As the system administrator of a VOS system you typically could not care less which other hosts are on the local subnet. You care about the configured gateways and, of course, about any local hosts that communicate with your system, but the other hosts are below your radar. There are, however, two very good reasons for knowing who your network neighbors are. First, in the event of a communication problem you can use these other hosts to test your network connection. Second, these are the hosts that are most likely to be the source of any kind of network-based attack.
It is not a bad idea to scan the local subnet every so often (say every Wednesday morning) just to see who is out there. VOS does not have a built-in scanner, but it does have the ping command, which, when surrounded by a few lines of a command macro, can be made into one.
&set X 1
&while &X& < 255
ping 192.168.11.&X&
&set X (calc &X& + 1)
&end
There are three issues with using ping to scan for hosts. First, it is not very efficient. The default timeout is 15 seconds and the command will try 4 times, so it will take a minute to scan for a host that is not there or does not respond to pings. Luckily, the number of tries can be reduced to 1 and the timeout reduced to 1 second. This is still not efficient from the perspective of a dedicated scanning tool, but I think it is good enough for our needs.
&set X 1
&while &X& < 255
ping 192.168.11.&X& -count 1 -timeout 1
&set X (calc &X& + 1)
&end
The second issue is that not all hosts will respond to pings. That, however, is not a significant problem, because with just one more line our command macro will report which hosts sent an ARP reply. ARP is used to map an IP address to an Ethernet MAC address, and VOS must know the Ethernet MAC address before it can send the ping. It therefore sends an ARP request to the target host and places the data from the reply into the ARP cache. All hosts will respond to the ARP request with an ARP reply even if they will not respond to the subsequent ping request. The arp command will display the requested entry if one is there.
&set X 1
&while &X& < 255
ping 192.168.11.&X& -count 1 -timeout 1
arp 192.168.11.&X&
&set X (calc &X& + 1)
&end
The above command macro intermixes the ping requests and responses with the ARP data, so it is not very readable. The following macro produces a neat table of neighbors in a file named arp_scan.(date).out. It assumes a class C network, that is, the first three octets are fixed, and scans for hosts 1 through 254. I suggest you run it as a started process.
& arp_scan.cm begins here
&
& arp_scan.cm
& version 1.0 09-04-06
&
&begin_parameters
BASE BASE:string,req
&end_parameters
&
& make sure extraneous stuff isn't echoed into the results file
&if (process_type) = 'batch' &then &do
set_ready -format off
&echo no_command_lines
&end
&
&set X 1
&set_string FILE (process_dir)>arp_scan.out
&if (exists &FILE&)
&then delete_file &FILE& -no_ask
&while &X& < 255
ping &BASE&.&X& -count 1 -timeout 1
attach_default_output &FILE& -append
arp &BASE&.&X&
detach_default_output
&set X (calc &X& + 1)
&end
display &FILE& -match &BASE& -no_header -output_path arp_scan.(date).out
&
& arp_scan ends here
The ARP cache timeout is 10 minutes. If there is an entry with a time of less than 10 minutes, you will know that the module was already communicating with that host before the scan was done.
d arp_scan.09-04-06.out
%phx_vos#m16_mas>SysAdmin>Noah_Davids>arp_scan.09-04-06.out 09-04-06 15:20:30 m
164.152.77.11 00-00-A8-80-80-4A temp 9 mins
164.152.77.12 00-00-A8-80-81-EC temp 9 mins
164.152.77.100 00-0C-29-A9-85-44 temp 10 mins
164.152.77.103 00-04-0D-E8-B8-44 temp 2 mins
164.152.77.111 00-19-E7-8E-EA-38 temp 10 mins
164.152.77.114 00-04-0D-4A-DD-C6 temp 5 mins
164.152.77.116 00-04-0D-4A-BF-50 temp 10 mins
164.152.77.143 00-07-3B-CE-19-46 temp 8 mins
164.152.77.147 00-07-3B-91-BE-51 temp 8 mins
. . .
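Added example (Python, not part of the original article and not a VOS command): it parses an arp_scan.(date).out listing like the one above into a table, flags the entries that were already in the cache before the scan ran (age under the 10 minute timeout), and compares this week's file with a saved baseline so that new hosts, vanished hosts and changed MAC addresses stand out. The line layout is assumed from the listing; the baseline file and the altered MAC in it are constructed for the example.

```python
import ipaddress
import re

# ARP cache timeout stated in the article: an entry younger than this was
# in the cache before the scan, i.e. the module was already talking to that host.
ARP_CACHE_TIMEOUT_MINS = 10

# One arp_scan output line: "<ip> <mac> temp <n> mins". Layout assumed from the
# sample listing; entry types other than "temp" are accepted and kept as-is.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+"
    r"(?P<kind>\S+)\s+(?P<age>\d+)\s+mins?\b"
)

# Constructed sample: this week's arp_scan.(date).out, copied from the listing above.
CURRENT_SCAN = """\
164.152.77.11 00-00-A8-80-80-4A temp 9 mins
164.152.77.12 00-00-A8-80-81-EC temp 9 mins
164.152.77.100 00-0C-29-A9-85-44 temp 10 mins
164.152.77.103 00-04-0D-E8-B8-44 temp 2 mins
"""

# Constructed sample: last week's file, kept as the baseline. .114 has since gone,
# .103 is new, and .100 answers from a different MAC (last byte altered on purpose).
BASELINE_SCAN = """\
164.152.77.11 00-00-A8-80-80-4A temp 10 mins
164.152.77.12 00-00-A8-80-81-EC temp 10 mins
164.152.77.100 00-0C-29-A9-85-45 temp 10 mins
164.152.77.114 00-04-0D-4A-DD-C6 temp 10 mins
"""


def parse_arp_scan(text):
    """Turn arp_scan output into a list of entries; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ARP_LINE.match(raw.strip())
        if not m:
            continue
        age = int(m.group("age"))
        entries.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").upper(),
            "age_mins": age,
            # younger than the cache timeout => it was cached before the scan ran
            "seen_before_scan": age < ARP_CACHE_TIMEOUT_MINS,
        })
    return entries


def _by_ip(addrs):
    # sort numerically, so .2 comes before .11 (a plain text sort would not)
    return sorted(addrs, key=ipaddress.ip_address)


def compare_scans(baseline, current):
    """Diff two parsed scans: hosts that appeared, disappeared, or changed MAC."""
    base = {e["ip"]: e["mac"] for e in baseline}
    cur = {e["ip"]: e["mac"] for e in current}
    return {
        "new": _by_ip(set(cur) - set(base)),
        "gone": _by_ip(set(base) - set(cur)),
        "mac_changed": _by_ip(ip for ip in set(base) & set(cur) if base[ip] != cur[ip]),
    }


def report(baseline, current):
    """Human-readable summary of compare_scans, one line per finding."""
    diff = compare_scans(baseline, current)
    lines = [f"{k}: {', '.join(v) or 'none'}" for k, v in diff.items()]
    pre = [e["ip"] for e in current if e["seen_before_scan"]]
    lines.append(f"already in ARP cache before scan: {', '.join(_by_ip(pre)) or 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(parse_arp_scan(BASELINE_SCAN), parse_arp_scan(CURRENT_SCAN)):
        print(line)
```

Keeping last week's arp_scan.(date).out and diffing it against this week's is what turns the listing into something actionable: a new address or a MAC that changed for a known address is worth a question, whereas the same set of hosts week after week needs no attention at all.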
The third issue is the complaint you might get from your network administrator for actively scanning the network. If they object to this activity you can scan it passively by using the packet_monitor command to capture broadcast packets.
packet_monitor -numeric -filter -no_transmit -ip -mac_dst ff:ff:ff:ff:ff:ff -filter -no_transmit -arp
Using this technique relies on the other hosts in the network actively communicating and sending broadcasts while packet_monitor is running. If you use this technique you will have to let packet_monitor run for quite a while; how long depends on your network. I suggest that you put the above command into a command macro (packet_monitor_scan.cm) and run it as a started process. Don't forget to run the process as privileged.
Once you have a trace you will then need to convert it into a usable table of addresses. The following macro will do that (it assumes packet_monitor_scan was a started process generating a process_packet_monitor_scan.out file).
& process_packet_monitor_scan.cm begins here
&
& process_packet_monitor_scan.cm
& version 1.0 09-04-06
& version 1.1 09-06-12 Added progress messages
&
& make sure extraneous stuff isn't echoed into the results file
&if (process_type) = 'batch' &then &do
set_ready -format off
&echo no_command_lines
&end
&
&
attach_default_output (process_dir)>packet_monitor_scan
&set LINE 1
&set_string TEXT &+
(translate (contents packet_monitor_scan.out &LINE& -hold) '_' ' ')
&while (substr &TEXT& 1 7) ^= 'Process'
&set_string SOURCE '_'
&if (substr &TEXT& 1 9) = 'R_ARP_Req' &then &do
&set_string SOURCE (substr &TEXT& 39)
&end
&if (substr &TEXT& 1 9) = 'R_ARP_Rep' &then &do
&set_string SOURCE (substr &TEXT& 59)
&end
&if (substr &TEXT& 1 3) = 'R__' &then &do
&set_string SOURCE (substr &TEXT& 15)
&end
&set I (calc (index &SOURCE& '_') - 1)
&if &SOURCE& ^= '_' &then display_line (substr &SOURCE& 1 &I&)
&set LINE (calc &LINE& + 1)
&if (mod &LINE& 1000) = 0
&then &do
detach_default_output
display_line working on line &LINE&
attach_default_output (process_dir)>packet_monitor_scan -append
&end
&set_string TEXT (translate (contents packet_monitor_scan.out &LINE&) '_' ' ')
&end
detach_default_output
display_line doing sort
sort (process_dir)>packet_monitor_scan -duplicates_path (process_dir)>dups
copy_file &+
(process_dir)>packet_monitor_scan packet_monitor_scan.(date).out -delete
display_line packet_monitor_scan.(date).out created
&
& process_packet_monitor_scan.cm ends here
Running it produces the following table.
d packet_monitor_scan.09-06-12.out
%phx_vos#m16_mas>SysAdmin>Noah_Davids>packet_monitor_scan.09-06-12.out 09-06-12
0.0.0.0
10.10.1.10
10.10.1.11
10.10.1.2
10.10.1.20
10.10.1.21
10.10.1.22
10.10.1.23
10.10.1.75
10.20.1.2
10.20.1.21
10.20.1.26
10.20.1.27
10.20.1.3
10.20.1.30
. . .
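Added example (Python, not part of the original article): the same extraction that process_packet_monitor_scan.cm performs, using the record prefixes and source-address column offsets the macro checks (columns 39, 59 and 15, and the stop at the first line beginning with "Process"), but producing a numerically sorted table with a per-host count of broadcast and ARP records instead of a plain text-sorted list. The trace lines are constructed so that the source field lands at the macro's columns; everything else on them is filler, not real packet_monitor output.

```python
import ipaddress

# Column positions the process_packet_monitor_scan.cm macro relies on (1-based 39, 59
# and 15 in the macro, 0-based here): where the source address starts per record type.
SOURCE_OFFSETS = (
    ("R ARP Req", 38),  # received ARP request
    ("R ARP Rep", 58),  # received ARP reply
    ("R  ", 14),        # received IP datagram (the filter keeps only MAC broadcasts)
)


def _trace_line(prefix, width, source, tail):
    """Build a constructed record whose source field starts at 0-based column `width`."""
    return f"{prefix:<{width}}{source} {tail}"


# Constructed sample trace. Only the record prefixes and the source-field columns follow
# the macro above; the rest of each line is filler and not real packet_monitor output.
SAMPLE_TRACE = "\n".join([
    _trace_line("R ARP Req", 38, "10.10.1.10", "target 10.10.1.1"),
    _trace_line("R ARP Rep", 58, "10.10.1.2", "hw 00-00-00-00-00-02"),
    _trace_line("R  ", 14, "10.10.1.10", "255.255.255.255 UDP"),
    _trace_line("R ARP Req", 38, "0.0.0.0", "target 10.10.1.20"),
    _trace_line("R  ", 14, "10.10.1.11", "255.255.255.255 UDP"),
    _trace_line("R  ", 14, "not-an-address", "dropped by the parser"),
    "Process packet_monitor_scan terminated",  # the macro stops at the first 'Process' line
])


def extract_source(line):
    """Return the source IPv4 address of one trace record, or None if it has none."""
    for prefix, start in SOURCE_OFFSETS:
        if line.startswith(prefix):
            field = line[start:].split(" ", 1)[0]  # the macro cuts at the next blank too
            try:
                return str(ipaddress.IPv4Address(field))
            except ipaddress.AddressValueError:
                return None  # field present but not an IPv4 address: skip the record
    return None


def summarize_trace(text):
    """Map each source address to how many broadcast/ARP records it sent, numerically sorted."""
    counts = {}
    for line in text.splitlines():
        if line.startswith("Process"):
            break
        src = extract_source(line)
        if src is not None:
            counts[src] = counts.get(src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: ipaddress.ip_address(kv[0])))


if __name__ == "__main__":
    for ip, n in summarize_trace(SAMPLE_TRACE).items():
        print(f"{ip:<16} {n}")
```

The count column is the part the sorted list above does not give you: a host that sends far more broadcasts or ARP requests than its neighbors is the first one to look at, and a numeric sort keeps 10.10.1.2 next to 10.10.1.3 rather than between 10.10.1.11 and 10.10.1.20.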