I'm current working on a program that scans my network and discoveres computers and devices on the network. I use various operations to find data on the devices I discover, but want to distinguish the network devices from computers. And I'm wondering if anyone knows how I could do this?
I looked a bit at SNMP, and tried connecting to my network printer, router and modem. But I seem to only be able to connect to the printer, neither the router or modem responds.
Is there another way to identify what kind of a device an IP address belongs to?
Using a command line tool such as nmap you can finger print the device which can give you all sorts of information.
Perhaps you can call nmap via c# and read back the response.
Another alternative is to look up the network chip vendor of a given MAC address. But I'm not sure how much detail that will give you.
Here is the example from the nmap site:
# nmap -O -v scanme.nmap.org
Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime guess: 11.433 days (since Thu Sep 18 13:13:01 2008)
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
Raw packets sent: 2021 (90.526KB) | Rcvd: 23 (1326B)
First, this answer is biased on ethernet networks.
The ideas can be tips also for other scenarios.
There is many ways to accomplish this, for example :
- scanning
- targeted discovery
- passive traffic monitoring
scanning
Possible, for example, with nmap.
Pro :
- Can discover unknown devices and services. forgotten by lazy sysadmins or installed by untrusted users.
- Can be a useful tool to discover services and security audit.
- For newbies, it sounds the best way : start from scratch, find them all. Bad news : read the cons.
Cons:
- It is very inefficient. If you start from scratch - you know nothing about the LAN - and you want to find every possible service, you have to scan almost all the tcp and udp ports for every possible host.
- The results aren't 100 % affordable : hw or sw firewalls; etc... The next run can lead to quite a different result.
- The results aren't a simple i_got_it / null, but fuzzy : you need an expert to evaluate the results.
- Sometimes you must have a admin account on your pc to run this scanning.
- Some IDS can log this activity as bad one.
targeted discovery
If your goal is to map your network, the official services, you can think about their official discovery capabilites. For example CDP, SSDP, srvloc, snmp get broadcast, etc...
You have to know what services you are probing.
Pro:
- This is the most efficient way, both max speed and min network bandwidth.
- The result is reliable : next run must return the same result ( obviously if the services and network stay alive ).
- This is the way to check services availability, and account for SLA.
- You don't need an expert : e.g. if a device answers to snmp get SysDescr, you know your data. You get the exact answer or you miss it.
Cons:
- You have to know what services you are probing.
- You cannot use this to be sure to found devices / services. This is nor a security audit neither a discovery tool. For example : I change my http server listen port to 81, how do you find me ?
passive traffic monitoring
Once upon a time, you find ethernet hosts linked with copper cables ( CAT3 / CAT5 ) to hubs.
You can run on any of these hosts a program to capture all the traffic, putting the ethernet card in promiscous mode, so the NIC pass to the operating system all the packets, also the packets with a MAC destination different than the MAC address of the NIC.
Your program can analyze these raw data, and parse the protocols and packets inside.
Nowadays you use ethernet switches, not hubs. Your pc' NIC in promiscous mode doesn't receive all the traffic on the network, because the switch forwards to you only the packets for your host or for all ( broadcast and - if registered - multicast ).
You have to use managed switches, and configured one port to be a repeater or monitor port, to link the monitoring host.
Pro:
- This is passive monitoring - if done right. This can be useful for specific assessment, where you cannot send any packet on the network under test, and you respect strong SLA.
- To collect the nw traffic, you have not to know the protocols and services configuration. For example, you can remove from your host the tcp/ip stack, leave the driver of your ethernet card, and collect the traffic.
- Using managed switch with a monitor port, you don't have to put the NIC in promiscous mode / tweak you tcp/ip stack.
- libpcap / winpcap is the de facto standard to capture packets, and it works. You can play with some GUI frontend, like Analyzer or Wireshark, before to develop your own application.
- It ban be a useful tool to discover services and security audit, too.
Cons:
- Do you have to be sure to not send packets on the network under test ? Use a managed switch with a repeater port, also if you have hubs. The repeater port can only receive network traffic.
- To capture a high troughput of data, like on 1 Gbit, you have to tweak your operating system configuration, otherwise cpus rise to full load and you still loose packets. Forgot ms windows for this stuff.
- Obviously, you see only the live traffic, nothing about services not transmitting.
- See the Cons 3, 4 of scanning. This is near to watch the bits on the wires, it is like the oscilloscope for electronic engineers. You capture all the data, later you need a expert^2 to evaluate them. Yes, later, because analyzing in detail the errors and glitches is very time consuming.
This is a simple discovery for dummies intro. Discovery tools can mix both ways to look for devices and services on the network.
For example, HP JetAdmin discovery uses different methods only to look for HP network printers and scanners not for all the devices on your LAN.
In general you cannot find out much about a device from it's IP.Using the MAC address of the host, you could determine the manufacturer of the Network adapter. The first half of MAC addresses are assigned by manufacturer.
You could try using nmap.
Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.
My remark may look simple. But most of the device that implement SNMP implement the MIB-II. As you can see in here under it exists in 'System' an entry called 'sysDescr' the you can use most of the time to identify the device.