简体繁体 English

网络嗅探器 - 检测非 DHCP 网络中的子网掩码

[英]network sniffer - detect subnet mask in non-DHCP network

原文 2022-01-29 14:34:12 0 1 networking/ ip/ openwrt/ subnet/ dhcp

I'm writting a simple network sniffer that should be able to reconstruct network structure.我正在编写一个简单的网络嗅探器，它应该能够重建网络结构。

When an interface has set up a DHCP, I can easily read interface settings such as client IP address, subnet mask, DNS server etc. by catching a DHCP packet and analysing it.当接口设置了 DHCP 后，我可以通过捕获 DHCP 数据包并对其进行分析，轻松读取客户端 IP 地址、子网掩码、DNS 服务器等接口设置。

When an interface has a static IP, I'm catching ARP Announcement packet to get static IP address and then ARP request from the gateway, to get geteway IP address. When an interface has a static IP, I'm catching ARP Announcement packet to get static IP address and then ARP request from the gateway, to get geteway IP address. I'm also saving MAC addresses.我也在保存 MAC 地址。

My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address.我的问题是：如何从网络中的一个或多个 static IP 和网关地址获取子网掩码。 Or by caching some packets.或者通过缓存一些数据包。 I didn't see packets that could have such informations.我没有看到可能包含此类信息的数据包。 I also need DNS address, but it's less important.我还需要 DNS 地址，但它不太重要。

The program should work in OpenWRT (C++).该程序应该在 OpenWRT (C++) 中运行。

1 个解决方案

My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address.我的问题是：如何从网络中的一个或多个 static IP 和网关地址获取子网掩码。

Possibly, you can't.可能，你不能。

If the sniffed network uses DHCP then you can monitor the DHCP requests (which should be broadcast) for their subnet mask and router fields which mirror the server's offer.如果被嗅探的网络使用 DHCP，那么您可以监视 DHCP 请求（应该被广播）的子网掩码和反映服务器提供的路由器字段。

Without DHCP, all you can do is take an educated guess.如果没有 DHCP，您所能做的就是做出有根据的猜测。 If your passive sniffer registers broadcasts from addresses 192.168.1.1 through 192.168.1.29, you know that the prefix length is at most /27.如果您的被动嗅探器注册从地址 192.168.1.1 到 192.168.1.29 的广播，则您知道前缀长度最多为 /27。 It could also be anything shorter, down to /16, with potential addresses being (currently) absent or silent.它也可以更短，低至 /16，潜在地址（当前）不存在或保持沉默。 The prefix could be even short than /16 if the network admin is ignoring RFC 1918. With public addresses you're mostly on your own.如果网络管理员忽略 RFC 1918，则前缀甚至可能比 /16 短。使用公共地址，您主要靠自己。

If you can scan actively you could send ARP requests and see which ones get answered - you'd also see nodes that don't originate any traffic/broadcasts.如果您可以主动扫描，您可以发送 ARP 请求并查看哪些请求得到答复 - 您还会看到不发起任何流量/广播的节点。

The gateway is also just a guess.网关也只是一个猜测。 In a network with mostly Internet-bound traffic, the default gateway is most likely the one being ARPed most often.在以 Internet 绑定流量为主的网络中，默认网关很可能是最常被 ARPed 的网关。 If the network traffic is mostly server-centric, ARP requests for their addresses outnumber the ones for any gateway.如果网络流量主要以服务器为中心，则针对其地址的 ARP 请求数量超过任何网关的请求数量。

Your sniffer is severely limited when it is just attached to a switch and listening to broadcast packets only.当您的嗅探器仅连接到交换机并仅侦听广播数据包时，它会受到严重限制。 If the sniffer manages to listen to all traffic on the network (via a monitoring/mirroring switch port) then you can easily identify the gateway by its MAC address that packets for arbitrary IP addresses is sent to and vice versa.如果嗅探器设法侦听网络上的所有流量（通过监控/镜像交换机端口），那么您可以通过其 MAC 地址轻松识别网关，将任意 IP 地址的数据包发送到该网关，反之亦然。

As above, if you can actively send probe packets you could test the gateway(s) with packets that they accept (and hopefully forward) and which ones they reject.如上所述，如果您可以主动发送探测数据包，您可以使用网关接受（并希望转发）和拒绝哪些数据包来测试网关。