Assuming the subnet is 192.168.0.0/24:
nmap -sP 192.168.0.0/24
should populate the ARP table.

Bill

On 1/31/2020 5:16 PM, Samuel Sieb wrote:
> On 1/31/20 1:52 PM, Ed Greshko wrote:
>> On 2020-02-01 04:56, Samuel Sieb wrote:
>>> I thought about that, but it's only useful for mapping back from the MAC address and that would only work if the computers are talking directly using local addresses.  Only the attacking computer would have an arp entry for the target computer.  If the target does not normally have any communication with the attacker, it won't have an entry for it.  If he has access to the gateway computer, then that would more likely have an arp entry for the attacker.
>>
>> Well since arp is only on the LAN and since LAN communication is arp based the tcpdump packets will
>> have the MAC address of the device on the local network from which the ssh packets were routed through.
>
> I'm not sure what you're saying.  Yes, the packets will have the MAC address of the sending device.  But the local arp table will most likely not have an entry for that MAC address.  So you will have to try to track down the device only by the MAC and not by IP.  The DHCP server would be a good place to look for that.
>
> An ARP lookup is only done on sending, not receiving.  Since the incoming IP address is not local, there will be no ARP request made for the reply because it will be sending it to the default gateway.  (There might be an ARP request for the gateway if the entry is stale.)
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
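
Added example, not part of the original messages: the lookup described in the thread, taking the source MAC of inbound SSH frames from `tcpdump -e` output and resolving it against the DHCP server's lease file rather than the local ARP table. The capture lines, the lease excerpt, the choice of the ISC dhcpd lease format and all function names are assumptions made for illustration.

```python
import re

# Constructed samples (not from the thread): `tcpdump -e -n` lines and an
# ISC dhcpd.leases excerpt. The lease format is an assumption.
TCPDUMP = """\
17:16:03.101 52:54:00:aa:bb:01 > 52:54:00:00:00:10, ethertype IPv4 (0x0800), length 74: 203.0.113.7.51514 > 192.168.0.10.22: Flags [S], length 0
17:16:03.102 52:54:00:00:00:10 > 52:54:00:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.168.0.10.22 > 203.0.113.7.51514: Flags [S.], length 0
17:16:04.250 52:54:00:aa:bb:01 > 52:54:00:00:00:10, ethertype IPv4 (0x0800), length 74: 198.51.100.9.40022 > 192.168.0.10.22: Flags [S], length 0
"""
LEASES = """\
lease 192.168.0.57 {
  hardware ethernet 52:54:00:aa:bb:01;
  client-hostname "laptop-7";
}
lease 192.168.0.80 {
  hardware ethernet 52:54:00:cc:dd:02;
}
"""

# timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port:
FRAME = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, .*?: "
                   r"(?P<sip>\S+) > [\d.]+\.(?P<dport>\d+):", re.I)

def inbound_ssh_macs(capture, port=22):
    """Map source MAC -> set of source IPs seen on frames sent to `port`."""
    seen = {}
    for line in capture.splitlines():
        m = FRAME.match(line)
        if m and int(m["dport"]) == port:
            ip = m["sip"].rsplit(".", 1)[0]          # strip the source port
            seen.setdefault(m["src"].lower(), set()).add(ip)
    return seen

def parse_leases(text):
    """Map MAC -> (leased IP, hostname or None) from dhcpd.leases text."""
    leases = {}
    for ip, body in re.findall(r"lease (\S+) \{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]{17});", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if mac:
            leases[mac[1].lower()] = (ip, host[1] if host else None)
    return leases

def identify(capture, leases_text):
    """Resolve each sending MAC via DHCP leases; the ARP table is not used."""
    leases = parse_leases(leases_text)
    return {mac: {"claimed_ips": sorted(ips), "lease": leases.get(mac)}
            for mac, ips in inbound_ssh_macs(capture).items()}
```

A MAC with no lease (`"lease": None`) points to a statically addressed device or a forwarding router, which then has to be traced by MAC alone, for example on the switch.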