English language page Russian language page
download support
Ads

User manual


How to scan your network


More about network scan with code samples


<< 1 2 2.1 3 ... 10 >>


    In the utility uses ARP packets for the network scanning and analysis on the basis of the local ARP cache conclusions about the existence of a host with IP and MAC addresses. How to send ARP packet to the network? The easiest way - by means of WinAPI clean local ARP cache, create a standard UDP socket and send a datagram in a cycle from first to last subnet IP address of a specified interface. So as the ARP cache is empty, the operating system itself will send ARP requests and fill based on the analysis of the ARP cache local responses IP and MAC addresses of existing hosts. Empirically it was found that for correct definition of "live" hosts ARP cache to be cleared completely after each request, and send at least two requests with a certain interval between requests. This at least doubles the network scan time, but increases the reliability of the definition of almost 100%. The code in C / C + + and WinAPI:

/////////// I dynamically link with iphlpapi.dll library, therefore it can be to global declare a pointer to a functions

typedef DWORD (CALLBACK * PTR_GETIPNETTABLE) (PMIB_IPNETTABLE, PULONG, BOOL);
typedef DWORD (CALLBACK * PTR_DELETEIPNETENTRY) (PMIB_IPNETROW);

///////////it is a universal function for cleaning up / get MAC address from the cache



   All worn out format code, and here is in the archive folder is a Visual Studio 2005 project - command line utility to scan the network. To simplify the code number of hosts on the network class C = 254, the utility clears the last digit IP address of the local host and a further cycle of increasing it by one 254 times in the network sends UDP packets. Some messy code, no matter how trying to comb it - came back to this "goto", because only in this way the utility works stably and reliably determine the living hosts.
   Although the utility should work on all Windows since 98, this scanning method has one disadvantage - on the local host operating systems Windows Vista, Windos 2008 and on the Windows 8 scan time exceeds all reasonable limits. As can be seen in the screenshots, on the Windows 7 for 254 addresses scan time about 8 seconds, and on Windows 8 - 25 minutes! Apparently the developers something cool to have changed in the network environment from Windows Vista, for Windows Seven somehow rolled back, and in Windows 2008 and Windows 8 "developer preview" again network environment Vista - like. Here the Paessler AG - developer of network monitoring tool's blog, advised not to use Windows Vista and Windos 2008 as a host for a program that uses to monitor the WMI service.
   In this case one solution - to use the NDIS protocol driver, such as preinstalled ndisuio(ndisprot).sys or download and install the WinPCap library, and create and send ARP requests and catch on "live" hosts ARP replies. What we can be going to do more. In the meantime, let's review the merits: the network certain there will be computers that are running Windows 2000 or XP, 2003, or Windows 7, including 64-bit version, where "normal" ARP cache and is likely to remain so, and where should will be hosted by our network scanner. And if we accept this limitation, our scanner appear many advantages in comparison with the scanner based on the NDIS driver. First - it's portability. Built-in driver ndisuio(ndisprot).sys in version NDIS 5 on Windows XP and 2003 are usually already in the system, wireless networks autoconfiguration service, and to access the driver must stop the service, which is not always acceptable. A similar driver version NDIS 6 of the systems Windows Vista, Windows 7, and further, does not work with ARP protocol or protocols other than 0x888E (EAP over LAN) and 0x8100 (802.1Q - Virtual Lan). Third-party drivers needs to be far from trivial programmable installation, which in turn requires local administrator privileges. But our scanner is run, even with flash-drive, as a non-privileged user. And do not pay attention to the operating systems of scanned hosts - Windows or Linux, maybe even a network printer, any network device is determined even with MAC and IP address and able to respond to ARP requests.
   More - how to obtain an IP address range to scan...