One ping, one ping only.

The basis of this article is the dialog from the movie "The Hunt for Red October". One of the key lines, I think, was "One ping and one ping only". Pinging is the method submarines equipped with sonar use to detect what is around them; normally you would use more than one ping. In computing we also have a program called ping that does the same thing to detect what is around on the network. There is a very powerful program called nmap that usually automates such activity, but that usually takes some kind of administrative power to run. We will be using a simple Linux shell script (easily converted to other platforms) to detect what is around us. This tool is perfect for the home network. It will probably not detect what are known as "man in the middle" devices, but at least you can see the visible systems on your network.

Note: a quick way to see who has been active on the network with you is to ping the broadcast address of your subnet and then read the ARP cache. Many hosts ignore broadcast pings by default (Linux included), so the ARP table will mostly show the hosts that answered plus any you have talked to recently. For a 192.168.1.x network:

$ ping -c 2 -b 192.168.1.0

$ sudo arp -a

The code.
pingall.sh (do not forget "chmod +x pingall.sh"):

[code]
#!/bin/bash
# Ping every address on 192.168.1.x once; -w1 gives up after one second.
# grep keeps only the reply lines, so addresses that stay silent print nothing.
for i in {1..254}
do
    ping 192.168.1.$i -c1 -w1 -v | grep "icmp_seq=1"
done
[/code]

If you have a different network, you will have to change "192.168.1" accordingly. Here again we are using the good old "grep" command to extract data from the return stream; it is our sonar scope. Let's run it.

$ ./pingall.sh
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.852 ms
64 bytes from 192.168.1.31: icmp_seq=1 ttl=64 time=0.260 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=2.75 ms
64 bytes from 192.168.1.109: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 192.168.1.115: icmp_seq=1 ttl=64 time=0.064 ms
$ _

Ok, there are five devices on the network. We need to know more. There is what is called DNS, the "Domain Name System". We can ask the router's DNS server what names, if any, it has for those IP addresses (a reverse lookup).

The code.

nslookup.sh (do not forget to make it executable with "chmod +x nslookup.sh"):

[code]
#!/bin/bash
# Reverse-lookup every address on 192.168.1.x; only addresses that have a
# PTR record produce a "name =" line, so the rest are filtered out by grep.
for i in {1..254}
do
    nslookup 192.168.1.$i | grep name
done
[/code]

Let's run it.
$ ./nslookup.sh
1.1.168.192.in-addr.arpa name = my_network.
10.1.168.192.in-addr.arpa name = router2.
20.1.168.192.in-addr.arpa name = router3.
31.1.168.192.in-addr.arpa name = oesrvr1.
115.1.168.192.in-addr.arpa name = oesrvr104
$_

Notice the IP addresses are backwards (that is how reverse DNS names are written), but we can still identify units on the network from the list. Two devices show up known as router2 and router3. I know that they are not connected to the network at this time. They just have reserved names in the router. The unit at 99 is actually the print server and should have a reserved name in the router, I can take care of that later. 109 is a temp machine I have set up to test some software. Now if there were any unknown numbers, they would need to be investigated immediately. Again you would need to change "192.168.1." to work with your network.
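As an added example (not code from the original article), the "unknown numbers" check can be automated: parse the replying addresses out of pingall.sh-style output and compare them against a hand-maintained baseline of known hosts. The sweep output and the baseline below are constructed samples that reuse the article's addresses, and the "ip name" baseline format is an assumption.

```bash
#!/bin/bash
# Added example: flag hosts that answered a pingall.sh sweep but are not in a
# known-host baseline. Both inputs below are constructed samples.

# Constructed sweep output, in the same format pingall.sh prints.
SAMPLE_SWEEP='64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.852 ms
64 bytes from 192.168.1.31: icmp_seq=1 ttl=64 time=0.260 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=2.75 ms
64 bytes from 192.168.1.109: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 192.168.1.115: icmp_seq=1 ttl=64 time=0.064 ms'

# Constructed baseline, one "ip name" per line (assumed format; keep it in a
# file such as known_hosts.txt and update it whenever you add a device on purpose).
KNOWN_HOSTS='192.168.1.1 router
192.168.1.31 oesrvr1
192.168.1.99 printserver
192.168.1.115 oesrvr104'

# Print the address of every host that replied, one per line.
# Only "64 bytes from ..." lines count; "Destination Host Unreachable"
# lines that grep "icmp_seq=1" can let through are ignored.
responders() {
    printf '%s\n' "$1" | sed -n 's/^64 bytes from \([0-9.]*\):.*/\1/p'
}

# Print replying addresses that are missing from the baseline.
unknown_hosts() {
    local sweep=$1 baseline=$2 ip
    responders "$sweep" | while read -r ip; do
        # -x matches the whole line, -F treats the dots literally,
        # so 192.168.1.1 does not match 192.168.1.11.
        if ! printf '%s\n' "$baseline" | cut -d' ' -f1 | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Number of unknown hosts; useful as an exit status for a cron job.
unknown_count() {
    unknown_hosts "$1" "$2" | grep -c .
}

unknown_hosts "$SAMPLE_SWEEP" "$KNOWN_HOSTS"   # prints 192.168.1.109
```

To run it live, replace SAMPLE_SWEEP with "$(./pingall.sh)" and read KNOWN_HOSTS from your baseline file.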

There you are, two simple tools to check on your network.

Update:
Yet another way to look at the network. dig -x does the same reverse lookup as nslookup.sh; printing the last octet beside each answer shows the unnamed addresses as blanks.

$ for d in {1..255} ;do rev=$( dig +short -x 192.168.1.$d ) ; echo "$d $rev" ; done

1 Main-router.
2
3
...
...
29
30 nas.
31 oesrvr1.
32 oeorgan1.
33 beaglebone.
34
...
...
97
98
99 printer.
100
...
...
110
111 typo1.
112
113
114
115 oedt01.
116
...
...
122 chumby.
123
124
125 oelt02.
126 archie.
127
128
...
...
254
255


---------------------------------------------------------------------

Miscellaneous:

See if the website is alive (many sites drop ICMP, so no reply does not by itself prove the site is down).

$ ping missingwebsite.com

$ ping www.instructables.com
PING prod.fastly.net (199.102.47.72) 56(84) bytes of data.
64 bytes from 199.102.47.72: icmp_seq=1 ttl=45 time=51.5 ms
64 bytes from 199.102.47.72: icmp_seq=2 ttl=45 time=50.1 ms
^C64 bytes from 199.102.47.72: icmp_seq=3 ttl=45 time=49.0 ms

--- prod.fastly.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 10162ms
rtt min/avg/max/mdev = 49.092/50.269/51.552/1.007 ms


Find out whether the problem is somewhere along the way by stepping through the internet routers between you and the site.

$ traceroute missingwebsite.com

...
...
9  te0-0-0-3.ccr21.dfw01.atlas.cogentco.com (154.54.7.45)  39.589 ms te0-0-0-4.ccr21.dfw01.atlas.cogentco.com (154.54.6.57)  41.533 ms te0-1-0-4.ccr21.dfw01.atlas.cogentco.com (154.54.6.65)  42.982 ms
10  te0-1-0-1.ccr21.mci01.atlas.cogentco.com (154.54.46.201)  44.677 ms te0-2-0-3.ccr21.mci01.atlas.cogentco.com (154.54.5.170)  46.383 ms te0-0-0-1.ccr21.mci01.atlas.cogentco.com (154.54.46.185)  48.315 ms
11  te0-3-0-2.ccr21.ord01.atlas.cogentco.com (154.54.2.190)  49.768 ms  51.418 ms  52.621 ms
12  te3-8.ccr01.dsm01.atlas.cogentco.com (154.54.0.78)  44.561 ms  46.309 ms  47.732 ms
13  38.104.184.50 (38.104.184.50)  54.185 ms  55.582 ms  49.107 ms
14  edge5-usshc.wikia.net (208.68.167.146)  50.457 ms  52.333 ms  53.778 ms
15  199.102.47.58 (199.102.47.58)  55.999 ms  57.643 ms  59.092 ms
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *^C

Routers are playing possum when you see the asterisks: no reply came back within the timeout. Many routers and firewalls drop or rate-limit traceroute probes, so a run of asterisks does not by itself mean the path is down; the hops before it still answered.

Domain name servers can help also: if the name does not resolve at all, the problem is DNS rather than the web server.

$ dig missingwebsite.com

$ dig www.instructables.com

; <<>> DiG 9.7.0-P1 <<>> www.instructables.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40751
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.instructables.com.        IN    A

;; ANSWER SECTION:
www.instructables.com.    2177    IN    CNAME    a.prod.fastly.net.
a.prod.fastly.net.    22832    IN    CNAME    prod.fastly.net.
prod.fastly.net.    16    IN    A    199.102.47.72
prod.fastly.net.    16    IN    A    199.102.47.71

;; Query time: 14 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Nov 21 21:14:36 2011
;; MSG SIZE  rcvd: 116

$ nslookup missingwebsite.com

$ nslookup www.instructables.com
Server:        1.1.1.1
Address:    1.1.1.1#20120548

Non-authoritative answer:
www.instructables.com    canonical name = a.prod.fastly.net.
a.prod.fastly.net    canonical name = prod.fastly.net.
Name:    prod.fastly.net
Address: 199.102.47.71
Name:    prod.fastly.net
Address: 199.102.47.72

-----------------------------------------------------------------
pingall.sh improved (you can now pick the network as the first argument, i.e. "pingall.sh 2" scans 192.168.2.x; with no argument it scans 192.168.1.x):

[code]
#!/bin/bash
# The third octet of the network defaults to 1 when no argument is given.
if [ -z "$1" ]
then
   let n=1
else
   let n=$1
fi
echo "You are using network $n."

for i in {1..254}
do
    ping 192.168.$n.$i -c1 -w1 -v | grep "icmp_seq=1"
done
[/code]


nslookup.sh improved (same network argument as pingall.sh):

[code]
#!/bin/bash
# The third octet of the network defaults to 1 when no argument is given.
if [ -z "$1" ]
then
   let n=1
else
   let n=$1
fi
echo "You are using network $n."

for i in {1..254}
do
    nslookup 192.168.$n.$i | grep name
done
[/code]

-----------------------------------------------------------------------------
Extra:

Simple port scan (a bash TCP connect scan, meant for hosts on your own network).
Usage: portscan.sh host firstport lastport
Closed ports answer quickly, but ports that are filtered (probes silently dropped) make each attempt hang until the connect times out, so long ranges can take a while.


$ ./portscan.sh  oesrvr1  1  1024
"22 open"
"25 open"
"80 open"
"110 open"
"111 open"
"143 open"
"993 open"
"995 open"



[code]
#!/bin/bash
# Simple TCP connect scan using bash's /dev/tcp pseudo-device (bash only, not sh).
# Usage: portscan.sh host firstport lastport

if [ $# -ne 3 ]; then
    echo "Usage: $0 host firstport lastport"
    exit 1
fi

IP=$1
firstport=$2
lastport=$3

function portscan
{
    for ((counter=firstport; counter<=lastport; counter++))
    do
        # Redirecting into /dev/tcp/host/port succeeds only if the connect does,
        # so a successful redirect means the port accepted the connection.
        (echo >/dev/tcp/$IP/$counter) > /dev/null 2>&1 && echo "$counter open"
    done
}

portscan

# end of code
[/code]

-----

One neat command is arp-scan, but it requires admin rights. Because it uses ARP rather than ICMP, it also finds hosts that ignore pings, though only on the local Ethernet segment.

$ sudo arp-scan  --localnet
[sudo] password for eddie:
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1    00:00:00:00:00:00    Buffalo Inc.
192.168.1.32    00:00:00:00:00:00    DELL COMPUTER CORPORATION
192.168.1.99    00:00:00:00:00:00    Cellvision Systems, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.741 seconds (147.04 hosts/sec). 3 responded
$
