Get the following:
IP address of host
IP address of gateway (usually router or firewall)
Subnet mask on host
Network CIDR (can be calculated from the subnet mask)
For example, assume we have the following output of ifconfig…
[root@CMHLDORLGRD01 ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:56:A9:62:EB
          inet addr:172.26.24.25  Bcast:172.26.24.31  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24106580889 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22645258582 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34430908645826 (31.3 TiB)  TX bytes:6436143231290 (5.8 TiB)

[root@CMHLDORLGRD01 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.26.24.0     *               255.255.255.224 U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         172.26.24.1     0.0.0.0         UG    0      0        0 eth0
[root@CMHLDORLGRD01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.26.24.0     0.0.0.0         255.255.255.224 U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         172.26.24.1     0.0.0.0         UG    0      0        0 eth0

[root@CMHLDORLGRD01 ~]# ping 172.26.24.1
PING 172.26.24.1 (172.26.24.1) 56(84) bytes of data.
64 bytes from 172.26.24.1: icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from 172.26.24.1: icmp_seq=2 ttl=64 time=0.190 ms

--- 172.26.24.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.173/0.181/0.190/0.015 ms
[root@CMHLDORLGRD01 ~]#
So we have the following:
IP address of host – 172.26.24.25
IP address of gateway (usually router or firewall) – 172.26.24.1
Subnet mask on host – 255.255.255.224
Network CIDR (can be calculated) – 224 = 11100000 in binary, so this is a /27 network (bits 25, 26, and 27 are set)
Since bit 27 is the last bit set (bit 25 = 128, bit 26 = 64, and bit 27 = 32), each subnet is a block of 32 addresses and can hold 30 hosts (one address is reserved for the network and one for the broadcast address). Our network ranges in the last octet are 0 – 31, 32 – 63, 64 – 95, etc.
Since .25 falls in the 0 – 31 range, and our gateway (.1) and broadcast (.31) both fall in the same range, we should be able to reach the gateway and be routed (if necessary) to other subnets.
For another example, assume we have the following…
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : foobar.com
   Link-local IPv6 Address . . . . . : fe80::f453:9c28:392a:da0%12
   IPv4 Address. . . . . . . . . . . : 172.26.248.154
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 172.26.248.129

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : foobar.com
   Link-local IPv6 Address . . . . . : fe80::84ba:68eb:f0da:c37e%11
   IPv4 Address. . . . . . . . . . . : 172.26.248.209
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 172.26.248.129

Since both adapters are on the same subnet, we can use the same calculation for each.
First of all, we can assume the subnet can have 126 hosts, since the last bit set in the subnet mask is 128 in the last octet.
11111111 11111111 11111111 10000000
Since our gateway is 172.26.248.129, we can also assume it is the start of the network. As such, our IP range is 172.26.248.129 – 172.26.248.255
Incidentally, you can also reverse engineer the broadcast address from the subnet mask and the IP address. Using the data from the first example above:
255.255.255.224 in binary is…
11111111 11111111 11111111 11100000
…so we take the opposite (bitwise NOT) of that…
00000000 00000000 00000000 00011111
…and then convert our IP address to binary…
172.26.24.25
10101100 00011010 00011000 00011001
…and logically OR it with the inverted subnet mask we calculated above.
10101100 00011010 00011000 00011111
172.26.24.31
Notice our answer, converted back from binary, matches the Bcast value in the ifconfig output near the beginning of this post.
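The same arithmetic, written out as a small script so it can be checked against both examples in this post. This is an added example, not code from the original post; the addresses are the ones quoted above (172.26.24.25/255.255.255.224 with gateway 172.26.24.1, and the 255.255.255.128 network with gateway 172.26.248.129). `broadcast_from_host` reproduces the manual host-OR-NOT-mask derivation bit for bit, `mask_to_prefix` turns the dotted mask into the /27 or /25 prefix, and `describe_subnet` returns the network, broadcast, block size, usable host count and whether the gateway actually sits inside the host's subnet, which is the check that matters when a box cannot reach its default gateway. It also rejects non-contiguous masks, which `ipaddress` would otherwise accept silently.

```python
import ipaddress

# Values taken from the ifconfig/route output earlier in the post.
HOST_IP = "172.26.24.25"
NETMASK = "255.255.255.224"
GATEWAY = "172.26.24.1"


def to_binary(dotted: str) -> str:
    """Render a dotted-quad as four space-separated 8-bit groups."""
    return " ".join(f"{int(octet):08b}" for octet in dotted.split("."))


def mask_to_prefix(mask: str) -> int:
    """Count the set bits of a subnet mask (255.255.255.224 -> 27).

    Rejects masks whose ones are not contiguous; those are not valid subnet
    masks, and ipaddress would otherwise misinterpret them silently.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def broadcast_from_host(ip: str, mask: str) -> str:
    """The manual derivation from the post: host address OR (NOT mask)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    wildcard = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip_int | wildcard))


def describe_subnet(ip: str, mask: str, gateway: str) -> dict:
    """Everything the post works out by hand, from host IP, mask and gateway."""
    prefix = mask_to_prefix(mask)
    # strict=False lets us pass a host address rather than the network address.
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    # /31 (RFC 3021) and /32 reserve nothing; every other prefix loses the
    # network and broadcast addresses.
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "cidr": str(net),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "block_size": net.num_addresses,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        # A gateway outside the host's own subnet cannot be reached without
        # another route; this is the usual "default gateway" misconfiguration.
        "gateway_on_subnet": ipaddress.IPv4Address(gateway) in net,
    }


if __name__ == "__main__":
    print("mask  ", to_binary(NETMASK))
    print("host  ", to_binary(HOST_IP))
    print("bcast ", to_binary(broadcast_from_host(HOST_IP, NETMASK)))
    for key, value in describe_subnet(HOST_IP, NETMASK, GATEWAY).items():
        print(f"{key:18} {value}")
```

Run it as-is for the first example; for the Windows example call `describe_subnet("172.26.248.154", "255.255.255.128", "172.26.248.129")`, which reports a /25 with 126 usable hosts, network 172.26.248.128 and broadcast 172.26.248.255.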
Notice also that we can see MAC addresses, and other interesting traffic such as the gateway's ARP replies, with the -e switch to tcpdump:
[root@CMHLDORLGRD01 ~]# tcpdump -e -i eth0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:22:46.309521 00:1c:73:00:00:99 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp reply 172.26.24.1 is-at 00:1c:73:00:00:99 (oui Unknown)
13:22:46.309849 00:50:56:a9:62:eb (oui Unknown) > 00:1c:73:00:00:99 (oui Unknown), ethertype IPv4 (0x0800), length 84: CMHLDORLGRD01.expdev.local.47915 > cmhwdaddc01.expdev.local.domain: 44114+ PTR? 1.24.26.172.in-addr.arpa. (42)
13:22:46.310183 00:1c:73:b5:f1:41 (oui Unknown) > 00:50:56:a9:62:eb (oui Unknown), ethertype IPv4 (0x0800), length 177: cmhwdaddc01.expdev.local.domain > CMHLDORLGRD01.expdev.local.47915: 44114 NXDomain* 0/1/0 (135)
13:22:46.310285 00:50:56:a9:62:eb (oui Unknown) > 00:1c:73:00:00:99 (oui Unknown), ethertype IPv4 (0x0800), length 84: CMHLDORLGRD01.expdev.local.37679 > cmhwdaddc01.expdev.local.domain: 24549+ PTR? 69.1.24.172.in-addr.arpa. (42)
13:22:46.310453 00:1c:73:b5:f8:01 (oui Unknown) > 00:50:56:a9:62:eb (oui Unknown), ethertype IPv4 (0x0800), length 122: cmhwdaddc01.expdev.local.domain > CMHLDORLGRD01.expdev.local.37679: 24549* 1/0/0 PTR[|domain]
13:23:01.054149 00:1c:73:00:00:99 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp reply 172.26.24.1 is-at 00:1c:73:00:00:99 (oui Unknown)
13:23:16.308558 00:1c:73:00:00:99 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp reply 172.26.24.1 is-at 00:1c:73:00:00:99 (oui Unknown)
13:23:31.053367 00:1c:73:00:00:99 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp reply 172.26.24.1 is-at 00:1c:73:00:00:99 (oui Unknown)
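Those periodic broadcast ARP replies are the gateway announcing its own MAC, and the tcpdump -e output is regular enough to parse. The following is an added example, not part of the original post, that pulls the ARP replies out of captured text, builds an IP-to-MAC table and returns the MAC(s) seen answering for the gateway. It goes one step beyond the post: `find_conflicts` flags an IP that more than one MAC claims, or a reply whose Ethernet source differs from its is-at field, which is the quickest sanity check when "can I reach the gateway" turns out to mean "am I talking to the right gateway". The sample capture is constructed from the lines shown above; the second station in `CONFLICTING_REPLY` uses a placeholder MAC and exists only to exercise the check.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `tcpdump -e` output above; the MAC and
# IP values are the ones that appear in that capture.
SAMPLE_CAPTURE = """\
13:22:46.309521 00:1c:73:00:00:99 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp reply 172.26.24.1 is-at 00:1c:73:00:00:99 (oui Unknown)
13:22:46.309849 00:50:56:a9:62:eb (oui Unknown) > 00:1c:73:00:00:99 (oui Unknown), ethertype IPv4 (0x0800), length 84: CMHLDORLGRD01.expdev.local.47915 > cmhwdaddc01.expdev.local.domain: 44114+ PTR? 1.24.26.172.in-addr.arpa. (42)
13:23:01.054149 00:1c:73:00:00:99 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp reply 172.26.24.1 is-at 00:1c:73:00:00:99 (oui Unknown)
"""

# Constructed line with a placeholder MAC, used only to exercise the conflict
# check: a second station answering for the gateway's address.
CONFLICTING_REPLY = (
    "13:23:46.000000 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast, ethertype ARP "
    "(0x0806), length 60: arp reply 172.26.24.1 is-at 00:aa:bb:cc:dd:ee (oui Unknown)\n"
)

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# tcpdump -e prints: <time> <src mac> (oui ...) > <dst>, ethertype ARP (0x0806),
# length N: arp reply <ip> is-at <mac>
ARP_REPLY = re.compile(
    rf"^(?P<ts>\S+) (?P<frame_src>{MAC}) .*?ethertype ARP \(0x0806\), length \d+: "
    rf"arp reply (?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) is-at (?P<mac>{MAC})"
)


def parse_arp_replies(capture: str) -> list:
    """Pull every ARP reply out of tcpdump -e text; other frames are skipped."""
    replies = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append(m.groupdict())
    return replies


def arp_table(capture: str) -> dict:
    """IP -> sorted list of MACs that claimed it in an ARP reply."""
    seen = defaultdict(set)
    for r in parse_arp_replies(capture):
        seen[r["ip"]].add(r["mac"])
    return {ip: sorted(macs) for ip, macs in seen.items()}


def gateway_macs(capture: str, gateway_ip: str) -> list:
    """MAC(s) the gateway IP was seen answering with; normally exactly one."""
    return arp_table(capture).get(gateway_ip, [])


def find_conflicts(capture: str) -> dict:
    """IPs claimed by more than one MAC, plus replies whose Ethernet source
    differs from their is-at field. Either deserves a look on a live segment."""
    conflicts = {ip: macs for ip, macs in arp_table(capture).items() if len(macs) > 1}
    for r in parse_arp_replies(capture):
        if r["frame_src"] != r["mac"]:
            conflicts.setdefault(r["ip"], []).append(
                f"{r['mac']} (frame from {r['frame_src']})"
            )
    return conflicts


if __name__ == "__main__":
    print("gateway MAC(s):", gateway_macs(SAMPLE_CAPTURE, "172.26.24.1"))
    print("conflicts:", find_conflicts(SAMPLE_CAPTURE + CONFLICTING_REPLY))
```

To use it on a real capture, save `tcpdump -e -i eth0 arp` output to a file and pass its contents to `gateway_macs` with the gateway address from `route -n`; a single MAC that also matches what `arp -n` shows on the host is the expected result.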