*** From dhcp-server -- To unsubscribe, see the end of this message. ***
> The netbios name is the computer name for Windows 95/98 and NT stations.
that's a news;^)
> In a large network with mass builds on stations, ghosting, time, moving of
> computers, etc. the location and names become disassociated with anything
> tangible.
what's in a name?) well, NetBIOS name is bound to an IP (in a
TCP/IP environment, of course) and the latter is fairly easy to
find out..
> For example, I see a RAS server called GRASSHOPPER in the
> dhcp.leases. Okay, now what? Where is this puppy? I do not have a massive
For instance, you can use nmblookup that comes with Samba, like
this:
nmblookup GRASSHOPPER
That will give you their IP. Then, for example, i can look at
the ARP cache on the router and find their MAC address. Then, in our
scenario, i can search for this MAC address in a flat db file
that maps all (well, almost all;) ports with attached users.
(this is generated fairly regularly, and can be run at will)
Then i look at another db which maps the ports to their physical
locations in terms of room and building. Then i pick a phone
book... ymmv. but we choose not to bother with this hunting, as
i mentioned earlier. Still, i am interested in the topic as an
exercise!
> Looking in the packet for source is
> interesting, but I need to figure out how I am going to do this.
So, i was eventually interested enough to finally dive into
tcpdump man page and rfc2131 to just find exactly that. And here
are a few variations that i came up with to pick from to one's
taste.
1) I found in archives somebody's (sorry, lost the name now..)
suggestion to use grep on hlen:16. And even though the author
did not like it i saw this option very useful. This will print
the client's IP and that's what we're basically after.. Ex:
tcpdump -n udp port 67 | grep hlen:16
Btw, grepping for just hlen will actually suffice. When hlen=6
tcpdump will print ether expansion instead. And it may be
interesting to watch for any wayward hlen..
2) To not employ another wonderful tool:
tcpdump -nx -s 78 udp port 67 and udp[10] = 0x10
Here, 'udp[10] = 0x10' will select packets with hlen of DHCP part
equal to 16. (i threw in hex for on the fly mnemonics;) And
'-s 78' is just for pretty printing to visually confirm the
beginning of the 52:41.. client identifier;
3) And, to check directly for the latter to start with 'R' use:
tcpdump -nx -s 78 udp port 67 and udp[36] = 0x52
Adjust tcpdump's formatting switches to your taste;)
> For our example, I have 3 IP addresses assigned to
> slightly different RAS mac numbers called GRASSHOPPER.
Those are IPs that you gave to the RAS, not the IP that the
station is using. And the former are pretty useless with respect
to hunting.. I'm sure you already knew that;>
Sorry, i have no experience with other sniffers.. And tcpdump is
fairly common, and easy to find if you don't have one already.
Anyhow, thanks for this little practice in sniffing for me;) -vi
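The three tcpdump variants above work on raw byte offsets into the UDP datagram, which is easy to get wrong by one. The Python below is an added example for this archive, not code from the original message: it decodes the DHCP fixed header per RFC 2131 so you can see why hlen is udp[10] and the first chaddr byte is udp[36], reproduces both byte tests, and flags hlen values the 16-byte chaddr field cannot hold (the "wayward hlen" case). All sample packets are constructed here; the Ethernet MAC, the "RAS " prefix (the post only shows the first two bytes, 52:41) and the hlen of 17 are made-up values.

```python
"""Decode the DHCP/BOOTP fixed header and reproduce the post's tcpdump byte
filters (udp[10] = 0x10, udp[36] = 0x52) in Python.  Example code added for
this archive, not part of the original post.  Runs offline on constructed data."""
import struct

UDP_HDR_LEN = 8            # UDP header is 8 bytes, so DHCP byte n is tcpdump's udp[8 + n]
# RFC 2131 section 2 fixed fields, in order: op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes).  sname/file/options follow.
DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s")
HLEN_OFFSET = 2            # DHCP byte 2  -> udp[10]
CHADDR_OFFSET = 28         # DHCP byte 28 -> udp[36]


def udp_byte_filter(datagram, offset, value):
    """Emulate tcpdump's 'udp[offset] = value' on a raw UDP datagram (header + payload)."""
    return len(datagram) > offset and datagram[offset] == value


def parse_dhcp(payload):
    """Return the fixed-header fields of a DHCP/BOOTP payload as a dict."""
    if len(payload) < DHCP_FIXED.size:
        raise ValueError("short DHCP payload: %d bytes" % len(payload))
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = DHCP_FIXED.unpack_from(payload)
    return {
        "op": op, "htype": htype, "hlen": hlen, "xid": xid,
        "ciaddr": ".".join(str(b) for b in ciaddr),
        "yiaddr": ".".join(str(b) for b in yiaddr),
        "chaddr": chaddr,          # full 16-byte field; only the first hlen bytes are meaningful
    }


def describe_client(payload):
    """Classify a request the way the post's filters do, flagging wayward hlen values."""
    f = parse_dhcp(payload)
    hlen, chaddr = f["hlen"], f["chaddr"]
    if hlen == 0 or hlen > 16:
        # chaddr is only 16 bytes, so such an hlen is malformed; tcpdump cannot print
        # a clean hardware address for it either.  Worth logging rather than ignoring.
        return ("invalid-hlen", hlen, chaddr.hex())
    if hlen == 6 and f["htype"] == 1:
        mac = ":".join("%02x" % b for b in chaddr[:6])
        return ("ethernet", hlen, mac)
    if hlen == 16:
        # The post's case 3: a 16-byte client hardware address starting with 'R' (0x52).
        kind = "ras-style" if chaddr[0] == 0x52 else "hlen16"
        return (kind, hlen, chaddr.hex())
    return ("other", hlen, chaddr[:hlen].hex())


def build_discover(htype, hlen, chaddr, xid=0x3903F326):
    """Construct a minimal DHCPDISCOVER payload (sample data for the demo only)."""
    chaddr = chaddr.ljust(16, b"\x00")[:16]
    fixed = DHCP_FIXED.pack(1, htype, hlen, 0, xid, 0, 0x8000,
                            b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr)
    # 64-byte sname, 128-byte file, then magic cookie, option 53 = DISCOVER, end marker
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
    return fixed + b"\0" * 64 + b"\0" * 128 + options


# Constructed samples: a plain Ethernet station, a client whose 16-byte chaddr begins
# with "RA" like the 52:41 in the post (the rest is made up), and a malformed hlen.
SAMPLES = {
    "ethernet": build_discover(1, 6, bytes.fromhex("00a0c9123456")),
    "ras": build_discover(1, 16, b"RAS " + bytes.fromhex("00a0c9123456") + b"\0" * 6),
    "wayward": build_discover(1, 17, bytes.fromhex("0102030405060708")),
}


def run_filters(payload):
    """Apply the post's two tcpdump byte tests to the payload behind a fake UDP header."""
    udp_hdr = struct.pack("!HHHH", 68, 67, UDP_HDR_LEN + len(payload), 0)
    datagram = udp_hdr + payload
    return {
        "udp[10] = 0x10": udp_byte_filter(datagram, 10, 0x10),
        "udp[36] = 0x52": udp_byte_filter(datagram, 36, 0x52),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, describe_client(payload), run_filters(payload))
```

Only the "ras" sample matches both byte tests; the Ethernet station fails both because its hlen is 6 and chaddr starts 00, and the hlen-17 packet is reported as invalid rather than being silently matched or dropped.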
Archives for this mailing list are available at
http://www.webnology.com/list-archives/dhcp/dhcp-server