How to find multiple servers on LAN using TCP socket
-
The only existing technique is port scanning i.e. connect to each and everyone of them. You may wish to use threads, as response time outs will slow you down.
Suppose I create a thread for every subnet. .then How many TCP sockets should i use (Per thread) ? My loop is like this - for(;;) {for(;;) {for(;;) {for(;;) { connect(MySocket, ...); } } } } then how do i decide socket's TIMEOUT if i use single socket per thread ?
Future Lies in Present. Manmohan Bishnoi
-
How can I find multiple servers Listening on our college LAN using TCP socket ? my loop will run from ip 192.168.100.0 to 192.168.120.255.
Future Lies in Present. Manmohan Bishnoi
Manmohan29 wrote:
from ip 192.168.100.0 to 192.168.120.255
If you simply want to find all connected hardware addresses in this range then I would suggest using ARP[^]. The IP Helper function SendARP Function[^] is very easy to use and will quickly tell you if there is a MAC address associated with the IP. Once you have determined there is a networked device on the other side you can begin your TCP negotiation. Best Wishes, -David Delaune
-
Manmohan29 wrote:
from ip 192.168.100.0 to 192.168.120.255
If you simply want to find all connected hardware addresses in this range then I would suggest using ARP[^]. The IP Helper function SendARP Function[^] is very easy to use and will quickly tell you if there is a MAC address associated with the IP. Once you have determined there is a networked device on the other side you can begin your TCP negotiation. Best Wishes, -David Delaune
You can't arp a subnet over a router.
-
Suppose I create a thread for every subnet. .then How many TCP sockets should i use (Per thread) ? My loop is like this - for(;;) {for(;;) {for(;;) {for(;;) { connect(MySocket, ...); } } } } then how do i decide socket's TIMEOUT if i use single socket per thread ?
Future Lies in Present. Manmohan Bishnoi
I don't know, I've never done it :-) I suppose it will depend on the number that answer vs the number that do not answer. Trial and error, and selectable parameters are your friend here... Oh, and I hope your targeting a specific port because scanning 5000 hosts * 65535 ports is going to take a long time.
-
You can't arp a subnet over a router.
-
And you think a lan with 5100 potential hosts has no hubs and switches? At home I can't even arp the server in the next room because there's a switch in between.
-
And you think a lan with 5100 potential hosts has no hubs and switches? At home I can't even arp the server in the next room because there's a switch in between.
Hi Michael,
Michel Godfroid wrote:
At home I can't even arp the server in the next room because there's a switch in between.
Then perhaps you should consider replacing your hardware. If ARP packets cannot pass through your switch then how does your networked devices communicate? Best Wishes, -David Delaune
-
Hi Michael,
Michel Godfroid wrote:
At home I can't even arp the server in the next room because there's a switch in between.
Then perhaps you should consider replacing your hardware. If ARP packets cannot pass through your switch then how does your networked devices communicate? Best Wishes, -David Delaune
This is really off-topic, but allow me this short explanation: ARP is a layer 2 protocol (the MAC layer in Ethernet technologies). It establishes the relationship between layer 2 (Media Access Control) and layer 3 (the network layer in the OSI model, or the Internet Layer (typically IP)) The only way you will have an arp entry in your arp cache is as follows: 1) you issue a broadcast on your (IP) subnet, requesting the owner of a specific IP address to tell you it's mac address (or the mac address it can reach). The telecommunication equipment which may sit in between you and the destination will reply with either it's own mac address(if it knows it can switch your packets to the final destination), or with the real MAC address of the equipment, if it's a dumb component like a hub, or the final (directly connected) component in the chain. 2) the other component has queried you (probably through broadcast) for your address. In that case the Arp cache will associate the querying MAC address with the querying IP address. The whole point of modern communication equipment, as opposed to old stuff (like hubs) is to limit the number of broadcasts and packet traffic on segments (segments, not subnets). Broadcasts are limited to a segment, and traffic is directed on the wire. With some modern intelligent switches, it is even possible to have duplicate MAC addresses on the network, as long they are not in the same segment. (I wouldn't recommend it though...) So in the context of this discussion: Walking the arp table, you'll miss all the hosts which are on a different subnet (you still need routers for making subnets), you may miss hosts which are on a different segment, and you'll miss hosts on your own segment if you haven't contacted them before their arp entry became stale. Otherwise, it's a fine technique.
