我的逻辑是这样的
- 获取子网的定义
- 用于
nmap扫描子网中的每个项目以填充 arp 缓存 - 使用该
/usr/sbin/arp工具转储 arp 缓存 - 解析 arp 缓存以获取
(IP-address, MAC-address)子网上所有内容的对。
这通常工作得相当好,但我现在遇到的情况是这不起作用。
假设我位于以下子网中10.199.200.0/21
我跑nmap
sudo /usr/bin/nmap -sP --send-ip -n 10.199.200.0/21
这显示了它找到的所有设备
Starting Nmap 7.01 ( https://nmap.org ) at 2018-08-09 15:45 MDT
Nmap scan report for 10.199.200.1
Host is up (0.00066s latency).
MAC Address: FC:AA:14:XX:XX:XX(Giga-byte Technology)
Nmap scan report for 10.199.200.2
Host is up (0.00038s latency).
MAC Address: C2:EA:E4:XX:XX:XX(Unknown)
Nmap scan report for 10.199.200.4
Host is up (0.00045s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.5
Host is up (0.00041s latency).
MAC Address: 00:1A:64:XX:XX:XX(IBM)
Nmap scan report for 10.199.200.6
Host is up (0.0010s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.8
Host is up (0.00027s latency).
MAC Address: 40:F2:E9:XX:XX:XX(IBM)
Nmap scan report for 10.199.200.9
Host is up (0.00061s latency).
MAC Address: 1C:98:EC:XX:XX:XX(Unknown)
Nmap scan report for 10.199.200.10
Host is up (0.00038s latency).
MAC Address: D0:67:26:XX:XX:XX(Unknown)
Nmap scan report for 10.199.200.11
Host is up (0.00075s latency).
MAC Address: 7C:AD:74:XX:XX:XX(Cisco Systems)
Nmap scan report for 10.199.200.12
Host is up (0.00053s latency).
MAC Address: 68:72:51:XX:XX:XX(Ubiquiti Networks)
Nmap scan report for 10.199.200.13
Host is up (0.00061s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.15
Host is up (0.00098s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.16
Host is up (0.00088s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.18
Host is up (0.0017s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.19
Host is up (0.00080s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.20
Host is up (0.00076s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.22
Host is up (0.00078s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.23
Host is up (0.0011s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.24
Host is up (0.0010s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.26
Host is up (0.00058s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.27
Host is up (0.00091s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.28
Host is up (0.00074s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.29
Host is up (0.0011s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.30
Host is up (0.00089s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.31
Host is up (0.00060s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
Nmap scan report for 10.199.200.32
Host is up (0.00096s latency).
MAC Address: 00:50:56:XX:XX:XX(VMware)
但是当我立即尝试转储 arp 缓存时
/usr/sbin/arp
我只得到这个,之前扫描中显示的许多项目都丢失了
Address HWtype HWaddress Flags Mask Iface
10.199.200.179 (incomplete) enp2s0
10.199.202.172 (incomplete) enp2s0
10.199.205.70 (incomplete) enp2s0
10.199.206.73 ether f4:5c:89:XX:XX:XX C enp2s0
10.199.202.42 (incomplete) enp2s0
10.199.202.245 (incomplete) enp2s0
10.199.205.74 (incomplete) enp2s0
10.199.200.2 ether c2:ea:e4:XX:XX:XX C enp2s0
10.199.205.21 (incomplete) enp2s0
10.199.207.193 (incomplete) enp2s0
10.199.203.231 (incomplete) enp2s0
10.199.203.162 (incomplete) enp2s0
10.199.204.181 (incomplete) enp2s0
10.199.207.79 (incomplete) enp2s0
10.199.205.94 (incomplete) enp2s0
10.199.203.109 (incomplete) enp2s0
