmap finished: 256 IP addresses (7 hosts up) scanned in 6.576 seconds
vs...
    $ nmap -sP -n 192.168.0.0/24
    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-07 11:17 PDT
    Host 192.168.0.1 appears to be up.
    Host 192.168.0.2 appears to be up.
    Host 192.168.0.3 appears to be up.
    Host 192.168.0.10 appears to be up.
    Host 192.168.0.251 appears to be up.
    Nmap finished: 256 IP addresses (5 hosts up) scanned in 2.402 seconds
    You have new mail in /var/spool/mail/pierce

    $ nmap -V
    Nmap version 4.11 ( http://www.insecure.org/nmap/ )
Tom Brown wrote:
> In CentOS 4 does anyone know the switches to get NMAP to reveal the MAC of the host being scanned?
Others have given you good answers, but I felt I could share some insight on the matter..
The MAC address of a NIC is used by switches to send packets out the right port - As soon as you add a routing element, all traffic to a routed IP appears to be destined for the router, if one goes by the MAC address in the packet.
If the destination MAC were to be encoded in the packet, no switches would be able to keep their internal tables sane, as it would be flooded with MACs, all on the same port (the one connected to the gateway).
When a switch receives a packet addressed to a MAC that doesn't appear in the switch-internal list, the packet will be flooded (sent out on all ports). Once a packet from that MAC passes through the switch, that MAC will be added to the list, and future packets only leave that one port.
The main function of a switch is to keep irrelevant packets away from hosts, but packets to unknown (to the switch) hosts get sent everywhere, just like a Hub would do.
yes - thanks all, it appears it's a cross network 'issue'
thanks
If you're trying to get a MAC address across your own switches, you could try walking the switch's forwarding table (assuming SNMP availability). It's a cheesy way but works!
-Chris
On Wed, 7 May 2008 21:47:51 -0400 "Clonch, Christopher A." cclonch2@mchs.com wrote:
> If you're trying to get a MAC address across your own switches, you could try walking the switch's forwarding table (assuming SNMP availability). It's a cheesy way but works!
This will only work on a local network: once you have the IP address, you can do an arp -v
You cannot get the MAC address of a routed IP address, it only exists on a local network.
Here's the code snippet I've used to walk a router's MAC table:

    # Walk the router's IP-to-MAC table and print the MAC for exactly ${IPADDR}
    snmpwalk -v 1 -c public "${GWADDR}" ipNetToMediaPhysAddress \
      | grep -F ".${IPADDR} " | awk '{print $4}'

${GWADDR} is your router's IP and ${IPADDR} is the target's IP. This allows you to get MACs in another network. Would probably only work for one hop; everything I have tried it on was only a single hop away.
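A more defensive take on the lookup in the message above, as an added example that is not part of the original post: it matches the target IP exactly and zero-pads the MAC so it can be compared with nmap's output. The function names and the sample lines are constructed for illustration, and the line format is an assumption based on net-snmp's default text output.

```shell
#!/bin/sh
# Constructed sample of `snmpwalk ... ipNetToMediaPhysAddress` output.
# Assumption: net-snmp's default text format, which drops leading zeros
# in each MAC octet. The addresses are made up for this example.
sample_walk() {
cat <<'EOF'
IP-MIB::ipNetToMediaPhysAddress.2.192.168.0.1 = STRING: 0:4:75:74:b:3c
IP-MIB::ipNetToMediaPhysAddress.2.192.168.0.10 = STRING: 0:14:85:89:3f:1b
IP-MIB::ipNetToMediaPhysAddress.3.10.0.0.140 = STRING: 0:e:35:c6:f1:95
EOF
}

# mac_for_ip IP: read walk output on stdin and print the zero-padded,
# upper-case MAC for exactly that IP. Exit status is 1 if no entry exists.
mac_for_ip() {
    awk -v ip="$1" '
        {
            # The OID ends in <ifIndex>.<a>.<b>.<c>.<d>; compare the last
            # four components so 192.168.0.1 never matches 192.168.0.10.
            n = split($1, oid, ".")
            if (n < 5) next
            got = oid[n-3] "." oid[n-2] "." oid[n-1] "." oid[n]
            if (got != ip) next
            # Skip values that are not six colon-separated octets.
            m = split($NF, oct, ":")
            if (m != 6) next
            mac = ""
            for (i = 1; i <= 6; i++) {
                o = toupper(oct[i])
                if (length(o) == 1) o = "0" o
                mac = mac (i > 1 ? ":" : "") o
            }
            print mac
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# Demo on the constructed sample. Against a real router the input would be:
#   snmpwalk -v 1 -c public "$GWADDR" ipNetToMediaPhysAddress | mac_for_ip "$IPADDR"
sample_walk | mac_for_ip 192.168.0.1
```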
If you have CDP enabled switches, try one of the magic auto discovery programs out there. I use NetDisco (netdisco.org), but there is also nTop and a ton of commercial apps. CDP is Cisco, but all the major vendors have a similar protocol. NetDisco has a web interface listing what MACs/VLANs showed up on what ports, duplex mismatches, and all your switch OS/patch levels.
Patrick