Active Hosts in LAN and Terminal/Geekttool

[atoxx]

Hi all, i am searching for a way to get all active Devices in my LAn via Terminal for usage with Geektool/ruby, i tried already "arp -a" but it shows just 2 devices, i cannot figure out how to get all connected devices, can someone help?


thx in advance

[SirDice]

ARP only shows the devices that are in the same broadcast domain (aka subnet).

You'll need to ping all IP addresses, if something responds it's a host. If it doesn't respond it may be firewalled.

Another option might be to look at your DHCP server, you should be able to get a list of active leases. But this obviously doesn't have the machines that use a static IP.

Basically there isn't a surefire way of detecting. Keeping proper administration helps (asset management).

[fracai]

Ditto on pinging. If your network is in the 192.168.1.* range, you could use the following to ping everything.

Code:

ping -c5 192.168.1.255

That will send 5 packets to every device. You could probably even hit 192.168.255.255 without to much issue. You of course won't get any responses from devices that are set to not respond to pings (there's an option in the Mac Firewall for this and I'm not sure if iOS devices will respond either).

[SirDice]

You also won't get devices that don't respond to a broadcast ping (even if they do respond to a directed ping). It's a rather large security risk (smurf attack).

[atoxx]

this is odd, so i push this:

ping -c5 192.168.178.255

it reports me, 5 devices were found, but listed only by IP, after this, i do an

arp -a

again, now it lists 4 devices but just 2 with names, the other 2 are a ?, and the best is, the iMac i start the Command is not kisted with ARP

[SirDice]

Quote: Originally Posted by atoxx the iMac i start the Command is not kisted with ARP

It doesn't need to ARP as it's the same machine. Hence it doesn't show up in the ARP table.

[atoxx]

well, this is logical sure, but hell, is it quite impossible to list all active devices on my current WLAN Network?

I have several ppl joining my WLAN with their Smartphones visiting us, i just would like to make a list visible with Geektool to show me all connected Devices to my Network, refreshed every mintue or so, i thought this is seems logical for security reasons, i thought also, while Mac bases on Linux Code, ppl would use such stuff, and not make this a complicated part as it is now here, a simple list of all connected Devices to a Network, is this so enological usage issue?

[fracai]

When I want to see what devices are on my network, I check the "Devices" page on my router.

If you add the devices to your router's static DHCP table you'll even be able to keep better track of them, possibly even get named DNS entries. I suspect the reason that some of the devices show up as '?' is because they're not known to whatever is supplying DNS info on your network.

It's not just that this is complicated, it's that the information you're looking for may not exist. There isn't necessarily a universal protocal that every device implements that broadcasts the device name to every other networked device. If they're all Apple devices, they will all probably be broadcasting Bonjour data though. Bonjour Browser can show you that. You may also be able to use the command line to query this data; see this hint.

[SirDice]

Quote: Originally Posted by atoxx while Mac bases on Linux Code,

That's not entirely correct. I feel I have to expressly state that FreeBSD is NOT a Linux (I am a moderator on http://forums.freebsd.org). Some parts of FreeBSD were attached to a Mach microkernel to create the OS-X kernel XNU. FreeBSD descended from the original AT&T UNIX source code. The Linux kernel was written from scratch to be UNIX-like. Both may appear the same but they are quite different. Linux is open source but not all open source is Linux. I really wished people would stop making that assumption.

Quote: ppl would use such stuff, and not make this a complicated part as it is now here, a simple list of all connected Devices to a Network, is this so enological usage issue?

I thought I explained it reasonably well. Keep in mind I have 20+ years professional experience in IT and networking. I'm sure I would have seen something that would do what you are asking. If you get more networking experience and start to understand how exactly TCP/IP works you'll come to the same conclusion.

[sojourner]

That's so weird. I would imagine that what the OP is asking is something that is needed at some point in time by most. How come no tool has been created to do something like this?

[hayne]

I think part of the answer is that it isn't completely clear what the OP is wanting.
There are 3rd-party utilities that will show what devices are connected to a network - if that's what is being asked for.

[atoxx]

Well there are already 3rd Party Apps doing this, but the problem is the results are only available inside this Apps, if you want to post process this logs with ruby or Geektool, you are not able to do this, thats why i wanted to ask for a terminal only solution, but this is not possible it seems

[fracai]

I don't think you're going to find anything better than ping and arp can provide (maybe nmap could provide a bit more), unless you go to the device that is managing the network (ie. the router).

[trevor]

Step 1, install nmap. I use fink, but there are many methods to get nmap.

