locked
How can I send a raw IP Packet? Two week search and effort has revealed no answer! :-(

    Question

  • I am attempting to programmatically determine if a specific device is attached to my LAN so I can take actions depending on whether it is On or Off.

    Since the LAN uses DHCP for address assignment, there is no guarantee what the IP address will be, thus (using a reverse lookup routine I created) I check the arp cache to see if the device is there.  If it is then I open a socket to communicate with it.

    But if there is no arp cache entry then I know that the device is either turned off, or an arp cache timeout has occurred for the device.  If a timeout has cleared the entry, then I'd like to try to determine that, so I can use the device, by sending a general ARP "WHO HAS" Broadcast and see if I get an answer.

    ARP BROADCAST I

    Since I only have its MAC address I want to send an ARP "Who has" broadcast to force a cache refresh, then delay 30 seconds and try the arp lookup again. 

    So.  Long story short, I have two issues . . .

    1) The construction of the ARP packet uses the last two fields as Target MAC and Target IP.  The broadcasts I have trapped all have the IP field filled in and the MAC field with all 00 bytes. I am hoping I can turn that around and use 00 bytes for the IP and the MAC for the lost target.  If that is not possible, then there is no need to answer question 2, unless there is a way to do it not discussed in this question.

    2) How can I send a pure raw packet [VB .Net 4.5]?  This (I believe) is the complete message I need to send . . .

    ff ff ff ff ff ff f4 6d 04 ef e1 06 08 06 00 01 08 00 00 01 f4 6d 04 ef e1 06 c0 a8 01 5a 88 53 95 86 a0 1f 00 00 00 00

    I have not been able to find a method to send that packet. Specifically what VB code is required to define,open, and use the socketsend?

    Much thanks.  The answer to this will make my day.  Been at it for two weeks and dozens of forums, without an answer.

    :-(



    Ken Burkhalter

    Tuesday, July 02, 2013 8:19 PM

Answers

  • WOW!

    Amazing and informative thread, but I understand Reed's concerns.  Didn't realize I was opening such a can of worms when I posted the question.  Mea culpa.  Sorry 'bout that.

    I thought I was just stumped by what should have been a simple task.  At least I've learned that I was stumped for good reasons!!! :-)

    After all this, I threw in the towel and decided to write to file the last known good IP address for the iPhone, and use that to ping the device and then check the arp cache, whenever my first arp cache read attempt fails.

    Very quick, seems reliable, and easy to do.

    Thanks again all.  I consider this issue closed.


    Ken Burkhalter

    Thursday, July 04, 2013 1:06 AM

All replies

  • I am attempting to programmatically determine if a specific device is attached to my LAN so I can take actions depending on whether it is On or Off.

    Since the LAN uses DHCP for address assignment, there is no guarantee what the IP address will be, thus (using a reverse lookup routine I created) I check the arp cache to see if the device is there.  If it is then I open a socket to communicate with it.

    But if there is no arp cache entry then I know that the device is either turned off, or an arp cache timeout has occurred for the device.  If a timeout has cleared the entry, then I'd like to try to determine that, so I can use the device, by sending a general ARP "WHO HAS" Broadcast and see if I get an answer.

    ARP BROADCAST I

    Since I only have its MAC address I want to send an ARP "Who has" broadcast to force a cache refresh, then delay 30 seconds and try the arp lookup again. 

    So.  Long story short, I have two issues . . .

    1) The construction of the ARP packet uses the last two fields as Target MAC and Target IP.  The broadcasts I have trapped all have the IP field filled in and the MAC field with all 00 bytes. I am hoping I can turn that around and use 00 bytes for the IP and the MAC for the lost target.  If that is not possible, then there is no need to answer question 2, unless there is a way to do it not discussed in this question.

    2) How can I send a pure raw packet [VB .Net 4.5]?  This (I believe) is the complete message I need to send . . .

    ff ff ff ff ff ff f4 6d 04 ef e1 06 08 06 00 01 08 00 00 01 f4 6d 04 ef e1 06 c0 a8 01 5a 88 53 95 86 a0 1f 00 00 00 00

    I have not been able to find a method to send that packet. Specifically what VB code is required to define,open, and use the socketsend?

    Much thanks.  The answer to this will make my day.  Been at it for two weeks and dozens of forums, without an answer.

    :-(



    Ken Burkhalter

    I think sockets sounds like your best bet. Heres one example: http://www.nullskull.com/articles/20020323.asp

    Their is an arp command as listed here for modifying the arp table (might help better with the arp bit unless you have taken a computer networking class you can send your own custom command by opening the network equipment directly): http://technet.microsoft.com/en-us/library/cc757819(v=WS.10).aspx#BKMK_tcpip_tro_using_arp  (note: I tested this command it also works on windows 7).

    Edit: Note: some enterprise firewalls like to keep entries that are whitelisted backwards by ip address so 175.12.12.1 would be 1.12.12.175 in the firewall (not for sure but you might not have to worry about this because I am not for sure if this is still done anymore or not).


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr



    • Edited by The Thinker Wednesday, July 03, 2013 12:22 AM edit 3
    Wednesday, July 03, 2013 12:14 AM
  • Thanks Thinker -

    Your suggested solution is pretty much what I have been finding over the past weeks.  When I have tried those approaches, however, I couldn't get then to do what was needed.  Unfortunately, I don't need to send a "message" nor get a response.  All I need to transmit is a simple ARP BROADCAST to all devices, sending a "Who has" command, to elicit responses to refresh the arp cache.

    The byte string I referenced in my post is (I believe) the exact and ONLY contents of the packet, thus I need to access a pure raw message method (unless there is a .NET way of sending this plain ARP broadcast).

