When analyzing networks it is extremly helpful to have a grahical picture of the network and a complete audit of all the devices on the network. This way when you see a particular IP or Ethernet address in a packet trace you'll know which device, desktop, server, or router it came from. This will also enable you to more quickly identify addresses which you're not expecting to see.
Using our recently acquired knowledge of ARP from Chapter 5, our protocol analyzer, and a port scanner you'll be able to map out your entire network in a few minutes.
Start SuperScan and you should get a screen that looks like this:
The resulting output file should look something like this:
No. Time Source Destination Protocol Info
1 0.000000 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.1? Tell 172.16.1.169
2 0.009775 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.2? Tell 172.16.1.169
3 0.019739 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.3? Tell 172.16.1.169
...
50 1.502203 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.50? Tell 172.16.1.169
51 1.502896 00:90:27:3c:66:e1 00:01:02:48:52:18 ARP 172.16.1.50 is at 00:90:27:3c:66:e1
...
101 3.004132 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.100? Tell 172.16.1.169
102 3.004413 00:08:c7:da:08:82 00:01:02:48:52:18 ARP 172.16.1.100 is at 00:08:c7:da:08:82
...
110 3.085305 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.108? Tell 172.16.1.169
111 3.085555 00:08:c7:da:07:c9 00:01:02:48:52:18 ARP 172.16.1.108 is at 00:08:c7:da:07:c9
...
112 3.094234 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.109? Tell 172.16.1.169
113 3.094351 00:01:02:68:35:08 00:01:02:48:52:18 ARP 172.16.1.109 is at 00:01:02:68:35:08
...
144 3.405004 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.140? Tell 172.16.1.169
145 3.405134 00:01:02:3d:1a:4e 00:01:02:48:52:18 ARP 172.16.1.140 is at 00:01:02:3d:1a:4e
...
173 4.686587 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.168? Tell 172.16.1.169
174 4.687154 00:07:85:47:4f:99 00:01:02:48:52:18 ARP 172.16.1.168 is at 00:07:85:47:4f:99
...
260 7.550517 00:01:02:48:52:18 ff:ff:ff:ff:ff:ff ARP Who has 172.16.1.254? Tell 172.16.1.169
Use the first packet to identify the IP and Ethernet address of the PC running Ethereal:
172.16.1.169 - 00:01:02:48:52:18Next, identify the IP and Ethernet addresses of the hosts that responded to the ARP requests:
172.16.1.50 - 00:90:27:3c:66:e1 172.16.1.100 - 00:08:c7:da:08:82 172.16.1.108 - 00:08:c7:da:07:c9 172.16.1.109 - 00:01:02:68:35:08 172.16.1.140 - 00:01:02:3d:1a:4e 172.16.1.168 - 00:07:85:47:4f:99
Use your favorite graphics program (e.g. Visio) to create a network diagram.
Presto. Full network audit without even leaving your desk...gotta love it!
There are other network tools that will audit your network for you in a more automated way, but that would be cheating: LANguard Network Scanner
If you have difficulting figuring out what the function of each of these hosts is, use the IEEE OUI Search to lookup the vendor code for each of the about Ethernet addresses. Enter the first three bytes of each address, seperated by a hypen ("-") instead of a colon (":")
For example:
00-90-27 (hex) INTEL CORPORATION HF1-06 5200 N.E. ELAM YOUNG PARKWAY HILLSBORO OR 97124 UNITED STATES 00-08-C7 (hex) COMPAQ COMPUTER CORPORATION 20555 S.H. 249 HOUSTON TX 77070 UNITED STATES 00-01-02 (hex) 3COM CORPORATION 5400 Bayfront Plaza - MS: 4220 Santa Clara CA 95052 UNITED STATES 00-07-85 (hex) Cisco Systems Inc. 170 West Tasman Dr. San Jose CA 95134 UNITED STATES