Finding information about other hosts
Once you have the basic information about your machine, you can start to spread out and look at the other machines in your network to determine which hosts are available and the services that they provide. With the right tools, you can even try to determine what operating system these machines are running and what services the machines might be sharing.
Checking hosts
The easiest and most obvious tool for checking remote machines is the ping tool, which checks whether a particular host is up and available. The ping tool does something very simple. It sends a packet to the remote host requesting a response. When the response has been received, the ping tool calculates the time difference, and the time taken to send and receive the packet can be used as an indication of how near or far a machine is from your current location.
For example, if you ping a machine on your own network, you are likely to get a response to the ping packet very quickly (see Listing 11).
Listing 11. Pinging machine on your own network
$ ping bear
PING bear.mcslp.pri (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=0.154 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.162 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.149 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.161 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=0.162 ms
64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=0.161 ms
^C
--- bear.mcslp.pri ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.149/0.158/0.162/0.005 ms
Different implementations of the ping tool work in different ways. By default on Linux and Mac OS X, the tool will continually send packets and wait for a response until you force the application to terminate with Control-C.
On Solaris™, AIX®, and some other UNIX variants, without any additional arguments the ping tools will merely indicate if the remote host responded (see Listing 12).
Listing 12. Pinging without additional arguments on UNIX variants
$ ping bear
bear is alive
To perform the longer test, use the -s option, shown in Listing 13.
Listing 13. Using the -s option for pinging
$ ping -s bear
PING bear: 56 data bytes
64 bytes from bear.mcslp.pri (192.168.0.2): icmp_seq=0. time=0.288 ms
64 bytes from bear.mcslp.pri (192.168.0.2): icmp_seq=1. time=0.247 ms
64 bytes from bear.mcslp.pri (192.168.0.2): icmp_seq=2. time=0.208 ms
64 bytes from bear.mcslp.pri (192.168.0.2): icmp_seq=3. time=0.230 ms
^C
----bear PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 0.208/0.243/0.288/0.034
The time field for each line gives you an indication of the speed and latency (the delay before response, and often an indication of the level of activity) for each packet. When you stop the output, you get a summary of the number of packets sent, received, and the time statistics.
The further the distance that the ping packets have to travel, the longer the response time from the remote host. For example, if you try to ping a public server on the Internet, the time taken for the response packet can be significantly higher (see Listing 14).
Listing 14. Pinging a public server on the Internet
$ ping www.example.com
PING www.example.com (67.205.21.169) 56(84) bytes of data.
64 bytes from mcslp.com (67.205.21.169): icmp_seq=1 ttl=44 time=193 ms
64 bytes from mcslp.com (67.205.21.169): icmp_seq=2 ttl=44 time=194 ms
64 bytes from mcslp.com (67.205.21.169): icmp_seq=3 ttl=44 time=197 ms
64 bytes from mcslp.com (67.205.21.169): icmp_seq=4 ttl=44 time=194 ms
^C
--- www.example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3039ms
rtt min/avg/max/mdev = 193.737/195.120/197.123/1.353 ms
Compare the times for this connection to an Internet service (193ms) with the time for a local host (0.23ms).
The ping tool can also be a quick way of determining whether you can even reach the remote host that you want to connect to. Running ping on a host that does not exist returns a very specific error (see Listing 15).
Listing 15. Pinging a host that does not exist
$ ping notinhere
PING notinhere (192.168.0.110) 56(84) bytes of data.
From bear.mcslp.pri (192.168.0.2) icmp_seq=1 Destination Host Unreachable
From bear.mcslp.pri (192.168.0.2) icmp_seq=2 Destination Host Unreachable
From bear.mcslp.pri (192.168.0.2) icmp_seq=3 Destination Host Unreachable
^C
--- notinhere ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4039ms
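The reply lines and the summary differ slightly between the Linux, Solaris -s and "host unreachable" output shown in Listings 11 to 15. The following parser, added here as an illustration and not part of the original article, extracts the per-packet round-trip times from both reply formats, counts Destination Host Unreachable errors, and rebuilds the same min/avg/max and packet-loss summary that ping prints when you stop it. The sample outputs are constructed to match the listings.

```python
import re
import statistics

# Constructed samples, modelled on the Linux, Solaris -s and unreachable
# listings discussed above (not captured from a real run).
LINUX_PING = """\
PING bear.mcslp.pri (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=0.154 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.162 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.149 ms
"""

SOLARIS_PING = """\
PING bear: 56 data bytes
64 bytes from bear.mcslp.pri (192.168.0.2): icmp_seq=0. time=0.288 ms
64 bytes from bear.mcslp.pri (192.168.0.2): icmp_seq=1. time=0.247 ms
"""

UNREACHABLE_PING = """\
PING notinhere (192.168.0.110) 56(84) bytes of data.
From bear.mcslp.pri (192.168.0.2) icmp_seq=1 Destination Host Unreachable
From bear.mcslp.pri (192.168.0.2) icmp_seq=2 Destination Host Unreachable
"""

# One pattern covers the Linux reply ("icmp_seq=0 ttl=64 time=0.154 ms")
# and the Solaris -s reply ("icmp_seq=0. time=0.288 ms").
REPLY_RE = re.compile(r"icmp_seq=(\d+)\.?.*?\btime=([\d.]+) ms")
# Error replies carry a message instead of a time field.
ERROR_RE = re.compile(r"icmp_seq=(\d+) (Destination .*)$")


def parse_ping(output):
    """Return (round-trip times in ms, error messages) from raw ping output."""
    rtts, errors = [], []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rtts.append(float(m.group(2)))
            continue
        m = ERROR_RE.search(line)
        if m:
            errors.append(m.group(2).strip())
    return rtts, errors


def summarize(output):
    """Rebuild ping's own summary: packets sent/received, loss %, min/avg/max."""
    rtts, errors = parse_ping(output)
    sent = len(rtts) + len(errors)
    if not rtts:
        # No reply at all: every packet counts as lost (the Listing 15 case).
        return {"sent": sent, "received": 0, "loss_pct": 100.0, "errors": errors}
    return {
        "sent": sent,
        "received": len(rtts),
        "loss_pct": round(100.0 * len(errors) / sent, 1),
        "min_ms": min(rtts),
        "avg_ms": round(statistics.fmean(rtts), 3),
        "max_ms": max(rtts),
        "errors": errors,
    }
```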
The ping tool relies on knowing what other machines are available on your network. Let's see how you can determine what hosts might be on the network without knowing their names or IP addresses.
Discovering hosts on your network
Within the Ethernet network system (and others), all devices on your network have a unique address associated with the hardware network device. The Media Access Control (MAC) address uniquely identifies the network device and, through the use of higher-level protocols such as the Internet Protocol, you can associate the MAC address with the host name.
This mapping is used (in reverse) by the operating system when sending packets out on the network. When you send packets to a specific hostname, the operating system resolves the hostname to an IP address and then attempts to resolve that IP address into a MAC address, so it can construct the hardware (Ethernet) packet to be sent out on the network.
The Address Resolution Protocol (ARP) handles this mapping, and you can use the arp tool to display the currently held information about the hosts and their host names or IP addresses.
Because any machine on the network that wants to communicate with another must have sent out a packet with the MAC address and the IP address, the information gleaned by your system in the ARP cache can be a useful way to find out what other machines are on the network (see Listing 16).
Listing 16. Using the arp command
$ arp
Address HWtype HWaddress Flags Mask Iface
gendarme.mcslp.pri ether 00:1B:2F:F0:39:6A C eth0
narcissus.mcslp.pri ether 00:16:CB:85:2D:15 C eth0
solaris2.vmbear.mcslp.p ether 00:0C:29:7F:0D:C5 C eth0
nautilus.wireless.mcslp ether 00:17:F2:40:4D:1B C eth0
sulaco.mcslp.pri ether 00:16:CB:A0:3B:CB C eth0
With modern Ethernet switches, in place of the older hub structure, the information output by arp may be limited to the hosts that your machine has itself sent packets to or received packets from. If you can run arp on a server, you will get a longer list, but this isn't always possible or practical.
On some network switches there is a network management or monitoring port to which all packets are echoed, and which you can use to gain information about the other network devices and therefore the network structure. If you don't have access to this information, you may need a more brute-force approach to finding hosts on your network.
Finding other hosts on your network
The nmap tool is a utility that can perform a variety of different scans across your network to find and determine different levels of information. At a basic level, it can be used to find all of the hosts within a given network.
Earlier the article examined how to get the current IP address and netmask information for a host. You can use this information to set the basic search parameters for nmap to try to find all of the hosts on the network. To specify this information, you have to use CIDR-style addresses. The CIDR format uses the IP address of the host, and the number of bits in the network mask, to determine the span of the network.
From the example host, 192.168.1.25 was the IP address, and the network mask was 255.255.252.0. This is equivalent to 22 bits -- 8 bits for the first part, 8 bits for the second, and 6 bits for the third part.
Running nmap with this address will scan every single IP address within the range (for instance, every address between 192.168.0.0 and 192.168.3.255) and determine which hosts reply.
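The netmask-to-prefix conversion described above is easy to get wrong by hand, so here is a small worked version of it, added as an illustration and not taken from the article. It counts the leading 1-bits of the dotted-quad mask (rejecting masks whose 1-bits are not contiguous, which CIDR cannot express), and then uses the standard ipaddress module to confirm the first and last address nmap will scan for the article's 192.168.1.25 / 255.255.252.0 example.

```python
import ipaddress

# Inputs taken from the article's example host.
HOST_IP = "192.168.1.25"
NETMASK = "255.255.252.0"


def mask_to_prefix(mask):
    """Return the CIDR prefix length for a dotted-quad netmask.

    Raises ValueError for a malformed mask or one whose 1-bits are not
    contiguous (for example 255.255.0.255), since such a mask has no /N form.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad mask: %s" % mask)
    bits = 0
    for o in octets:
        bits = (bits << 8) | o          # pack the four octets into 32 bits
    ones = bin(bits).count("1")
    # A valid mask is exactly `ones` 1-bits followed by (32 - ones) 0-bits.
    if bits != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones


def is_valid_mask(mask):
    """True when mask_to_prefix() accepts the mask."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def scan_target(ip, mask):
    """Return the CIDR target to hand to nmap and the range it covers."""
    prefix = mask_to_prefix(mask)
    # strict=False lets a host address (not the network address) be given.
    net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
    return {
        "cidr": "%s/%d" % (ip, prefix),   # what you type after nmap -sP
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,   # should match nmap's "IP addresses" count
    }


if __name__ == "__main__":
    print(scan_target(HOST_IP, NETMASK))
```

The address count (1024) is the same figure nmap reports at the end of Listings 17 and 18.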
You can perform a number of different tests, including a test using the standard ping protocol, or a more extensive test that tries other network ports in case the ping protocol has been disabled. For example, the ping test displays the list of hosts in Listing 17.
Listing 17. Running nmap to scan range of IP addresses
$ nmap -sP 192.168.1.25/22
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 15:59 GMT
Host 192.168.0.1 appears to be up.
Host bear.mcslp.pri (192.168.0.2) appears to be up.
Host narcissus.mcslp.pri (192.168.0.3) appears to be up.
Host 192.168.0.10 appears to be up.
Host 192.168.0.27 appears to be up.
Host sulaco.mcslp.pri (192.168.0.101) appears to be up.
Host nautilus.wireless.mcslp.pri (192.168.0.109) appears to be up.
Host 192.168.1.1 appears to be up.
Host 192.168.1.25 appears to be up.
Host gentoo1.vmbear.mcslp.pri (192.168.1.52) appears to be up.
Host gentoo2.vmbear.mcslp.pri (192.168.1.53) appears to be up.
Nmap done: 1024 IP addresses (11 hosts up) scanned in 5.78 seconds
The ping check can give you a very quick idea of what other machines are on the network. In this case, 11 hosts have been discovered, but not all of them can be resolved back to a name. This is a fault in the DNS configuration that should be fixed, as some systems use the reverse lookup (IP address to name) as a security check to ensure the client IP address has not been faked.
Finding other services on your network
The ping check is useful, but if you want to know the services an individual machine is actually exposing, use the TCP check. A TCP check takes longer, as nmap will try to open ports using the TCP/IP protocol on each host within the list. This can be more effective at displaying what hosts are on your network, and at providing detailed information about the open ports for each host. You can see this in Listing 18.
Listing 18. Using a TCP check
$ nmap -sT 192.168.1.25/22
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 16:03 GMT
Interesting ports on 192.168.0.1:
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
8080/tcp open http-proxy
49153/tcp open unknown
Interesting ports on bear.mcslp.pri (192.168.0.2):
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
902/tcp open iss-realsecure
993/tcp open imaps
2000/tcp open callbook
2049/tcp open nfs
3128/tcp open squid-http
3306/tcp open mysql
Interesting ports on narcissus.mcslp.pri (192.168.0.3):
Not shown: 982 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
88/tcp open kerberos-sec
106/tcp open pop3pw
111/tcp open rpcbind
311/tcp open asip-webadmin
389/tcp open ldap
548/tcp open afp
625/tcp open apple-xsrvr-admin
749/tcp open kerberos-adm
1021/tcp open unknown
1022/tcp open unknown
3659/tcp open unknown
3689/tcp open rendezvous
4111/tcp open unknown
5900/tcp open vnc
8086/tcp open unknown
8087/tcp open unknown
Interesting ports on 192.168.0.10:
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
Interesting ports on 192.168.0.27:
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Interesting ports on sulaco.mcslp.pri (192.168.0.101):
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
548/tcp open afp
631/tcp open ipp
2170/tcp open unknown
Interesting ports on nautilus.wireless.mcslp.pri (192.168.0.109):
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
111/tcp open rpcbind
1001/tcp open unknown
5900/tcp open vnc
Interesting ports on 192.168.1.1:
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
5431/tcp open unknown
Interesting ports on 192.168.1.25:
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
4045/tcp open lockd
Interesting ports on gentoo1.vmbear.mcslp.pri (192.168.1.52):
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3128/tcp open squid-http
Interesting ports on gentoo2.vmbear.mcslp.pri (192.168.1.53):
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 1024 IP addresses (11 hosts up) scanned in 32.27 seconds
From this output, you can see that there are a number of servers on the network providing a variety of services. The device at 192.168.0.1, for example, provides HTTP and HTTP-proxy services. So does bear.mcslp.pri, in addition to SMTP, IMAP, NFS, and MySQL services.
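Reading the ping-sweep output in Listing 17 and the TCP-scan output in Listing 18 by eye works for a dozen hosts, but not for a larger network. The parser below, added here as an illustration and not part of the original article, merges both kinds of nmap 4.x output into one inventory keyed by IP address, lists the open services per host, and picks out the hosts that came back without a reverse DNS name (the DNS gap the text says should be fixed). The two outputs are constructed excerpts in the same format as the listings.

```python
import re

# Constructed excerpts in the style of the nmap 4.x output in Listings 17 and 18
# (a few hosts only, not a real capture).
NMAP_SP = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 15:59 GMT
Host 192.168.0.1 appears to be up.
Host bear.mcslp.pri (192.168.0.2) appears to be up.
Host 192.168.0.10 appears to be up.
Nmap done: 1024 IP addresses (3 hosts up) scanned in 5.78 seconds
"""

NMAP_ST = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 16:03 GMT
Interesting ports on 192.168.0.1:
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
8080/tcp open http-proxy
Interesting ports on bear.mcslp.pri (192.168.0.2):
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
Interesting ports on 192.168.0.10:
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
Nmap done: 1024 IP addresses (3 hosts up) scanned in 32.27 seconds
"""

# Matches "bear.mcslp.pri (192.168.0.2)" as well as a bare "192.168.0.1";
# the reverse name is optional, which is exactly what we want to detect.
HOST_RE = re.compile(r"^(?:Host|Interesting ports on) (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(*outputs):
    """Merge -sP and -sT style output into {ip: {"name": str|None, "ports": [...]}}."""
    inventory = {}
    for output in outputs:
        current = None
        for line in output.splitlines():
            m = HOST_RE.match(line)
            if m:
                name, ip = m.group(1), m.group(2)
                current = inventory.setdefault(ip, {"name": None, "ports": []})
                if name:
                    current["name"] = name
                continue
            m = PORT_RE.match(line)
            if m and current is not None:
                # (port, protocol, state, service) as nmap printed them
                current["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return inventory


def unresolved_hosts(inventory):
    """Hosts that are up but have no reverse (PTR) name."""
    return sorted(ip for ip, info in inventory.items() if info["name"] is None)


def open_services(inventory, ip):
    """Service names nmap reported as open on the given host."""
    return [svc for port, proto, state, svc in inventory[ip]["ports"] if state == "open"]
```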
To determine more specific information about these services, you can use nmap again with the version argument to get a more specific list of the version information about the protocols and ports that are open on a specific host.
For example, checking what appears to be the main server (bear), you can get a very good idea of exactly what is running behind each of these ports (see Listing 19).
Listing 19. Using nmap with the version argument
$ nmap -sT -sV bear
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 16:17 GMT
Interesting ports on localhost (127.0.0.1):
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1 (protocol 2.0)
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.3-P1
111/tcp open rpcbind
143/tcp open imap Cyrus IMAP4 2.3.13-Gentoo
443/tcp open ssl/http Apache httpd
783/tcp open spamassassin SpamAssassin spamd
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC)
993/tcp open ssl/imap Cyrus imapd
2000/tcp open sieve Cyrus timsieved 2.3.13-Gentoo (included w/cyrus imap)
2049/tcp open rpcbind
3128/tcp open http-proxy Squid webproxy 2.7.STABLE6
3306/tcp open mysql MySQL 5.0.60-log
10024/tcp open smtp amavisd smtpd
10025/tcp open smtp Postfix smtpd
Service Info: Hosts: gendarme.mcslp.com, bear, 127.0.0.1
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.12 seconds
In this case, you can see a number of specific services, this time showing the version and even application information that is provided in each case.
Determining unidentified hosts on your network
When you have found a host on your network, especially one that you may not immediately recognize, you may want to know more about the host. The TCP port scan shows you what services are being supported by the host, but this may not necessarily tell you the whole story. Some devices and systems expose ports in a manner that does not make it immediately obvious what is on your network.
The nmap operating system scan examines the open ports and tries to work out what system is behind the different services. This can make the difference between identifying a server with open ports and a new device on your network.
For example, if you run the operating system identification on the server bear, you can identify the system as running a traditional version of Linux, which probably indicates a standard computer, as shown in Listing 20.
Listing 20. nmap operating system scan
# nmap -sT -O bear
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 16:20 GMT
Interesting ports on localhost (127.0.0.1):
Not shown: 985 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
783/tcp open spamassassin
902/tcp open iss-realsecure
993/tcp open imaps
2000/tcp open callbook
2049/tcp open nfs
3128/tcp open squid-http
3306/tcp open mysql
10024/tcp open unknown
10025/tcp open unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.25
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds
The OS scan is not perfect, and it relies on fingerprinting techniques to determine what the open ports and returned version information mean. For example, the scan in Listing 21 has identified a number of potential operating systems that might be behind the port types.
Listing 21. Scan identifying a number of potential operating systems
# nmap -sT -O some.faroffhost.com
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 16:23 GMT
Interesting ports on some.faroffhost.com (205.196.217.20):
Not shown: 976 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
111/tcp filtered rpcbind
113/tcp open auth
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
548/tcp open afp
554/tcp open rtsp
555/tcp open dsf
587/tcp open submission
687/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
1720/tcp filtered H.323/Q.931
5222/tcp open unknown
5269/tcp open unknown
5666/tcp open unknown
7070/tcp open realserver
8000/tcp open http-alt
8001/tcp open unknown
8649/tcp open unknown
Device type: print server|general purpose|storage-misc|WAP|switch|specialized
Running (JUST GUESSING) : HP embedded (92%), Linux 2.6.X|2.4.X (92%), Buffalo embedded (91%), Acorp embedded (89%), Actiontec Linux 2.4.X (89%), Linksys embedded (89%), Netgear embedded (89%), Infoblox NIOS 4.X (89%)
Aggressive OS guesses: HP 4200 PSA (Print Server Appliance) model J4117A (92%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (92%), Linux 2.6.9 (92%), Buffalo TeraStation NAS device (91%), Linux 2.6.18 (CentOS 5.1, x86) (91%), OpenWrt 7.09 (Linux 2.4.34) (90%), Acorp W400G or W422G wireless ADSL modem (MontaVista Linux 2.4.17) (89%), HP Brocade 4100 switch; or Actiontec MI-424-WR, Linksys WRVS4400N, or Netgear WNR834B wireless broadband router (89%), HP Brocade 4Gb SAN switch (89%), Infoblox NIOS Release 4.1r2-5-22263 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.66 seconds
It is worth noting that the nmap scan can be used on both local and remote networks. In the remote test above, nmap determined how many different systems the packets had to go through before they reached their destination. Understanding the different devices between you and other machines on your network is often the final part of understanding and determining your network layout.
Determining the network structure
Whenever an IP network packet is sent out on the network, a special counter is incremented each time a system forwards the packets on to another network or system. Forwarding of packets happens within a number of different systems. If you have multiple network switches connected together, each hub can identify itself as a new device. In addition, wireless access points and traditional routers are all examples of devices that forward packets and are therefore considered part of the network route of the packet.
In most network environments, hubs, switches, and other components within your local network do not increment this value, but as you stretch out wider across your network, the network gets larger and more complex, so understanding the route taken by individual packets can help you to identify performance and connectivity problems.
The primary tool for displaying the route information for communicating with a host is traceroute. This determines the IP address of each host within a given path from the current host to the destination. If the host is immediately local, then the route is obviously direct (see Listing 22).
Listing 22. Using traceroute
$ traceroute solaris2
traceroute to solaris2 (192.168.1.25), 30 hops max, 40 byte packets
1 solaris2.mcslp.pri (192.168.1.25) 0.651 ms 0.892 ms 0.969 ms
For hosts in the local network that might be accessible through a local router or bridge, see Listing 23.
Listing 23. Hosts in the local network
$ traceroute gentoo1
traceroute to gentoo1 (192.168.1.52), 30 hops max, 40 byte packets
1 gendarme.mcslp.pri (192.168.0.1) 3.163 ms 3.159 ms 6.618 ms
2 gentoo1.mcslp.pri (192.168.1.52) 34.336 ms 34.341 ms 34.341 ms
Connections to distant networks may show each router and step the packets have taken (see Listing 24).
Listing 24. Connections to distant networks
$ traceroute www.ibm.com
traceroute to www.ibm.com (129.42.58.216), 30 hops max, 40 byte packets
1 gendarme.mcslp.pri (192.168.0.1) 3.163 ms 3.159 ms 6.618 ms
2 gauthier-dsl1.hq.zen.net.uk (62.3.82.17) 34.336 ms 34.341 ms 34.341 ms
3 lotze-ge-0-0-1-136.hq.zen.net.uk (62.3.80.137) 37.581 ms 47.276 ms 50.548 ms
4 nietzsche-ae2-0.ls.zen.net.uk (62.3.80.70) 43.945 ms 47.239 ms 50.529 ms
5 nozick-ge-3-1-0-0.ls.zen.net.uk (62.3.80.74) 55.343 ms 55.341 ms 55.339 ms
6 lorenz-ge-3-0-0-0.te.zen.net.uk (62.3.80.78) 66.347 ms 63.118 ms 63.105 ms
7 82.195.188.13 (82.195.188.13) 146.039 ms 118.175 ms 124.532 ms
8 sl-bb22-lon-8-0.sprintlink.net (213.206.128.60) 50.460 ms 47.273 ms 40.991 ms
9 sl-bb20-lon-12-0.sprintlink.net (213.206.128.52) 47.107 ms 47.094 ms 43.711 ms
10 sl-crs2-nyc-0-5-3-0.sprintlink.net (144.232.9.164) 111.579 ms 113.173 ms 113.159 ms
11 144.232.18.238 (144.232.18.238) 116.353 ms 111.633 ms 111.619 ms
12 0.xe-5-0-1.XL3.NYC4.ALTER.NET (152.63.3.125) 114.812 ms 111.788 ms 115.000 ms
13 0.so-7-1-0.XT3.STL3.ALTER.NET (152.63.0.6) 151.969 ms 142.573 ms 142.574 ms
14 POS6-0.GW8.STL3.ALTER.NET (152.63.92.37) 142.552 ms 253.001 ms 252.986 ms
15 ibm-gw.customer.alter.net (65.206.180.74) 179.655 ms 228.775 ms 228.751 ms
16 10.16.255.10 (10.16.255.10) 145.847 ms 139.310 ms 142.509 ms
17 * * *
18 129.42.58.216 (129.42.58.216) 143.118 ms 141.181 ms 141.152 ms
Using this method, in combination with nmap to determine the list of hosts, you can gain a better understanding about the hosts on your network and which routers and systems are used to reach these systems.