Step 2, use the following command, with the IP address changed to look at your particular subnet range:

sudo nmap -PR -sP 192.168.1.1/24

Trevor

[SirDice]

Same 'problem' as with the previous ping solutions, they don't work when the clients are firewalled.

[trevor]

nmap has a lot of options, and is far far more powerful than the ping tool. From the man page for nmap:

Code:

HOST DISCOVERY
       One of the very first steps in any network reconnaissance mission is to
       reduce a (sometimes huge) set of IP ranges into a list of active or
       interesting hosts. Scanning every port of every single IP address is slow
       and usually unnecessary. Of course what makes a host interesting depends
       greatly on the scan purposes. Network administrators may only be
       interested in hosts running a certain service, while security auditors may
       care about every single device with an IP address. An administrator may be
       comfortable using just an ICMP ping to locate hosts on his internal
       network, while an external penetration tester may use a diverse set of
       dozens of probes in an attempt to evade firewall restrictions.

       Because host discovery needs are so diverse, Nmap offers a wide variety of
       options for customizing the techniques used. Host discovery is sometimes
       called ping scan, but it goes well beyond the simple ICMP echo request
       packets associated with the ubiquitous ping tool. Users can skip the ping
       step entirely with a list scan (-sL) or by disabling ping (-Pn), or engage
       the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP,
       SCTP INIT and ICMP probes. The goal of these probes is to solicit
       responses which demonstrate that an IP address is actually active (is
       being used by a host or network device). On many networks, only a small
       percentage of IP addresses are active at any given time. This is
       particularly common with private address space such as 10.0.0.0/8. That
       network has 16 million IPs, but I have seen it used by companies with less
       than a thousand machines. Host discovery can find those machines in a
       sparsely allocated sea of IP addresses.

       If no host discovery options are given, Nmap sends an ICMP echo request, a
       TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP
       timestamp request. (For IPv6, the ICMP timestamp request is omitted
       because it is not part of ICMPv6.) These defaults are equivalent to the
       -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for
       IPv4) and Neighbor Discovery.  (for IPv6) scans which are used for any
       targets on a local ethernet network. For unprivileged Unix shell users,
       the default probes are a SYN packet to ports 80 and 443 using the connect
       system call..  This host discovery is often sufficient when scanning local
       networks, but a more comprehensive set of discovery probes is recommended
       for security auditing.

       The -P* options (which select ping types) can be combined. You can
       increase your odds of penetrating strict firewalls by sending many probe
       types using different TCP ports/flags and ICMP codes. Also note that
       ARP/Neighbor Discovery (-PR).  is done by default against targets on a
       local ethernet network even if you specify other -P* options, because it
       is almost always faster and more effective.

       By default, Nmap does host discovery and then performs a port scan against
       each host it determines is online. This is true even if you specify
       non-default host discovery types such as UDP probes (-PU). Read about the
       -sn option to learn how to perform only host discovery, or use -Pn to skip
       host discovery and port scan all target hosts. The following options
       control host discovery:

...and of course it goes on at great length from there.

Trevor

[sojourner]

Maybe Fing can help.

[SirDice]

Quote: Originally Posted by trevor nmap has a lot of options, and is far far more powerful than the ping tool.

Yes, but one of the 'features' of a firewalled client is that it doesn't respond to anything you send to it. That includes everything you throw at it with nmap.

[fracai]

Quote: Originally Posted by SirDice Yes, but one of the 'features' of a firewalled client is that it doesn't respond to anything you send to it. That includes everything you throw at it with nmap.

Yeah, but almost every machine is going to have at least a few open ports and nmap can scan those looking for some kind of response. For example, a machine might not respond to ping and have ports firewalled, but if it is running a web server or even just allows SSH access, it has to respond on those. nmap can look at those responses and identify the system architecture by the protocol version that is used in the response. I suppose you could indeed have a machine that isn't running with any open ports. Even then, depending on the network, a passive listener could pick up packets and gradually build up a list of communicating devices. That brings up tools like 'ngrep'.

Also, thanks for the link to Fring. That looks interesting and I definitely want to give it a look.

[fracai]

So, Fing is a really nice tool. The iOS app identified everything on my network, except for the thermostat, and even grabbed hostnames and MACs. I'm sure most of this is coming from the router's DNS. Manually adding the thermostats IP did bring up the hostname, so I bet there's a way to run an expanded search that scans every IP instead of just observing what's there.

I had a bit more trouble with the command line tool, it wants to be installed under /usr and has a mix of script-coded and hard-coded paths, so it's not possible to install it elsewhere. I'm sure it'd be just as functional, but I haven't tested it yet.