-
This is really off-topic, but allow me this short explanation: ARP is a layer 2 protocol (the MAC layer in Ethernet technologies). It establishes the relationship between layer 2 (Media Access Control) and layer 3 (the network layer in the OSI model, or the Internet Layer (typically IP)) The only way you will have an arp entry in your arp cache is as follows: 1) you issue a broadcast on your (IP) subnet, requesting the owner of a specific IP address to tell you it's mac address (or the mac address it can reach). The telecommunication equipment which may sit in between you and the destination will reply with either it's own mac address(if it knows it can switch your packets to the final destination), or with the real MAC address of the equipment, if it's a dumb component like a hub, or the final (directly connected) component in the chain. 2) the other component has queried you (probably through broadcast) for your address. In that case the Arp cache will associate the querying MAC address with the querying IP address. The whole point of modern communication equipment, as opposed to old stuff (like hubs) is to limit the number of broadcasts and packet traffic on segments (segments, not subnets). Broadcasts are limited to a segment, and traffic is directed on the wire. With some modern intelligent switches, it is even possible to have duplicate MAC addresses on the network, as long they are not in the same segment. (I wouldn't recommend it though...) So in the context of this discussion: Walking the arp table, you'll miss all the hosts which are on a different subnet (you still need routers for making subnets), you may miss hosts which are on a different segment, and you'll miss hosts on your own segment if you haven't contacted them before their arp entry became stale. Otherwise, it's a fine technique.
Hi Michael, You never answered my question: If ARP packets are unable to traverse across your switch then how are your network devices communicating?
Michel Godfroid wrote:
The only way you will have an arp entry in your arp cache
I am not sure why you are writing all of this gibberish. It is not even completely correct. Why do you feel the need to debate? Best Wishes, -David Delaune
-
Hi Michael, You never answered my question: If ARP packets are unable to traverse across your switch then how are your network devices communicating?
Michel Godfroid wrote:
The only way you will have an arp entry in your arp cache
I am not sure why you are writing all of this gibberish. It is not even completely correct. Why do you feel the need to debate? Best Wishes, -David Delaune
My only point is that you cannot use arp to DISCOVER servers on the Internet layer. They will only be there if you've discovered them before, and anyway servers on other subnets will never be there. You discover an ARP entry by querying an IP address, not the other way round...
-
My only point is that you cannot use arp to DISCOVER servers on the Internet layer. They will only be there if you've discovered them before, and anyway servers on other subnets will never be there. You discover an ARP entry by querying an IP address, not the other way round...
Hi, As I stated in my second post: The author of the question clearly states that he is attempting to scan the LAN for network devices. ARP is a very good candidate for scanning the local network for hardware addresses. In fact this is how the Microsoft NDIS layer works... the first thing TCPIP.SYS does is send an ARP broadcast if there is no entry in the table. Here on codeproject.com we are all experienced developers sharing our experience and knowledge for free. In my opinion it is not very good etiquette to attack other posters who are assisting. Best Wishes, -David Delaune P.S. You still have not answered my question. And its because ARP broadcasts DO pass through your switch.
-
Hi, As I stated in my second post: The author of the question clearly states that he is attempting to scan the LAN for network devices. ARP is a very good candidate for scanning the local network for hardware addresses. In fact this is how the Microsoft NDIS layer works... the first thing TCPIP.SYS does is send an ARP broadcast if there is no entry in the table. Here on codeproject.com we are all experienced developers sharing our experience and knowledge for free. In my opinion it is not very good etiquette to attack other posters who are assisting. Best Wishes, -David Delaune P.S. You still have not answered my question. And its because ARP broadcasts DO pass through your switch.
