IP Trace Utilities

Is there an IP utility for Linux that when used on a network can help
you figure out exactly where it's coming from? Also tell you the OS
version, so you can tell whether it's a printer or a Windows or Linux
Machine.

Then, is this included on a LiveCD?

Adam McCarthy wrote:
> Is there an IP utility for Linux that when used on a network can help
> you figure out exactly where it's coming from? Also tell you the OS
> version, so you can tell whether it's a printer or a Windows or Linux
> Machine.
>
> Then, is this included on a LiveCD?
I mean like in a building. So we can help find out where things are
instead of searching each and every single computer.

On 2005-09-08, Adam McCarthy <(E-Mail Removed)> wrote:
> Is there an IP utility for Linux that when used on a network can help
> you figure out exactly where it's coming from? Also tell you the OS
> version, so you can tell whether it's a printer or a Windows or Linux
> Machine.

"Where it's coming from"?
What do you mean by that term?

Where can a network come from?


Your additional post <(E-Mail Removed)> inclines
you're searching for a way to lookup network components.

OK.

On TCP/IP level you can use nmap.

nmap -sP finds up hosts by pinging them.

-O tries to fingerprint operating systems, when used with -sS
(requires root privileges) you can see open ports.
Much identification can be done port-based, e.g. when smb-ports
(137-139, 445) are open it's most likely a PC running Windows or
Linux & Samba; when Ports 80 and 514 ar 515 are open it looks like
a printserver.
and so on.


On SMB level your can use smbclient -L or utilities such as
linneighborhood.


--
Marco Dieckhoff
icq# 22243433
GPG Key 0x1A6C95BA -- http://www.frankonia-brunonia.de/keys

Adam McCarthy wrote:

> Adam McCarthy wrote:
>> Is there an IP utility for Linux that when used on a network can help
>> you figure out exactly where it's coming from? Also tell you the OS
>> version, so you can tell whether it's a printer or a Windows or Linux
>> Machine.
>>
>> Then, is this included on a LiveCD?
> I mean like in a building. So we can help find out where things are
> instead of searching each and every single computer.

Maybe nmap can help; http://www.insecure.org/nmap/
and it is on some LiveCD's; http://www.sysresccd.org/


--
Contained within the Microsoft EULA;
This Limited Warranty is void if failure of the Product has resulted
from accident, abuse, misapplication, abnormal use or a virus.

Marco Dieckhoff wrote:
> On 2005-09-08, Adam McCarthy <(E-Mail Removed)> wrote:
>
>>Is there an IP utility for Linux that when used on a network can help
>>you figure out exactly where it's coming from? Also tell you the OS
>>version, so you can tell whether it's a printer or a Windows or Linux
>>Machine.
>
>
> "Where it's coming from"?
> What do you mean by that term?
>
> Where can a network come from?
>
>
> Your additional post <(E-Mail Removed)> inclines
> you're searching for a way to lookup network components.
>
> OK.
>
> On TCP/IP level you can use nmap.
>
> nmap -sP finds up hosts by pinging them.
>
> -O tries to fingerprint operating systems, when used with -sS
> (requires root privileges) you can see open ports.
> Much identification can be done port-based, e.g. when smb-ports
> (137-139, 445) are open it's most likely a PC running Windows or
> Linux & Samba; when Ports 80 and 514 ar 515 are open it looks like
> a printserver.
> and so on.
>
>
> On SMB level your can use smbclient -L or utilities such as
> linneighborhood.
>
>
I meant like what room or computer name it is.

On Thu, 08 Sep 2005 20:06:27 -0400, Adam McCarthy
<(E-Mail Removed)> wrote:
> Marco Dieckhoff wrote:
>> On 2005-09-08, Adam McCarthy <(E-Mail Removed)> wrote:
>>
>>>Is there an IP utility for Linux that when used on a network can help
>>>you figure out exactly where it's coming from? Also tell you the OS
>>>version, so you can tell whether it's a printer or a Windows or Linux
>>>Machine.
>>
>>
>> "Where it's coming from"?
>> What do you mean by that term?
>>
>> Where can a network come from?
>>
>>
>> Your additional post <(E-Mail Removed)> inclines
>> you're searching for a way to lookup network components.
>>
>> OK.
>>
>> On TCP/IP level you can use nmap.
>>
>> nmap -sP finds up hosts by pinging them.
>>
>> -O tries to fingerprint operating systems, when used with -sS
>> (requires root privileges) you can see open ports.
>> Much identification can be done port-based, e.g. when smb-ports
>> (137-139, 445) are open it's most likely a PC running Windows or
>> Linux & Samba; when Ports 80 and 514 ar 515 are open it looks like
>> a printserver.
>> and so on.
>>
>>
>> On SMB level your can use smbclient -L or utilities such as
>> linneighborhood.
>>
>>
> I meant like what room or computer name it is.

To find the computer name, use "host" or "dig", assuming that you have a
DNS server with entries for every machine on the network.


--
Atlanta makes it against the law to tie a giraffe to a telephone pole
or street lamp.

In the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed)>, Adam McCarthy wrote:

>> Is there an IP utility for Linux that when used on a network can help
>> you figure out exactly where it's coming from? Also tell you the OS
>> version, so you can tell whether it's a printer or a Windows or Linux
>> Machine.

Any O/S fingerprinting tool should be able to ID the system. Looking at
the Ethernet frame and grabbing the source MAC address will also give
clues.

> I mean like in a building. So we can help find out where things are
> instead of searching each and every single computer.

No - for that you'd need more efforts. If the individual computer
has no firewall running, and the user is doing network activities, such
as checking mail, you can often get a Username that way. In the old days
before we had to start securing systems against abuse, fingering the
unknown computer, or telnet/rsh/rlogin in, and running the 'w' or 'who'
command told most of what was needed.

Today, we don't allow a computer onto the net until we have full inventory
data, which includes username, location, property tag and serial numbers,
MAC Address, hostname, and cost center. Networking knows which port on
which switch is located in which room, and we can often have a network
admin and the security personnel at an unregistered computer before it
finishes booting - certainly within five minutes max.

If you don't have a list with such details, your best bet might be to
come in to the office tomorrow (Saturday) and "walk the halls" looking
at every single computer you find. Then, follow up by requiring those
details on every new computer brought into the facility, even if it's
only coming in for a presentation by some vendor. We're an R&D facility,
and corporate management has signed off on this policy. There are also
large signs at every entrance warning that un-authorized computers WILL
be confiscated. Employees are aware of policy, and have signed copies on
file. Visitors are required to read and sign a similar document before
being granted entry. BE SURE TO GET WRITTEN MANAGEMENT APPROVAL before
you implement this.

Old guy