lan status

RedLars

Hi,

In a project that I'm involved with we're looking for an algorithm for
discovering and maintaining a record of all computers 'alive' on a LAN
(Ethernet and TCP/IP). Obviously we'd like the status to be as
up-to-date as possible but without generating too much traffic on the
network. So far I've come up with two general solutions but don't know
if they would even work in a practical situation:

#1 - A background thread of some kind running a loop trying to ping all
hosts on the LAN.
#2 - A background thread listening to the LAN and registering all
PCs sending messages.

The first suggestion would surely generate a bit of traffic on the
LAN and would also probably be sort of slow (not up-to-date). The
second solution would not increase the traffic on the LAN but I'm
unsure how demanding such a task would be on the computer and how
complex it would be to implement it in C# using .NET 2.0.
Additionally, would the second solution even work? I mean, do all PCs
on a network broadcast messages periodically?

Appreciate any input on solution or API.

Cheers
 
james

Redlars,

I would try the ping solution first because it's intuitive and can be
written in a day. There won't be any congestion if your subnet is
small (192.168.1.XXX only has 255 or so addresses). Just be aware
that some computers may not respond to pings (e.g., the firewall
ignores pings), and you have to handle packet loss.

Networks become very complicated when you get down to the sniffing
level, and implementing that solution might take a lot longer than you
expect.

Good Luck,
James
 
JamesB

james said:
> Redlars,
>
> I would try the ping solution first because it's intuitive and can be
> written in a day. There won't be any congestion if your subnet is
> small (192.168.1.XXX only has 255 or so addresses). Just be aware
> that some computers may not respond to pings (e.g., the firewall
> ignores pings), and you have to handle packet loss.
>
> Networks become very complicated when you get down to the sniffing
> level, and implementing that solution might take a lot longer than you
> expect.

I'd go that way too, bearing in mind the firewall warning.

Picking up traffic if the network uses a switch as opposed to a hub can be a
bit hit or miss, as traffic is generally just routed to the destination. You
might also want to look at WinPcap - a lot of "sniffer" programs use this
and interface to it, saving some of the hard work. I've never done this or
tried it, but it's something to bear in mind (no use re-inventing the wheel
if your requirement is simple enough)
James2.
 
Guest

I tried doing something like this before. What I found worked was creating a
small app for each of the computers you wish to record. Then, on the server,
send a small UDP packet out to the broadcast address of the network; all the
small apps would be listening for it and respond, telling it they're still there.
Hope this helps.
 
Chris Shepherd

RedLars said:
> Hi,
>
> In a project that I'm involved with we're looking for an algorithm for
> discovering and maintaining a record of all computers 'alive' on a LAN
> (Ethernet and TCP/IP). Obviously we'd like the status to be as
> up-to-date as possible but without generating too much traffic on the
> network. So far I've come up with two general solutions but don't know
> if they would even work in a practical situation:

Some questions:

1) Does your LAN use Hubs or does it use Switches?
2) Are there any routers routing traffic from one segment of the network
to another?
3) Is TCP/IP actually a requirement?
4) What's the high level purpose here?

Pinging all hosts on a lan could prove very time consuming, and won't
yield results necessarily for all the PCs alive on the LAN. Pinging the
broadcast address is equally useless since by default Windows boxes
don't respond to broadcast pings. If your LAN is switched, attempting to
observe the traffic at the TCP/IP level is probably futile. An Ethernet
ARP WHO-HAS scan in the background on your subnet would possibly yield
results, but that's below the TCP/IP layer, and will not always work if
there are routed portions of your subnet (because the router will answer
the queries on behalf of hosts behind it with its own MAC).

It sounds like you're really looking for something that logs/ties into
your switches/routers (hardware in the best position to know about the
hosts connected to it) and reports on hosts found, but without knowing
more about the intent here I can't really offer any further advice.

Chris.
 
RedLars

Thanks for the excellent replies.

The solution would be used on multiple sites and I believe they all
use switches to route the network traffic.

No routers are used, everything is located on one segment (i.e.
162.24.10.1 to 162.24.10.255 - subnet mask 255.255.255.0)

TCP / IP is the protocol being used by the existing applications. I
suppose the solution to this problem could use (or listen to) any
protocol it seems necessary as long as it doesn't generate too much
traffic (i.e. interfere with current traffic).

The purpose of this project is to get an overview of modules
(computers) on the network, query each module (use WebServer) for
certain information, process the information and based on the outcome
of the calculation present various options to the user. It's sort of a
TopologyManager that shows all modules (computers) in a tree-view and
gives the user information and opportunities to execute tasks. At the
moment we manually insert the IPs used but would like to automate
this process (using a background thread).

Appreciate the help.
 
Chris Shepherd

RedLars said:
> Thanks for the excellent replies.
>
> The solution would be used on multiple sites and I believe they all
> use switches to route the network traffic.
>
> No routers are used, everything is located on one segment (i.e.
> 162.24.10.1 to 162.24.10.255 - subnet mask 255.255.255.0)
>
> TCP / IP is the protocol being used by the existing applications. I
> suppose the solution to this problem could use (or listen to) any
> protocol it seems necessary as long as it doesn't generate too much
> traffic (i.e. interfere with current traffic).
>
> The purpose of this project is to get an overview of modules
> (computers) on the network, query each module (use WebServer) for
> certain information, process the information and based on the outcome
> of the calculation present various options to the user. It's sort of a
> TopologyManager that shows all modules (computers) in a tree-view and
> gives the user information and opportunities to execute tasks. At the
> moment we manually insert the IPs used but would like to automate
> this process (using a background thread).
>
> Appreciate the help.

So if I understand you clearly, your modules are all running a common
service (HTTP)? If so, it would seem to me a simple matter of
enumerating the list of PCs by connecting with an HTTPRequest and
requesting some specific page that the modules themselves can provide
more than just IP information on if necessary. If the request fails,
obviously the host isn't available. I'm unclear on whether or not you're
talking just straight Windows boxes, or some specialty OS for say, math
calculations, but it could also be possible that you want a
challenge/response type so you can ensure that the boxes you're
connecting to really are the kinds of boxes you're looking for.

Also, something to consider is that PINGs and the like will not really
break much on a network, as data-wise they are very small.

If they are all on one switched LAN using interlinking switches then
it's entirely feasible to use the ARP query approach as an alternative
to the above, but consider that it doesn't scale too well.

Chris.
 
RedLars

Thanks for your answer Chris.

> So if I understand you clearly, your modules are all running a common
> service (HTTP)?

You are correct that all the computers will be running a standard web
server.

> If so, it would seem to me a simple matter of
> enumerating the list of PCs by connecting with an HTTPRequest and
> requesting some specific page that the modules themselves can provide
> more than just IP information on if necessary. If the request fails,
> obviously the host isn't available.

This bit was a bit unclear to me. Wouldn't this be a higher level of
pinging the computer?
Seems like a slow (-ish) way of discovering if a computer is present
or not. There could be anything from 100+
computers present to 1-2 with unknown distribution of addresses (i.e.
addresses are not necessarily in sequence).

> I'm unclear on whether or not you're
> talking just straight Windows boxes, or some specialty OS for say, math
> calculations, but it could also be possible that you want a
> challenge/response type so you can ensure that the boxes you're
> connecting to really are the kinds of boxes you're looking for.
>
> Also, something to consider is that PINGs and the like will not really
> break much on a network, as data-wise they are very small.

That's a good point. But I would need to ping the complete range of the
subnet (i.e. 162.24.10.1 to 162.24.10.255) which would
be a slow process.

> If they are all on one switched LAN using interlinking switches then
> it's entirely feasible to use the ARP query approach as an alternative
> to the above, but consider that it doesn't scale too well.

My knowledge of ARP is limited, thought it was an IP to MAC conversion
protocol. How could ARP be used to solve this problem?
Would it be possible to broadcast a 'who-is-here' message which all
hosts would reply to?

> Chris.

Again, thanks for taking the time to help out.
 
Chris Shepherd

RedLars wrote:
[...]
> This bit was a bit unclear to me. Wouldn't this be a higher level of
> pinging the computer?
> Seems like a slow (-ish) way of discovering if a computer is present
> or not. There could be anything from 100+
> computers present to 1-2 with unknown distribution of addresses (i.e.
> addresses are not necessarily in sequence).

Yes, it's effectively similar to portscanning TCP/80 for the entire
subnet. The trick here is that you could also do the challenge/response
thing this way in a single step.

> My knowledge of ARP is limited, thought it was an IP to MAC conversion
> protocol. How could ARP be used to solve this problem?
> Would it be possible to broadcast a 'who-is-here' message which all
> hosts would reply to?

Yes, ARP is just the translation from ethernet hardware address (MAC) to
IP address. It can be used similarly to "pinging" each host, however you
can verify that the hosts are unique, and it uses a non-routable protocol.

The quickest way to do this would be to ping the broadcast address
(162.24.10.255 on the 162.24.10.0/24 network) and have all the hosts
configured to respond to broadcast pings.

One other possibility however, would be to use DHCP on all of the
clients, and set up a facility to query the DHCP server about its leases.

Really what it seems like is you're looking for a clustering Heartbeat
(google linux HA heartbeat) style solution that will at least allow you
to know whether a machine is up. While that kind of solution may be
beyond your needs, it will certainly facilitate you with the concepts
involved in keeping the list of currently available clients alive.
In line with that, and just tossing out a final idea: If you have access
to the computers present on that network, and are running/can run your
own software on them, why not simply make an application that broadcasts
that it's alive at some preset interval to a central "handler", which
would then maintain a list of who said they're active and when?

If I sort of moved out of the practical implementation stage up to the
idea stage, I apologize, but without some kind of central body that all
of these computers talk to (router, DHCP server, etc.) I don't see a
really good way to do it other than enumerate all of the IPs in the subnet.

Chris.
 
RedLars

> RedLars wrote:
>
> [...]
> > This bit was a bit unclear to me. Wouldn't this be a higher level of
> > pinging the computer?
> > Seems like a slow (-ish) way of discovering if a computer is present
> > or not. There could be anything from 100+
> > computers present to 1-2 with unknown distribution of addresses (i.e.
> > addresses are not necessarily in sequence).
>
> Yes, it's effectively similar to portscanning TCP/80 for the entire
> subnet. The trick here is that you could also do the challenge/response
> thing this way in a single step.
>
> > My knowledge of ARP is limited, thought it was an IP to MAC conversion
> > protocol. How could ARP be used to solve this problem?
> > Would it be possible to broadcast a 'who-is-here' message which all
> > hosts would reply to?
>
> Yes, ARP is just the translation from ethernet hardware address (MAC) to
> IP address. It can be used similarly to "pinging" each host, however you
> can verify that the hosts are unique, and it uses a non-routable protocol.
>
> The quickest way to do this would be to ping the broadcast address
> (162.24.10.255 on the 162.24.10.0/24 network) and have all the hosts
> configured to respond to broadcast pings.
>
> One other possibility however, would be to use DHCP on all of the
> clients, and set up a facility to query the DHCP server about its leases.
>
> Really what it seems like is you're looking for a clustering Heartbeat
> (google linux HA heartbeat) style solution that will at least allow you
> to know whether a machine is up. While that kind of solution may be
> beyond your needs, it will certainly facilitate you with the concepts
> involved in keeping the list of currently available clients alive.
> In line with that, and just tossing out a final idea: If you have access
> to the computers present on that network, and are running/can run your
> own software on them, why not simply make an application that broadcasts
> that it's alive at some preset interval to a central "handler", which
> would then maintain a list of who said they're active and when?
>
> If I sort of moved out of the practical implementation stage up to the
> idea stage, I apologize, but without some kind of central body that all
> of these computers talk to (router, DHCP server, etc.) I don't see a
> really good way to do it other than enumerate all of the IPs in the subnet.
>
> Chris.

Thanks for yet another good reply.

Unfortunately we are talking about an existing network with existing
configuration so it's not possible to change the hardware layout. It
also means it's not possible to add DHCP at this point.

Adding functionality of broadcast alive message from (one of) our
current applications is of course an option but it adds a dependency
to our application which is something we are trying to limit.

Btw, how do you 'configured to respond to broadcast pings' on a
Windows XP computer?
 
Chris Shepherd

RedLars wrote:
[...]
> Thanks for yet another good reply.
>
> Unfortunately we are talking about an existing network with existing
> configuration so it's not possible to change the hardware layout. It
> also means it's not possible to add DHCP at this point.

Understandable. It sucks when you're constrained like that, but there
are workarounds.

> Btw, how do you 'configured to respond to broadcast pings' on a
> Windows XP computer?

I read up on this looking for a good article, because I was under the
belief that it would be possible to change a registry entry to allow it
to respond, however the only things I can find relate to UDP/TCP
multicast/broadcast, not ICMP echo-request broadcasts. It appears that
Microsoft's ICMP implementation lacks support for responding to
broadcast requests. Keep in mind, that's just an appearance based on
some quick looking -- there may be a way, I just didn't find it.

> Adding functionality of broadcast alive message from (one of) our
> current applications is of course an option but it adds a dependency
> to our application which is something we are trying to limit.

On the one hand, I see what you're saying about adding a dependency when
this sort of thing really should be left up to the OS.

On the other hand, using the network services to look up hosts on the
LAN will pick up things like networked printers, routers, etc., that may
not be what you're looking for (from the looks of things).

You could write a very trivial simple service to install on the PCs and
have it just send a null UDP packet to the broadcast address at some
interval, and have your listener watch for them.

One other avenue to look down, which I am utterly unfamiliar with, is
the possibility of querying your Domain Controller for its list of PCs.
It may already have that, and there must be a way to grab a list of all
the PCs that have been active on the domain in the last X -- or at least
a list of all PCs by name, which would be a refined list you could look
at. Someone more familiar with core Windows API stuff could probably
answer to that.

Beyond that I think you're stuck trying to connect to each PC on the LAN
and waiting for timeouts, etc... If you go this route, the one issue to
watch for when using ICMP/echo-request (ping) to see if the hosts are
alive is that if they have their XP firewalls turned on, they won't
respond in their default configuration. That is of course mitigated by
Domain policy control.

Chris.
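
An added example, not part of any post in the thread: the handler side of the broadcast-heartbeat idea, keeping the "who said they're active and when" list and expiring hosts that go quiet. It goes beyond the thread's null UDP packet by putting a keyed HMAC tag and timestamp in each heartbeat so that printers, routers or other senders without the shared secret are not listed; the class name, wire format, key and timings are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example. Wire format (constructed): "hostId|utcTicks|hexHmacSha256"; hostId must not contain '|'.
class LivenessRegistry
{
    readonly byte[] key;                // shared secret installed on every module (assumption)
    readonly TimeSpan maxSkew, expiry;  // allowed clock difference; silence after which a host is dropped
    readonly Dictionary<string, DateTime> lastSeen = new Dictionary<string, DateTime>();
    public LivenessRegistry(byte[] k, TimeSpan skew, TimeSpan exp) { key = k; maxSkew = skew; expiry = exp; }
    static string Tag(byte[] key, string body)
    {
        using (HMACSHA256 h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }
    // What the small service on each module would broadcast at its preset interval.
    public static string MakeHeartbeat(byte[] key, string hostId, DateTime utcNow)
    {
        string body = hostId + "|" + utcNow.Ticks;
        return body + "|" + Tag(key, body);
    }
    // Handler side: call for each datagram received (for instance from UdpClient.Receive).
    public bool Record(string datagram, DateTime utcNow)
    {
        string[] p = datagram.Split('|');
        long ticks;
        if (p.Length != 3 || !long.TryParse(p[1], out ticks)) return false;
        string want = Tag(key, p[0] + "|" + p[1]);
        int diff = want.Length ^ p[2].Length;       // compare the whole tag, no early exit
        for (int i = 0; i < want.Length && i < p[2].Length; i++) diff |= want[i] ^ p[2][i];
        if (diff != 0) return false;                // sender does not hold the shared key
        if ((utcNow - new DateTime(ticks, DateTimeKind.Utc)).Duration() > maxSkew) return false; // stale
        lastSeen[p[0]] = utcNow;
        return true;
    }
    // Hosts with a valid heartbeat inside the expiry window.
    public List<string> Alive(DateTime utcNow)
    {
        List<string> alive = new List<string>();
        foreach (KeyValuePair<string, DateTime> e in lastSeen)
            if (utcNow - e.Value <= expiry) alive.Add(e.Key);
        return alive;
    }
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key");
        LivenessRegistry reg = new LivenessRegistry(key, TimeSpan.FromSeconds(30), TimeSpan.FromSeconds(90));
        DateTime t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        string good = MakeHeartbeat(key, "module-a", t0);
        string forged = MakeHeartbeat(Encoding.UTF8.GetBytes("other-key"), "printer", t0);
        Console.WriteLine("fresh={0} forged={1} replayedLater={2}", reg.Record(good, t0.AddSeconds(1)),
            reg.Record(forged, t0.AddSeconds(1)), reg.Record(good, t0.AddMinutes(5)));
        Console.WriteLine("alive@60s={0} alive@120s={1}", reg.Alive(t0.AddSeconds(60)).Count, reg.Alive(t0.AddSeconds(120)).Count);
    }
}
```

A datagram replayed inside the skew window is still accepted, so the timestamp check bounds replay rather than removing it; rejecting any heartbeat whose timestamp is not newer than the last one accepted for that host would tighten this.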
 
