[unisog] Determining local servers and banners

Harry Hoffman hhoffman at ip-solutions.net
Mon Apr 4 20:54:44 GMT 2005

Hi All,

We are in the process of writing some apps to do this but I wanted to 
see if anyone else is doing this, how they are doing it, and perhaps any 
potential pitfalls...

So, we are looking to determine all servers running in our IP space and 
then grab any banners that we may find. We currently have a way to do 
this for TCP where we look for the Syn/Ack bits set and the src networks 
to be ours:
tcpdump -i eth0 -w file.dmp 'tcp[13] == 18' and src net '( 192.168.1 or 192.168.2 )'

We read this file and feed it into a perl script which fires off a bunch 
of nmap scans to pull back the banners of the IP/Port found to be a server.

So, this gives us TCP servers and does a pretty good job...

We don't have a way, currently, to grab udp servers. I understand that a 
similar setup could be done with argus and the "-M hostsvc" flags and I 
am currently investigating this option. Is anyone doing this?

I'm quite interested to hear how others are solving this problem. Nmap 
against 65000 ports to find a "quiet" ftp server isn't really an option.
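
Added example, not part of the original post: a Python sketch of the step between the capture and the banner grab, reducing captured frames to a de-duplicated list of local server IP/port pairs using the same test as the filter above (tcp[13] == 18, source in our networks). The function names, the exact switch and the sample frames are assumptions constructed for illustration; exact=False goes beyond the post by also accepting SYN/ACKs that carry extra flag bits such as ECE, which the equality test skips.

```python
import ipaddress
import struct

SYN_ACK = 0x12  # SYN (0x02) | ACK (0x10) == 18, the value tcp[13] == 18 matches

def parse_syn_ack(frame, exact=True):
    """Return (src_ip, src_port) for an Ethernet/IPv4/TCP SYN-ACK, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4  # IP header length varies with options
    if ihl < 20 or frame[23] != 6 or len(frame) < 14 + ihl + 14:  # 6 = TCP
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:  # later fragment, no TCP header
        return None
    tcp = frame[14 + ihl:]
    flags = tcp[13]
    # exact=True mirrors tcp[13] == 18; exact=False ignores other bits (e.g. ECE)
    if (flags != SYN_ACK) if exact else ((flags & SYN_ACK) != SYN_ACK):
        return None
    return ipaddress.IPv4Address(frame[26:30]), struct.unpack("!H", tcp[:2])[0]

def local_servers(frames, local_nets, exact=True):
    """Unique (ip, port) pairs that answered a SYN from inside local_nets."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    found = set()
    for frame in frames:
        hit = parse_syn_ack(frame, exact)
        if hit and any(hit[0] in net for net in nets):
            found.add((str(hit[0]), hit[1]))
    return sorted(found)

def build_frame(src, dst, sport, dport, flags):
    """Constructed test frame: zeroed MACs and checksums, no IP/TCP options."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

NETS = ["192.168.1.0/24", "192.168.2.0/24"]  # the two networks from the filter
SAMPLE = [  # constructed traffic, not a real capture
    build_frame("192.168.1.10", "10.0.0.5", 21, 40000, 0x12),    # local FTP server
    build_frame("192.168.1.10", "10.0.0.5", 21, 40000, 0x12),    # duplicate
    build_frame("192.168.2.20", "10.0.0.6", 8080, 40001, 0x12),  # local server
    build_frame("192.168.1.30", "10.9.9.9", 50000, 80, 0x02),    # local client SYN
    build_frame("10.9.9.9", "192.168.1.30", 80, 50000, 0x12),    # remote server
    build_frame("192.168.1.40", "10.0.0.7", 443, 40002, 0x52),   # SYN/ACK + ECE
]

if __name__ == "__main__":
    for ip, port in local_servers(SAMPLE, NETS):
        print(ip, port)
```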