Fixed the low votes on your posts (and marked the query as answered). PS: It seem to work on my LAN and I'm in agreement with you.
“Follow your bliss.” – Joseph Campbell
-
Hi, As I stated in my second post: The author of the question clearly states that he is attempting to scan the LAN for network devices. ARP is a very good candidate for scanning the local network for hardware addresses. In fact this is how the Microsoft NDIS layer works... the first thing TCPIP.SYS does is send an ARP broadcast if there is no entry in the table. Here on codeproject.com we are all experienced developers sharing our experience and knowledge for free. In my opinion it is not very good etiquette to attack other posters who are assisting. Best Wishes, -David Delaune P.S. You still have not answered my question. And its because ARP broadcasts DO pass through your switch.
Sure, the ARP broadcast is there - to find the MAC address of the DHCP or BOOTP server in order to get an IP address if auto address configuration is enabled. - to detect an available address if no DHCP or bootp servers are there, and automatic address assignment is in effect (169.254/16 network) - to see if the assigned address is already in use on the network. - if netbios is enabled, to get at the network neighbourhood machines (netbios is basically a layer 2 protocol) - to find a master browser, and start the master browser election - to find the default gateway Otherwise I'm a bit bothered by your definition of LAN environment: can a LAN not include routers? In that case my home environment does not qualify as a LAN. Each virtual machine host includes a router to effect separation between in host-traffic and LAN Traffic. Any corporate environment, even in the 192.168 subrange will include routers, just because it's usually bad practice to put more than a couple of hundred hosts on a broadcast segment (and the default netmask is /24). I use a 10/8 network at home, which I divide in /24 networks because of - Megalomania - I can't be bothered to calculate subnets which are not a multiple of 8 :-) I suspects network admins out there are as lazy as I am.
modified on Monday, May 10, 2010 3:14 PM
-
Fixed the low votes on your posts (and marked the query as answered). PS: It seem to work on my LAN and I'm in agreement with you.
“Follow your bliss.” – Joseph Campbell
Ouch... voting up a user who gives wrong technical advice is not a good idea! There is a difference in LANs that consist of one subnet and those with multiple subnets (where ARP traffic will not be forwarded but IP traffic will be) as explained by Michel Godfroid.
Chat in Europe :java: Now with 24% more Twitter
modified on Monday, May 10, 2010 3:42 PM
-
Fixed the low votes on your posts (and marked the query as answered). PS: It seem to work on my LAN and I'm in agreement with you.
“Follow your bliss.” – Joseph Campbell
Hi Rajesh, Thanks for the support. To be fair the recommendation made by Michel Godfroid is not incorrect. I was simply giving an alternative and optimized solution for scanning a local network. Allow me to give a more complete explanation. Here is an exercise for the readers: 1.) Download a packet sniffer such as WireShark[^] 2.) Follow the advice Michel Godfroid gave and scan the entire local subnet. Monitor the Wireshark output. Here is what you will see: 1.) You will first see an ARP broadcast generated by TCPIP.SYS for each attempted connection to a local IP address (if not already cached). If there is something there it will respond with an ARP reply. 2.) If a network device is on the other side you will then see the TCP handshake and connection attempt. If there is no device there winsock will return a Winsock Error Code[^]. The response I gave was cutting out the TCP protocol from the equation... Since we know the NDIS layer TCPIP.SYS will ARP for the address anyway... when scanning the local subnet. Best Wishes, -David Delaune
-
Ouch... voting up a user who gives wrong technical advice is not a good idea! There is a difference in LANs that consist of one subnet and those with multiple subnets (where ARP traffic will not be forwarded but IP traffic will be) as explained by Michel Godfroid.
Chat in Europe :java: Now with 24% more Twitter
modified on Monday, May 10, 2010 3:42 PM
Hi Moak,
Moak wrote:
There is a difference in LANs that consist of one subnet and those with multiple subnets (where APR traffic will not be forwarded but IP traffic will be) as explained by Michel Godfroid.
