Would a packet sniffer like tcpdump be effective for network host discovery, and if so, how effective is it compared to more active methods such as the infamous network mapper nmap?
Viewed 159 times
schroeder

TheLinuxPro
2 Answers
Passive sniffing requires that the sniffing device is able to see traffic from the hosts that you want to discover. This is made difficult in a switched environment that segments traffic.
Active scanning, like nmap, reaches out to hosts to see if they are alive and overcomes the problems with passive sniffing.

schroeder
- Won't a tool like nmap cause the IDS system to freak out? – TheLinuxPro Mar 29 '19 at 12:50
- But I don't know how common switches are in corporate networks. – TheLinuxPro Mar 29 '19 at 12:51
- Yes, a full nmap scan can trigger network defenses, but nmap has a lot of methods to stay under the radar. – schroeder Mar 29 '19 at 12:54
- You don't need to know how common switches are. You need to know if there is a switch in the network you want to analyse. – schroeder Mar 29 '19 at 12:57
In the old days of dumb repeater hubs you would have seen all the traffic with a sniffer, but those days are long gone. Pretty much everything is switches nowadays, so you won't see most of the unicast traffic.
However most systems will sooner or later send some broadcast or effectively broadcast traffic which you will see. So if you watch the network for long enough you should discover the IP/MAC of most devices on the network.

Peter Green
- If I understand you correctly, the plan is to get into a specific part of a company's subnet, use a sniffer there to map that part of the subnet, and then move on to another subnet and repeat? – TheLinuxPro Apr 03 '19 at 17:53
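Both answers above make the same point from two sides: on a switched network a passive sniffer only sees traffic addressed to it plus broadcasts, and ARP is the broadcast that almost every IPv4 host emits sooner or later. The script below is an added example (not code from either answer, nor from tcpdump or nmap) of turning a passive capture into a host inventory. It assumes the text layout tcpdump prints for `tcpdump -e -n arp` (link-level headers, no name resolution); the capture lines, MAC addresses and 192.0.2.0/24 addresses are constructed sample data. Only the sender side of an ARP request and the answering side of an ARP reply are treated as "alive": a request's target is not counted until it answers, and an IP seen with more than one MAC is reported, since on a network you defend that is either an address reassignment or something worth investigating.

```python
import re
from dataclasses import dataclass, field

# Assumption: this matches the tcpdump text layout for "tcpdump -e -n arp".
# Groups: timestamp, Ethernet src/dst MAC, then either a Request or a Reply.
ARP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<target>[0-9.]+) tell (?P<sender>[0-9.]+)"
    r"|Reply (?P<reply_ip>[0-9.]+) is-at (?P<reply_mac>[0-9a-f:]{17}))"
)

# Constructed sample capture. Line 2 is a unicast reply: a sniffer on a switch
# only sees such frames when the capture host is an endpoint or on a SPAN port.
# Line 4 is an ARP probe (sender 0.0.0.0) and line 5 is DHCP, not ARP; both are
# ignored. Line 6 shows 192.0.2.30 with a second MAC.
SAMPLE_CAPTURE = """\
12:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.20 tell 192.0.2.10, length 28
12:00:01.000452 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.20 is-at aa:bb:cc:00:00:02, length 28
12:00:05.000000 aa:bb:cc:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.30, length 28
12:00:09.000000 aa:bb:cc:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.30 tell 0.0.0.0, length 28
12:00:12.000000 aa:bb:cc:00:00:04 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 192.0.2.40.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:04, length 300
12:00:15.000000 aa:bb:cc:00:00:09 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.30, length 28
"""


@dataclass
class Host:
    """What passive observation can tell us about one IP address."""
    macs: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""
    frames: int = 0


def passive_inventory(lines):
    """Return {ip: Host} built only from ARP frames the sniffer actually saw.

    A host is recorded when it *speaks* (request sender or reply responder);
    the target of a request is not assumed alive just because someone asked.
    """
    hosts = {}
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # not ARP, or not a layout we parse
        if m.group("sender"):
            ip, mac = m.group("sender"), m.group("src_mac")
        else:
            ip, mac = m.group("reply_ip"), m.group("reply_mac")
        if ip == "0.0.0.0":
            continue  # ARP probe during address acquisition: no usable IP yet
        host = hosts.setdefault(ip, Host(first_seen=m.group("ts")))
        host.macs.add(mac)
        host.last_seen = m.group("ts")
        host.frames += 1
    return hosts


def conflicting_ips(hosts):
    """IPs observed with more than one MAC, sorted: worth a second look."""
    return sorted(ip for ip, h in hosts.items() if len(h.macs) > 1)


if __name__ == "__main__":
    inventory = passive_inventory(SAMPLE_CAPTURE.splitlines())
    for ip in sorted(inventory):
        h = inventory[ip]
        print(f"{ip:<12} {', '.join(sorted(h.macs)):<40} frames={h.frames} "
              f"first={h.first_seen} last={h.last_seen}")
    print("IPs with multiple MACs:", conflicting_ips(inventory))
```

On a live system the same function can be fed from `tcpdump -e -n -l arp` through a pipe instead of the constructed string; the longer it runs, the more of the quiet hosts Peter Green mentions will show up, while hosts that never ARP on the sniffer's segment stay invisible, which is exactly the gap schroeder's answer describes for active scanning to fill.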