mhsearch

At one point, the LAN in my office became so full that we actually ran out of IP addresses! This made it very difficult to add new machines to the network -- if anyone requested an IP address, they would be put on a waiting list and given an assignment when an IP address finally became available. But, because of the shortage, few people were ever willing to voluntarily return an IP address to the pool of unallocated addresses when a machine was decomissioned.

The network people tried to recover unused IP addresses by pinging every IP address on our network once every day, and reclaiming any addresses that were idle for more than a month. The hope was that decommissioned machine would have its IP address recycled as soon as the ping program realized that the address was idle. In response, some people tried to hold on to their IP addresses by configuring their machines to use all of them at the same time!

To combat this, I wrote mhsearch, a little Perl program that pings each host on the network and determines the IP-to-MAC address mapping by looking at the kernel's ARP cache. It reports any MAC address responding to more than a single IP address, as shown in this sample run:

CAMB:/home/jelson(441) ./mhsearch.pl 128.231.128.0/23
Scanning IP network 128.231.128.0, mask len 23 (510 hosts + 1 broadcast address)
pinging up through 128.231.128.20...
pinging up through 128.231.128.40...
pinging up through 128.231.128.60...
pinging up through 128.231.128.80...
[...]
pinging up through 128.231.129.244...
pinging broadcast address...
Duplicates found:
00:80:5f:50:1a:83 is using dcrtcsbdev, livewire-dev
08:00:20:1a:f7:66 is using sunny, nsb
08:00:20:8c:f3:e3 is using sundavid, nextdavid, xray, ultra, fly

The Manual Page

NAME

mhsearch -- search for multihomed hosts

AUTHOR

Jeremy Elson, 16 December 1997
Version 0.2

SYNOPSIS

mhsearch network.number/mask-length

EXAMPLES

mhsearch 128.231.128.0/23

(searches 128.231.128.1 through 128.231.129.255)

mhsearch 128.220.13.0/24

(searches 128.220.13.1 through 128.220.13.255)

DESCRIPTION

This program scans a datalink network to see if there are any devices that are simultaneously using more than one IP address (i.e., a multihomed host). It does so by systematically pinging every address on a network specified on the command-line, including the broadcast address. This causes an ARP request to be generated for each host, which should respond with an ARP reply. mhsearch then uses the kernel's ARP cache to check for multiple IP addresses that map to the same MAC address.

Note, this program does *not* scan for IP address collisions (i.e., a single IP address being used by more than one host). It does the opposite: scan for a single host using more than one IP address.

KNOWN BUGS

Multihomed hosts may be reported that are outside of the network specified on the command line. This is because any multihomed host found in the kernel's ARP cache will be reported, even if those entries were not added to the ARP cache as a result of mhsearch's operation.

mhsearch does not verify that the given network number and subnet mask length are valid.

There is no guarantee that hosts will remain in the ARP cache in between the time when they are pinged and when the ARP cache is checked. If there is a lot of network activity on the machine during mhsearch's operation, some ARP mappings may be lost.

NOTES

This program has strong dependencies on the arguments and location of the "ping" program, and on the exact form of the output of the "arp -a" command. mhsearch was developed under Solaris 2.5.1 and will not run under OS's whose ping arguments or "arp -a" output differs from Solaris'.

Of course, mhsearch can only find multihomed hosts on a locally connected datalink network. It cannot scan networks through a router.

Back to my software page
Back to my home page