This is not correct. The switch *will* forward the ARP broadcast. The network device on the other side however will not respond if it is on another subnet. Best Wishes, -David Delaune
-
Hi Rajesh, Thanks for the support. To be fair the recommendation made by Michel Godfroid is not incorrect. I was simply giving an alternative and optimized solution for scanning a local network. Allow me to give a more complete explanation. Here is an exercise for the readers: 1.) Download a packet sniffer such as WireShark[^] 2.) Follow the advice Michel Godfroid gave and scan the entire local subnet. Monitor the Wireshark output. Here is what you will see: 1.) You will first see an ARP broadcast generated by TCPIP.SYS for each attempted connection to a local IP address (if not already cached). If there is something there it will respond with an ARP reply. 2.) If a network device is on the other side you will then see the TCP handshake and connection attempt. If there is no device there winsock will return a Winsock Error Code[^]. The response I gave was cutting out the TCP protocol from the equation... Since we know the NDIS layer TCPIP.SYS will ARP for the address anyway... when scanning the local subnet. Best Wishes, -David Delaune
Randor wrote:
To be fair the recommendation made by Michel Godfroid is not incorrect.
I realise that, and actually his answer carries my 5 vote!
“Follow your bliss.” – Joseph Campbell
-
Ouch... voting up a user who gives wrong technical advice is not a good idea! There is a difference in LANs that consist of one subnet and those with multiple subnets (where ARP traffic will not be forwarded but IP traffic will be) as explained by Michel Godfroid.
Chat in Europe :java: Now with 24% more Twitter
modified on Monday, May 10, 2010 3:42 PM
Moak wrote:
There is a difference in LANs that consist of one subnet and those with multiple subnets (where APR traffic will not be forwarded but IP traffic will be) as explained by Michel Godfroid.
While the OP hasn't been particularly clear about his setup, it's hard for someone to guess and answer. While Michel's answer is correct (and carries my "good answer" vote), I see very little reason to lynch-vote David's post. I'd leave it to the OP to decide if it were wrong technical advice in this case by testing the suggestions offered in his setup, as he's not provided sufficient details for the responders.
“Follow your bliss.” – Joseph Campbell
-
Sure, the ARP broadcast is there - to find the MAC address of the DHCP or BOOTP server in order to get an IP address if auto address configuration is enabled. - to detect an available address if no DHCP or bootp servers are there, and automatic address assignment is in effect (169.254/16 network) - to see if the assigned address is already in use on the network. - if netbios is enabled, to get at the network neighbourhood machines (netbios is basically a layer 2 protocol) - to find a master browser, and start the master browser election - to find the default gateway Otherwise I'm a bit bothered by your definition of LAN environment: can a LAN not include routers? In that case my home environment does not qualify as a LAN. Each virtual machine host includes a router to effect separation between in host-traffic and LAN Traffic. Any corporate environment, even in the 192.168 subrange will include routers, just because it's usually bad practice to put more than a couple of hundred hosts on a broadcast segment (and the default netmask is /24). I use a 10/8 network at home, which I divide in /24 networks because of - Megalomania - I can't be bothered to calculate subnets which are not a multiple of 8 :-) I suspects network admins out there are as lazy as I am.
modified on Monday, May 10, 2010 3:14 PM
Hi Michel, As I stated... your advice is not incorrect. I simply gave an alternative solution for scanning the local subnet for networked devices. Lets have a beer and work on calculating subnets which are not a multiple of 8. :) Best Wishes, -David Delaune
-
Hi Moak,
Moak wrote:
There is a difference in LANs that consist of one subnet and those with multiple subnets (where APR traffic will not be forwarded but IP traffic will be) as explained by Michel Godfroid.
This is not correct. The switch *will* forward the ARP broadcast. The network device on the other side however will not respond if it is on another subnet. Best Wishes, -David Delaune
Have you considered network topologies with L3 routers, a campus LAN must not only consist of L2 hubs/switches?
Chat in Europe :java: Now with 24% more Twitter