This may be part of my problem. I have a list of IPs and MACs. There are multiple MACs tied to a single IP. I was under the impression this data was gathered from ARP tables from several machines across the network. I figured the reason I was seeing multiple MACs for a single IP was because the router responded for the IP behind it. Any other explanation for what I am seeing? jas > Jason, > > If the machines were behind a router you would not see anything for ARP. > At that point you are routing and not switching. True, you would see > an MAC address for the router but remember, the MAC address is part of > the frame and the IP address is part of the packet. Therefore the only > time that the two are tied together is on the local subnet. > > Any tool to map networks based on arp tables would have to have access > to the arp tables for each individual subnet. > > "If machines were behind a router the ARP tables would show multiple > IP's with the same MAC." No, the arp tables would only show the routers > IP address and the mac address of the router. A routing table would > show IP addresses "behind" the routers IP address (maybe, default routes > would throw this off). Routing tables are global while arp tables are > local to the subnet. > > Hope this helps. > > Kevin > ----- Original Message ----- > From: "Jason Lewis" <jlewisat_private> > To: <pen-testat_private> > Sent: Tuesday, February 04, 2003 6:36 PM > Subject: Using ARP to map a network > > >> I have searched and can't seem to find any tools to help map a network >> based on ARP tables. >> >> It seems to me, I could take ARP tables from several machines and >> build a network map. If machines were behind a router the ARP tables >> would show multiple IP's with the same MAC. With enough ARP tables, >> wouldn't I be able to build a map? >> >> Is my theory flawed? >> >> My goal is to do passive network mapping based on any local >> information I can obtain from computers or network devices. Anyone >> have any ideas? >> >> jas >> >> >> >> -------------------------------------------------------------------------- > -- >> This list is provided by the SecurityFocus Security Intelligence Alert > (SIA) >> Service. For more information on SecurityFocus' SIA service which >> automatically alerts you to the latest security vulnerabilities please > see: >> https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 10:33:58 PST