7

I am looking for a command to discover all hosts on the same LAN segment from a host with unassigned IP, default gateway, and subnet. I know there's ping 255.255.255.255 but that operates at layer 3 and requires the sender to have an IP address. Is there a simple Windows and Linux layer-2-only command to send a MAC broadcast to FF:FF:FF:FF:FF:FF?

Can this be done in 1 line, e.g. without arping every possible IP address? I also tried the nmap broadcast-ping script but that doesn't work on my Linux hosts.

Knowing the ARP packet structure helps.

T. Webster

1 Answer

7

I'm not sure you can do what you're asking for. What message could you send to all hosts at FF:FF:FF:FF:FF:FF that would compel them to reply to you? ARPs get sent to the broadcast address, but only the correct host responds.

I'd use a combination of pinging the broadcast (192.168.0.255 and 255.255.255.255), the MAC address table on the switch, and a Wireshark tap on the gateway's interface to gather practically all of them.

There's no L2 message I know of that will require a response from all L2 hosts regardless of L3 config.

Keller G
  • I had forgotten that `FF:FF:FF:FF:FF:FF` is already reserved for the ARP process initially when the dest. host MAC is unresolved. Does this then mean that it's impossible to find the MAC of any host with unassigned IP address, even if it sits on the same LAN Ethernet segment? – T. Webster Apr 11 '13 at 02:22
  • @T.Webster your network switch's MAC Table should supply that info as Keller G suggested – tegbains Apr 11 '13 at 04:29
  • @T.Webster Research layer-2 (Ethernet) protocols to find one that requires a response to broadcast (FF:FF:FF:FF:FF:FF) frames. I am unaware of one, since it would be easy to cause a broadcast storm within a collision domain. – bonsaiviking Apr 11 '13 at 15:28
  • Unless I misunderstand you, ARP is one. From the packet structure and ignorance of the algorithm, it appears that ARP in fact **adds** a condition to allow a response. The default behavior of layer-2 request/response design is an implied "deny all". – T. Webster Apr 12 '13 at 16:14
  • Yes, ARP compels a response from exactly one host -- the one that owns the IP address you're ARPing for. It does not compel all hosts on the broadcast domain to reply in one shot, however. – Keller G Apr 12 '13 at 16:58
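The ARP packet structure the question mentions, worked through as an added example (not code from anyone in this thread): a small Python parser for Ethernet/IPv4 ARP frames that builds a passive host inventory from captured frames, the kind of data a Wireshark tap on the segment collects. It goes one step beyond the thread in noting that a host with no address yet still reveals its MAC through ARP probes whose sender IP is 0.0.0.0 (RFC 5227). The frame builder, MACs and IPs are constructed test data, not a real capture.

```python
import struct
from collections import defaultdict

# Ethernet II header (dst MAC, src MAC, EtherType) followed by the RFC 826 ARP body
# for Ethernet/IPv4: htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP, BROADCAST = 0x0806, b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size or ETH_HDR.unpack_from(frame, 0)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # some other hardware/protocol pairing; not what we inventory
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def inventory(frames):
    """Map each MAC seen as an ARP sender to the IPs it claimed. A sender IP of 0.0.0.0 is an
    ARP probe (RFC 5227): the host has no address yet, but its MAC is visible on the segment."""
    seen = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] in (ARP_REQUEST, ARP_REPLY):
            seen[arp["sha"]].add(arp["spa"])
    return {mac: sorted(ips) for mac, ips in seen.items()}

def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Build a constructed ARP frame (test data only, not a real capture)."""
    return ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP) + ARP_BODY.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

# Constructed sample capture: a normal request, an ARP probe from a host with no
# address yet, the gateway's unicast reply, and one IPv4 frame that must be ignored.
HOST_A, GATEWAY = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("001122334455")
NEWCOMER, ZERO_MAC = bytes.fromhex("deadbeef0001"), bytes(6)
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_A, bytes([192, 168, 0, 10]), ZERO_MAC, bytes([192, 168, 0, 1])),
    build_arp(ARP_REQUEST, NEWCOMER, bytes(4), ZERO_MAC, bytes([192, 168, 0, 77])),
    build_arp(ARP_REPLY, GATEWAY, bytes([192, 168, 0, 1]), HOST_A, bytes([192, 168, 0, 10]), eth_dst=HOST_A),
    ETH_HDR.pack(BROADCAST, HOST_A, 0x0800) + b"\x45" + bytes(27),
]
```

Running `inventory(SAMPLE_FRAMES)` on the constructed capture lists the three MACs, with the newcomer mapped only to 0.0.0.0; on a real segment, feed it frames read from a capture file instead.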