10.199.206.44 (incomplete) enp2s0
10.199.204.51 (incomplete) enp2s0
10.199.200.209 (incomplete) enp2s0
10.199.206.239 (incomplete) enp2s0
10.199.203.235 (incomplete) enp2s0
10.199.206.170 (incomplete) enp2s0
10.199.201.69 (incomplete) enp2s0
10.199.205.98 (incomplete) enp2s0
10.199.203.113 (incomplete) enp2s0
10.199.200.229 (incomplete) enp2s0
10.199.206.190 (incomplete) enp2s0
10.199.203.186 (incomplete) enp2s0
10.199.200.99 (incomplete) enp2s0
10.199.205.118 (incomplete) enp2s0
10.199.201.20 (incomplete) enp2s0
10.199.207.34 (incomplete) enp2s0
10.199.203.192 (incomplete) enp2s0
10.199.205.252 (incomplete) enp2s0
10.199.200.180 (incomplete) enp2s0
10.199.202.165 (incomplete) enp2s0
10.199.206.66 (incomplete) enp2s0
10.199.205.122 (incomplete) enp2s0
10.199.205.197 (incomplete) enp2s0
10.199.203.212 (incomplete) enp2s0
10.199.205.128 (incomplete) enp2s0
10.199.203.151 (incomplete) enp2s0
10.199.206.139 ether f4:5c:89:XX:XX:XX C enp2s0
10.199.200.184 (incomplete) enp2s0
10.199.206.86 (incomplete) enp2s0
10.199.202.116 (incomplete) enp2s0
10.199.207.127 (incomplete) enp2s0
10.199.206.17 (incomplete) enp2s0
10.199.201.44 (incomplete) enp2s0
10.199.202.120 (incomplete) enp2s0
10.199.206.37 (incomplete) enp2s0
10.199.204.52 (incomplete) enp2s0
10.199.205.221 (incomplete) enp2s0
10.199.206.224 (incomplete) enp2s0
10.199.200.149 (incomplete) enp2s0
10.199.206.163 (incomplete) enp2s0
10.199.205.91 (incomplete) enp2s0
10.199.206.41 (incomplete) enp2s0
10.199.202.207 (incomplete) enp2s0
10.199.205.225 (incomplete) enp2s0
10.199.206.244 (incomplete) enp2s0
10.199.203.179 (incomplete) enp2s0
10.199.201.66 (incomplete) enp2s0
10.199.205.111 (incomplete) enp2s0
10.199.200.39 (incomplete) enp2s0
10.199.207.27 (incomplete) enp2s0
10.199.200.226 (incomplete) enp2s0
10.199.202.211 (incomplete) enp2s0
10.199.200.173 (incomplete) enp2s0
10.199.207.161 (incomplete) enp2s0
10.199.205.176 (incomplete) enp2s0
10.199.207.108 (incomplete) enp2s0
10.199.205.115 (incomplete) enp2s0
10.199.206.6 (incomplete) enp2s0
10.199.207.47 (incomplete) enp2s0
10.199.204.208 (incomplete) enp2s0
10.199.200.246 (incomplete) enp2s0
(请注意,这两个输出都是不完整的)
本质上,nmap显示了后续命令转储中完全丢失的项目的 IP/MAC,arp或者 IP 存在但 MAC 地址显示为(incomplete)
我尝试通过执行以下操作来增加 arp 缓存中项目的超时
echo 'net.ipv4.neigh.default.gc_stale_time=600' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.neigh.default.base_reachable_time_ms=1200000' | sudo tee -a /etc/sysctl.conf
但这似乎没有什么区别。
这里发生了什么?为什么不arp显示正在显示的内容nmap?也许没有nmap正确填充缓存?
我注意到的另一件事是,使用该实用程序会显示找到的arp-scan所有内容nmap
答案1
arp 缓存就是一个缓存。这意味着它将保存一些可能很快需要的值,但可以被丢弃以为其他值腾出位置。
/21 网络有 2048 个地址,因此其中一些地址会从缓存中删除,以便为其他条目释放插槽。您以前可能在较小的网络上使用过它。
您应该扫描 nmap 的输出。你必须结合来自不同行的信息,但它应该是完整的。
编辑
每个条目都会开始(incomplete),直到收到响应为止。因此,当缓存已满时,内核必须删除较旧的完整条目或可能刚刚收到响应的较新条目。
对于尺寸,从这里:
sysctl -w net.ipv4.neigh.default.gc_thresh1=<n>:gc_thresh1表示ARP缓存中可能存在的最小条目数。如果条目数低于此设置,则不会触发垃圾收集。
sysctl -w net.ipv4.neigh.default.gc_thresh2=<n>:gc_thresh2 表示 ARP 缓存中可能存在的软最大条目数。此设置可以说是最重要的,因为 ARP 垃圾收集将在达到此软最大值后大约 5 秒被触发。
sysctl -w net.ipv4.neigh.default.gc_thresh3=<n>:gc_thresh3表示ARP缓存中的硬最大条目数。
答案2
当我想具体跟踪琶音时,我通常tcpdump与扫描结合使用nmap
tcpdump -ennl -i eth0 arp | grep is-at | tee foo
在运行时执行nmap.这可能需要通过主机名或 IP 进行额外限制,具体取决于您想要tcpdump捕获的数量。
答案3
从您的问题和交互来看,您似乎不了解 MAC 位于第 2 层,因此位于您的网络本地。
当扫描网络外部的多个远程 IP 地址时,只有本地网关/路由器的 MAC 和 IP 地址才会出现在 ARP 缓存中。