Using Go to develop an intranet active host sniffer

Source: Internet
Author: User
The information in this article may have evolved or changed.

## Article Keywords

* go/golang
* gopacket
* packet capture
* pcap/libpcap
* arp
* nbns
* mdns
* manuf

## Program

![Image.png](http://upload-images.jianshu.io/upload_images/6285600-cec041b47b5f7b1f.png?imageMogr2/auto-orient/strip%7cimageview2/2/w/1240)

## Explanation

This article does not say much about the Go language itself; I want to spend more time explaining a few network protocols. I hope it helps readers who intend to use, or are already using, Go for TCP/IP programming and packet capture. GitHub address: [https://github.com/timest/goscan](https://github.com/timest/goscan)

## Program Ideas

* Compute the intranet IP range from the intranet IP and subnet mask
* Broadcast ARP requests to the intranet
* Listen for and capture the ARP response packets, recording IP and MAC addresses
* Send mDNS and NBNS packets to the active IPs, then listen for and parse the hostnames
* Look up manufacturer information based on the MAC address

## Computing the intranet IP range from the intranet IP and subnet mask

If you only know an IP address, you cannot tell which network segment the intranet uses, and you cannot simply vary the last byte of the IP from 1 to 255. You need the subnet mask to calculate the intranet's network segment. This part is relatively simple, so I will not go into it here; if in doubt, search online for "subnet mask" for more information. It is worth mentioning that the last field of an IP address is not 0 or 255: the former is excluded by the RFC, and the latter is generally the broadcast address.

```go
package main

import (
	"fmt"
	"log"
	"net"
)

func main() {
	// Single-NIC mode: use the first non-loopback interface with an IPv4 address.
	ifaces, err := net.Interfaces()
	if err != nil {
		log.Fatal("Unable to get local network information:", err)
	}
	for _, it := range ifaces {
		addrs, err := it.Addrs()
		if err != nil {
			continue
		}
		for _, a := range addrs {
			// The MAC address is read from the interface that owns the address.
			if ip, ok := a.(*net.IPNet); ok && !ip.IP.IsLoopback() && ip.IP.To4() != nil {
				fmt.Println("IP:", ip.IP)
				fmt.Println("Subnet Mask:", ip.Mask)
				fmt.Println("MAC address:", it.HardwareAddr)
				return
			}
		}
	}
}
```

From the `*net.IPNet` obtained above, the IP range can be calculated:

```go
import (
	"log"
	"math"
	"net"
)

type IP uint32

// String renders the uint32 form as a dotted quad so that %s prints an address.
func (ip IP) String() string {
	return net.IPv4(byte(ip>>24), byte(ip>>16), byte(ip>>8), byte(ip)).String()
}

// Table derives the intranet IP range from the local IP and subnet mask.
func Table(ipNet *net.IPNet) []IP {
	ip := ipNet.IP.To4()
	log.Println("Local IP:", ip)
	var min, max IP
	var data []IP
	// Network address: local IP AND subnet mask, packed into a uint32.
	for i := 0; i < 4; i++ {
		b := IP(ip[i] & ipNet.Mask[i])
		min += b << ((3 - uint(i)) * 8)
	}
	one, _ := ipNet.Mask.Size()
	// Highest address: network address with all host bits set.
	max = min | IP(math.Pow(2, float64(32-one))-1)
	log.Printf("Intranet IP range: %s --- %s", min, max)
	// max is the broadcast address, so it is skipped.
	// i & 0x000000ff == 0 means the last octet is 0; skipped per the RFC.
	for i := min; i < max; i++ {
		if i&0x000000ff == 0 {
			continue
		}
		data = append(data, i)
	}
	return data
}
```

### Broadcasting ARP requests to the intranet

> ARP (Address Resolution Protocol) is a TCP/IP protocol that obtains a physical address based on an IP address. When a host sends a message, it broadcasts an ARP request containing the destination IP address to all hosts on the network, and receives the return message to determine the physical address of the target.
>
> -- Baidu Encyclopedia

When we want to send IP data to another host on the Ethernet, the local host uses the destination host's IP address to look up the corresponding Ethernet address in the **ARP cache**; the ARP cache is a mapping, maintained by the host, from IP address to corresponding Ethernet address. If the lookup fails, ARP broadcasts a message asking for the destination host's hardware address (OP field 1) and waits for the target host to respond.

Because ARP cache entries are time-sensitive, it is best to send an ICMP packet to verify that the target is online after reading the destination host's hardware address from the cache. Of course, you can choose not to read from the cache at all and instead send ARP packets directly, waiting for the online hosts to respond with ARP messages.
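The ARP request (OP field 1) and the reply it triggers, laid out byte by byte using only the Go standard library. This is an added example, not code from goscan; the function names and the sample MAC and IP addresses are constructed for illustration, and nothing is sent on the wire.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// arpFrame builds a 42-byte Ethernet + ARP frame; op 1 = request, op 2 = reply.
func arpFrame(op uint16, ethDst, sMAC net.HardwareAddr, sIP net.IP, tMAC net.HardwareAddr, tIP net.IP) []byte {
	f := make([]byte, 42)
	copy(f[0:6], ethDst)                       // Ethernet destination
	copy(f[6:12], sMAC)                        // Ethernet source
	binary.BigEndian.PutUint16(f[12:], 0x0806) // EtherType: ARP
	binary.BigEndian.PutUint16(f[14:], 1)      // hardware type: Ethernet
	binary.BigEndian.PutUint16(f[16:], 0x0800) // protocol type: IPv4
	f[18], f[19] = 6, 4                        // MAC and IPv4 address lengths
	binary.BigEndian.PutUint16(f[20:], op)     // OP field
	copy(f[22:28], sMAC)                       // sender hardware address
	copy(f[28:32], sIP.To4())                  // sender protocol address
	copy(f[32:38], tMAC)                       // target hardware address (all zero in a request)
	copy(f[38:42], tIP.To4())                  // target protocol address
	return f
}

// BuildRequest returns the broadcast "who has tIP?" frame (OP field 1).
func BuildRequest(sMAC net.HardwareAddr, sIP, tIP net.IP) []byte {
	bcast := net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
	return arpFrame(1, bcast, sMAC, sIP, make(net.HardwareAddr, 6), tIP)
}

// ParseReply extracts the sender IP and MAC from an ARP reply (OP field 2),
// rejecting short frames and anything that is not IPv4 over Ethernet.
func ParseReply(f []byte) (net.IP, net.HardwareAddr, bool) {
	be := binary.BigEndian
	if len(f) < 42 || be.Uint16(f[12:]) != 0x0806 || be.Uint16(f[14:]) != 1 ||
		be.Uint16(f[16:]) != 0x0800 || f[18] != 6 || f[19] != 4 || be.Uint16(f[20:]) != 2 {
		return nil, nil, false
	}
	return net.IP(f[28:32]), net.HardwareAddr(f[22:28]), true
}

func main() {
	me, _ := net.ParseMAC("02:00:00:00:00:01") // constructed sample addresses
	peer, _ := net.ParseMAC("02:00:00:00:00:02")
	myIP, peerIP := net.IPv4(192, 168, 1, 10), net.IPv4(192, 168, 1, 20)
	fmt.Printf("request: % x\n", BuildRequest(me, myIP, peerIP))
	fmt.Println(ParseReply(arpFrame(2, me, peer, peerIP, me, myIP)))
}
```

The sender fields of each reply are what a listener records as the IP-to-MAC pair for an online host.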
Original address: [https://github.com/timest/goscan/issues/1](https://github.com/timest/goscan/issues/1)
