Let's assume you must work in a network but nobody told you its IP address range. Passive sniffing alone reveals a lot: any frame on the wire carries a local host's address, and the MAC that keeps showing up in front of external addresses is almost certainly the gateway.
# tcpdump -nnei eth1
13:46:05.577596 00:1a:73:3f:7a:9d > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.194.33387 > 80.58.32.97.53: 5597+ A? www.google.com. (32)
13:46:05.676650 00:03:6f:e1:5b:21 > 00:1a:73:3f:7a:9d, ethertype IPv4 (0x0800), length 142: 80.58.32.97.53 > 192.168.0.194.33387: 5597 4/0/0 ...
In this example, 192.168.0.194 is a host in the network, and 00:03:6f:e1:5b:21 is the MAC address of the gateway (it is the layer-2 destination of a packet addressed to the outside world). We don't know the IP address of the gateway yet; finding it would probably require waiting for an ARP packet, guessing it, or an active scan.
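The inference just described can be automated. The following is an added example, not part of the original page: it parses `tcpdump -nne` lines, treats the MAC that carries non-private addresses as the gateway, collects the private addresses seen behind the other MACs as local hosts, and reports the smallest prefix that still contains all of them (a lower bound on the real range). The capture is constructed: the two frames from the text plus a hypothetical third host.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One `tcpdump -nne` IPv4 line:
# "src_mac > dst_mac, ethertype IPv4 (0x0800), length N: src_ip.port > dst_ip.port: ..."
LINE_RE = re.compile(
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype IPv4 .*?: (?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.\d+"
)

# Constructed sample capture: the two frames from the text plus a hypothetical second local host.
SAMPLE = """\
13:46:05.577596 00:1a:73:3f:7a:9d > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.194.33387 > 80.58.32.97.53: 5597+ A? www.google.com. (32)
13:46:05.676650 00:03:6f:e1:5b:21 > 00:1a:73:3f:7a:9d, ethertype IPv4 (0x0800), length 142: 80.58.32.97.53 > 192.168.0.194.33387: 5597 4/0/0 A 64.233.183.99
13:46:07.102311 00:0c:29:4a:11:02 > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.37.51020 > 93.184.216.34.443: Flags [S], seq 1, win 64240
"""

def mac_to_ips(lines):
    """Map each MAC seen on the wire to the IPv4 addresses it carried as source or destination."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m["smac"]].add(m["sip"])
            seen[m["dmac"]].add(m["dip"])
    return seen

def smallest_common_network(ips):
    """Longest prefix that still contains every observed local address (a lower bound on the subnet)."""
    addrs = sorted(ip_address(i) for i in ips)
    prefix = 32
    net = ip_network(f"{addrs[0]}/{prefix}")
    while not all(a in net for a in addrs):
        prefix -= 1
        net = ip_network(f"{addrs[0]}/{prefix}", strict=False)
    return net

def infer_topology(lines):
    """The MAC carrying any public address answers for the outside world, so it is the gateway;
    its own IP never appears in these frames. Every other MAC is a local host with its own address(es)."""
    hosts, gateway = {}, None
    for mac, ips in mac_to_ips(lines).items():
        if any(not ip_address(ip).is_private for ip in ips):
            gateway = mac
        else:
            hosts[mac] = sorted(ips)
    local = [ip for ips in hosts.values() for ip in ips]
    return {"gateway_mac": gateway, "hosts": hosts,
            "range": str(smallest_common_network(local)) if local else None}

if __name__ == "__main__":
    print(infer_topology(SAMPLE.splitlines()))
```

With only two local hosts the reported range is what the observed addresses force (here 192.168.0.0/24); more traffic can only widen it, never narrow it.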
# dhd
Sniffing on any
Injecting on eth1 (00:0b:16:a1:b2:c3)
#0: SERVER-MAC: 00:03:6f:e1:5b:21 IP: 192.168.0.1 CLIENT-MAC: 00:0b:16:a1:b2:c3 IP: 192.168.0.195 MASK: 255.255.255.0 GW: 192.168.0.1 DNS: 192.168.0.1
>> "0 "0 "0 "0
In this example, the DHCP exchange gives the answer directly: 192.168.0.1, with MAC address 00:03:6f:e1:5b:21, is the gateway, and the offered mask 255.255.255.0 tells us the range is 192.168.0.0/24.
# netdiscover -i eth1
Currently scanning: 192.168.1.0/16 | Our Mac is: 00:0b:16:a1:b2:c3

2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
_____________________________________________________________________________
  IP            At MAC Address      Count  Len   MAC Vendor
-----------------------------------------------------------------------------
192.168.0.1     00:03:6f:e1:5b:21   01     042   Telsey SPA
192.168.0.194   00:1a:73:3f:7a:9d   01     060   Unknown vendor
In this example, ARP traffic shows two hosts, of which 192.168.0.1, with MAC address 00:03:6f:e1:5b:21, appears to be the gateway: it is the same MAC that the tcpdump capture showed in front of the external addresses.