From: Jason Lewis (jlewis@packetnexus.com)
Date: Tue Feb 04 2003 - 19:32:53 EST
This may be part of my problem. I have a list of IPs and MACs. There are
multiple MACs tied to a single IP. I was under the impression this data
was gathered from ARP tables from several machines across the network.
I figured the reason I was seeing multiple MACs for a single IP was
because the router responded for the IP behind it. Any other explanation
for what I am seeing?
jas
> Jason,
>
> If the machines were behind a router you would not see anything for ARP.
> At that point you are routing and not switching. True, you would see
> an MAC address for the router but remember, the MAC address is part of
> the frame and the IP address is part of the packet. Therefore the only
> time that the two are tied together is on the local subnet.
>
> Any tool to map networks based on arp tables would have to have access
> to the arp tables for each individual subnet.
>
> "If machines were behind a router the ARP tables would show multiple
> IP's with the same MAC." No, the arp tables would only show the routers
> IP address and the mac address of the router. A routing table would
> show IP addresses "behind" the routers IP address (maybe, default routes
> would throw this off). Routing tables are global while arp tables are
> local to the subnet.
>
> Hope this helps.
>
> Kevin
> ----- Original Message -----
> From: "Jason Lewis" <jlewis@packetnexus.com>
> To: <pen-test@securityfocus.com>
> Sent: Tuesday, February 04, 2003 6:36 PM
> Subject: Using ARP to map a network
>
>
>> I have searched and can't seem to find any tools to help map a network
>> based on ARP tables.
>>
>> It seems to me, I could take ARP tables from several machines and
>> build a network map. If machines were behind a router the ARP tables
>> would show multiple IP's with the same MAC. With enough ARP tables,
>> wouldn't I be able to build a map?
>>
>> Is my theory flawed?
>>
>> My goal is to do passive network mapping based on any local
>> information I can obtain from computers or network devices. Anyone
>> have any ideas?
>>
>> jas
>>
>>
>>
>> --------------------------------------------------------------------------
> --
>> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA)
>> Service. For more information on SecurityFocus' SIA service which
>> automatically alerts you to the latest security vulnerabilities please
> see:
>> https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT