Forums | MacLife

Well, THAT almost got me fired!

I started scanning with nmap, and alla sudden, we get a ton of calls in on the help desk, people freaking out about their security software screaming "WARNING! WARNING!".

So...word of advice...DON'T scan your network without checking with the network admins first!

Well, it probably won't find any Macs that have third-party ethernet cards, but if you can get a copy of the "arp tables" and/or the CAM forwarding tables from your routers and/or switches, you could look for all the ones that have Apple OUI hardware addresses.  I went to this site, saved it to a text file, and grep'd out all the hex lines for Apple.  Here's the resulting list:

00-03-93   (hex)                Apple Computer, Inc.
00-05-02   (hex)                APPLE COMPUTER
00-0A-27   (hex)                Apple Computer, Inc.
00-0A-95   (hex)                Apple Computer, Inc.
00-0D-93   (hex)                Apple Computer
00-11-24   (hex)                Apple Computer
00-30-65   (hex)                APPLE COMPUTER, INC.
00-50-E4   (hex)                APPLE COMPUTER, INC.
00-A0-40   (hex)                APPLE COMPUTER
08-00-07   (hex)                APPLE COMPUTER INC.

So, any arp entries and/or forwarding table entries that start with any of the above three-byte address prefixes should be Apple machines.  For example, the hardware address on my new G5 starts with "00:0d:93".  You can see your own MAC address (not "Mac" address; "MAC" = "Media Access Control") with the "Network Utility", or by doing an "ifconfig -a" in the Terminal.  The other thing to know about this is that arp table entries and CAM forwarding entries are dynamic and age-out after a while (4 hours in most Cisco devices, but other devices can have much shorter timeouts), so if you do this during off-hours then you'll get a lot fewer results than if you do it when people are busy working, say a little while after they come in and start checking their email.  If you were really industrious you could grab the "net-snmp" utilities (or snmperl) and, assuming your network folks will let you do SNMP queries to your network infrastructure, periodically poll all the devices for their arp tables (or CAM forwarding tables, which I should have already mentioned is how switches keep track of which devices are out which ports).  A little bit of sorting, grepping, and "uniq" work after polling for several days should result in a relatively complete list of all the MAC addresses on the network.  The benefit of grabbing arp tables is that those entries will also include the IP address of the associated MAC address, so you can tell what subnet that device is on.  The CAM tables will tell you the port the device is connected to, but not the IP address.

If you have questions, post 'em here, or PM me and we can chat more.  I think I've grabbed the net-snmp stuff before, or else it's now included with Panther, since a "which snmpwalk" showed it in "/usr/bin".  It can be a bit intimidating to dig through SNMP MIB files to find the exact variables you want to poll for, but it's not too bad once you get the hang of it.  Plus, Cisco has all their MIB's online, so if you have Cisco gear and SNMP access to it you can get a ton of statistics from it.  Luckily, the arp information is in a standard MIB, so any device that supports SNMP should support the standard MIB objects for the "ipNetToMediaPhysAddress" table, which a quick bit of checking told me is SNMP-speak for the arp table.

HTH - Good luck!