


nmap and adapter question

Hi All,

Is there a way to tell nmap to scan an adapter (eth1, tap0, etc.)
instead of an IP range?

Many thanks,
-T

T
12/23/2016 3:25:41 AM
comp.os.linux.misc

Hello,

On 23/12/2016 at 04:25, T wrote:
>
> Is there a way to tell nmap to scan an adapter (eth1, tap0, etc.)
> instead of an IP range?

What do you mean exactly by "scan an adapter" ?
Source or target adapter ?
Scan in what way, for which results ?

Pascal
12/23/2016 12:35:40 PM
On Thu, 22 Dec 2016 19:25:41 -0800, T wrote:

> Hi All,
> 
> Is there a way to tell nmap to scan an adapter (eth1, tap0, etc.)
> instead of an IP range?
> 
> Many thanks,
> -T

Try the --send-eth option.
I'm looking at
$ nmap -V

Nmap version 7.12 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: liblua-5.2.4 openssl-1.0.2g libpcre-8.39 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select


OTOH, if you want to snoop traffic seen by a particular adapter then
you want tcpdump.
Joe
12/23/2016 4:02:55 PM
On 12/23/2016 04:35 AM, Pascal Hambourg wrote:
> Hello,
>
> On 23/12/2016 at 04:25, T wrote:
>>
>> Is there a way to tell nmap to scan an adapter (eth1, tap0, etc.)
>> instead of an IP range?
>
> What do you mean exactly by "scan an adapter" ?
> Source or target adapter ?
> Scan in what way, for which results ?
>

I want to see all mac addresses on the Ethernet
that the cable plugs into, regardless of whether
they even have an IP address or not.

I guess what I am looking for is a MAC address
scanner that doesn't use IP scanning
T
12/24/2016 12:08:54 AM
T <T@invalid.invalid> wrote:
>I guess what I am looking for is a MAC address
>scanner that doesn't use IP scanning

Before you try, just guesstimate how long such a scan over a 48-bit
number will take. You can try the broadcast address, but devices
trying to hide are unlikely to respond to that.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
Marc
12/24/2016 11:08:54 AM
On 24/12/2016 at 12:08, Marc Haber wrote:
> T <T@invalid.invalid> wrote:
>> I guess what I am looking for is a MAC address
>> scanner that doesn't use IP scanning
>
> Before you try, just guesstimate how long such a scan over a 48-bit
> number will take. You can try the broadcast address, but devices
> trying to hide are unlikely to respond to that.

What kind of scan are you thinking about ?
I wonder what kind of non-{IP,ARP} packet would trigger a reply from the 
target.
Pascal
12/24/2016 11:28:17 AM
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>On 24/12/2016 at 12:08, Marc Haber wrote:
>> T <T@invalid.invalid> wrote:
>>> I guess what I am looking for is a MAC address
>>> scanner that doesn't use IP scanning
>>
>> Before you try, just guesstimate how long such a scan over a 48-bit
>> number will take. You can try the broadcast address, but devices
>> trying to hide are unlikely to respond to that.
>
>What kind of scan are you thinking about ?

None yet. I just was trying to suggest that even thinking about doing
a full MAC address range scan is unlikely to be feasible.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
Marc
12/24/2016 11:46:19 AM
On 24/12/16 13:28, Pascal Hambourg wrote:
> On 24/12/2016 at 12:08, Marc Haber wrote:
>> T <T@invalid.invalid> wrote:
>>> I guess what I am looking for is a MAC address
>>> scanner that doesn't use IP scanning
>>
>> Before you try, just guesstimate how long such a scan over a 48-bit
>> number will take. You can try the broadcast address, but devices
>> trying to hide are unlikely to respond to that.
>
> What kind of scan are you thinking about ?
> I wonder what kind of non-{IP,ARP} packet would trigger a reply from the
> target.

Ethernet broadcast will reach all. There are interrogation formats for 
known protocols. I am not sure there aren't generic 'tell me what MAC 
you have and what protocol you speak' ones.

I posted an RFC for the generic ARP-style probe, but didn't read it.
The
12/24/2016 1:19:32 PM
On 24/12/16 13:46, Marc Haber wrote:
> Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>> On 24/12/2016 at 12:08, Marc Haber wrote:
>>> T <T@invalid.invalid> wrote:
>>>> I guess what I am looking for is a MAC address
>>>> scanner that doesn't use IP scanning
>>>
>>> Before you try, just guesstimate how long such a scan over a 48-bit
>>> number will take. You can try the broadcast address, but devices
>>> trying to hide are unlikely to respond to that.
>>
>> What kind of scan are you thinking about ?
>
> None yet. I just was trying to suggest that even thinking about doing
> a full MAC address range scan is unlikely to be feasible.
>

It's a broadcast of all 1's and sort the responses

> Greetings
> Marc
>

The
12/24/2016 1:20:22 PM
The Natural Philosopher <tnp@invalid.invalid> wrote:
>Ethernet broadcast will reach all. There are interrogation formats for 
>known protocols.

How likely is a device that knows that it is not supposed to be on
this network and wants to hide to respond to that?

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
Marc
12/24/2016 3:43:27 PM
On 24/12/2016 at 14:19, The Natural Philosopher wrote:
> On 24/12/16 13:28, Pascal Hambourg wrote:
>> I wonder what kind of non-{IP,ARP} packet would trigger a reply from the
>> target.
>
> Ethernet broadcast will reach all. There are interrogation formats for
> known protocols.

Can you provide just one single example of such an interrogation protocol 
for any protocol ?

> I am not sure there aren't generic 'tell me what MAC
> you have and what protocol you speak ' ones.

I'm sure there aren't.
Pascal
12/24/2016 6:25:53 PM
On 24/12/16 17:43, Marc Haber wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> Ethernet broadcast will reach all. There are interrogation formats for
>> known protocols.
>
> How likely is a device that knows that it is not supposed to be on
> this network and wants to hide to respond to that?
>

About as likely as finding a bit of hardware that possesses 
consciousness and intention I would say, wouldn't you?

> Greetings
> Marc
>

The
12/24/2016 7:50:57 PM
On Sat, 24 Dec 2016, in the Usenet newsgroup comp.os.linux.misc, in article
<o3lm4h$2eld$1@saria.nerim.net>, Pascal Hambourg wrote:

> On 24/12/2016 at 12:08, Marc Haber wrote:

>> T <T@invalid.invalid> wrote:

>>> I guess what I am looking for is a MAC address
>>> scanner that doesn't use IP scanning

Doesn't really exist - There are methods of "sniffing" all packets on a
wire, but there are thousands of different (incompatible) network
protocols that one might find on a wire.  Some network sniffers, such as
wireshark and tcpdump may be able to record some of the protocols, but
I wouldn't count on it.   In the early 1990s, the network department I
worked in was funded by collecting "tolls" from each user on our wires,
and we monitored such usage by dumping the ARP cache/hardware address
lists from the routers and Ether-switches (using a Perl script to
compare observed MAC addresses to lists of "authorized" users).

Bottom line - what are you ACTUALLY attempting to try to accomplish?

>> Before you try, just guesstimate how long such a scan over a 48-bit
>> number will take. You can try the broadcast address, but devices
>> trying to hide are unlikely to respond to that.

Broadcast scanning went out of fashion well over 25 years ago - then, we
typically had 500-700 hosts on a single collision domain, and if all (or
even just a small fraction) of them tried to reply to a broadcast... 
you might be able to visualize the calamity, and the network would be
unusable for several seconds due to crashes everywhere.

>I wonder what kind of non-{IP,ARP} packet would trigger a reply from
>the  target.

It would have to be specific to the network protocol the target was
speaking (whether it be ARP for IPv4, neighbor discovery for IPv6, Zone
Information Protocol for Appletalk, and so on).   And this further
implies that the various targets are actually configured - the actual
Ethernet (or Token-Ring or LocalTalk, or whatever) network interface
doesn't know how to talk on its own.

        Old guy
Moe
12/24/2016 9:33:16 PM
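
The inventory check described in the post above (dump the ARP/neighbor table, then compare observed MAC addresses to a list of authorized ones), as an added example that is not part of the original thread. It parses constructed, unfiltered `ip neigh show` output for one adapter; the sample table, the allowlist and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of unfiltered `ip neigh show` output (not from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev eth1 lladdr AA:BB:CC:00:00:01 STALE
192.168.1.40 dev eth1  FAILED
fe80::a8bb:ccff:fe00:2 dev eth1 lladdr aa:bb:cc:00:00:02 router STALE
10.8.0.1 dev tap0 lladdr 02:00:00:00:00:09 REACHABLE
192.168.1.77 dev eth1 lladdr de:ad:be:ef:00:42 DELAY
"""

# Constructed allowlist of authorized hardware addresses (assumption).
AUTHORIZED = {"00:11:22:33:44:55", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# address, interface, and an optional link-layer address (absent when unresolved)
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?"
)

def parse_neigh(text, dev):
    """Return {mac: [ip, ...]} for resolved neighbor entries on one adapter."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dev") != dev:
            continue  # unparsable line or a different adapter
        mac = m.group("mac")
        if mac is None:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        seen.setdefault(mac.lower(), []).append(m.group("ip"))
    return seen

def unauthorized(text, dev, allowlist):
    """Return the observed MACs on `dev` that are not in the allowlist."""
    allowed = {mac.lower() for mac in allowlist}
    observed = parse_neigh(text, dev)
    return {mac: ips for mac, ips in observed.items() if mac not in allowed}

if __name__ == "__main__":
    hits = unauthorized(SAMPLE_NEIGH, "eth1", AUTHORIZED)
    for mac, ips in sorted(hits.items()):
        print(f"unlisted MAC {mac} seen on eth1 as {', '.join(ips)}")
```

The neighbor table only lists hosts this machine has resolved through ARP or IPv6 neighbor discovery, which is the protocol-specific limit the thread keeps returning to; a station that never speaks IP to it will not appear.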