    All the suggested methods I've tried just construct an IP message with headers and checksums and all the rest, none of which can be a part of this BROADCAST message approach.

    I'm still seeking a message method that lets me send the exact string I have posted.   :-)


    Ken Burkhalter

    Wednesday, July 03, 2013 12:30 AM
  • Thanks Thinker -

    Your suggested solution is pretty much what I have been finding over the past weeks.  When I have tried those approaches, however, I couldn't get then to do what was needed.  Unfortunately, I don't need to send a "message" nor get a response.  All I need to transmit is a simple ARP BROADCAST to all devices, sending a "Who has" command, to elicit responses to refresh the arp cache.

    The byte string I referenced in my post is (I believe) the exact and ONLY contents of the packet, thus I need to access a pure raw message method (unless there is a .NET way of sending this plain ARP broadcast).

    All the suggested methods I've tried just construct an IP message with headers and checksums and all the rest, none of which can be a part of this BROADCAST message approach.

    I'm still seeking a message method that lets me send the exact string I have posted.   :-)


    Ken Burkhalter

    A broadcast is essentially sending the broadcast address 255.255.255.255 or if subnetted then you go off the subnetted broadcast address. In a subnet if your gateway is 192.168.1.1 and you have a subnet of 255.255.255.0 then your broadcast address is 192.168.1.255 or 192.168.1.254.  This is one form of subnetting. each dot in the subnet indicates how many numbers are changeable in the subnet. For instance, notice above I could only change the last number because their was all 255's in the other parts of the address except the last one?


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr



    • Edited by The Thinker Wednesday, July 03, 2013 1:32 AM edit 4
    Wednesday, July 03, 2013 1:30 AM
  • Maybe you could just ping everything on your LAN? Wouldn't that update everything?

    Option Strict On
    
    Imports System.Net.NetworkInformation
    
    Public Class Form1
    
        Dim PingNet As New Ping
    
        Dim TimerOnOff As Boolean = False
    
        Dim i As Integer = 0
    
        Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
            Me.CenterToScreen()
            Timer1.Interval = 50
        End Sub
    
        Private Sub Form1_FormClosing(sender As Object, e As EventArgs) Handles Me.Closing
            Try
                Timer1.Stop()
            Catch ex As Exception
            End Try
        End Sub
    
        Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            If TimerOnOff = False Then
                Timer1.Start()
                TimerOnOff = True
            ElseIf TimerOnOff = True Then
                Timer1.Stop()
                TimerOnOff = False
            End If
        End Sub
    
        Private Sub Timer1_Tick(sender As Object, e As EventArgs) Handles Timer1.Tick
            i += 1
            If i = 255 Then i = 0 : Timer1.Stop()
            Try
                Me.Text = PingNet.Send("192.168.0." & i.ToString).Status.ToString
            Catch ex As Exception
            End Try
        End Sub
    
    End Class


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8

    Wednesday, July 03, 2013 2:48 AM
  • I also found these links

    http://www.winsocketdotnetworkprogramming.com/clientserversocketnetworkcommunication8chap.html

    http://www.winsocketdotnetworkprogramming.com/clientserversocketnetworkcommunication8n.html


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8

    Wednesday, July 03, 2013 3:35 AM
  • Although from this WireShark link http://wiki.wireshark.org/RARP it sounds like instead of sending an IP packet perhaps you should be sending an Ethernet frame?

    http://www.codeproject.com/Articles/5292/Raw-Ethernet-Packet-Sending


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8

    Wednesday, July 03, 2013 3:50 AM
  • This is an extremely crude example that hopefully will get you on the right path. Note the comments

        Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
            Dim RecvBufferSize As Integer = 255 ' You will have to figure this out
            Dim SendData() As Byte = {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HF4, &H6D, &H4, &HEF, &HE1, &H6, &H8, &H6, &H0, &H1, &H8, &H0, &H0, &H1, &HF4, &H6D, &H4, &HEF, &HE1, &H6, &HC0, &HA8, &H1, &H5A, &H88, &H53, &H95, &H86, &HA0, &H1F, &H0, &H0, &H0, &H0}
            Dim RecvData(RecvBufferSize) As Byte
            Dim address As IPAddress = IPAddress.Parse("192.168.1.255")
            Dim TargetPort As Integer = 4000 ' You will have to figure this out 
    
            Dim IPEndPoint As IPEndPoint = New IPEndPoint(address, TargetPort)
    
            Dim socket = New Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Tcp) ' You will have to figure this out also
            'There are choices for AddressFamily, SocketType, and ProtocolType
    
            socket.Connect(IPEndPoint)
            socket.Send(SendData)
            socket.Receive(RecvData)
            socket.Close()
        End Sub
    

    Wednesday, July 03, 2013 4:40 AM
  • Thinker -

    The problem isn't with the "broadcast" effort it is with the other aspects of the method.  Network stream is what I am using to send messages ONCE I KNOW the IP address of the target device.

    As explained in my initial post, I DON'T know the IP address of the target.  That, in fact, is what I am trying to determine.  All I have is the target MAC  address.  I'm trying to get the IP by doing a reverse lookup from the MAC in the arp cache.  Just broadcasting to the net, or subnet, doesn't help me as I'm not trying to send a message to everyone but only to get the arp cache updated with the specific device again, after it has timed out.

    It isn't device communications, per se, I want but I want for the device to respond to a "Who has" query from a spoofed arp send. (I've no guarantee that this will work since the arp system isn't really sending the message out so it may not know what to do with a response!?, but this is the only way I have thought of to get the device IP/MAC repopulated in the arp cache)

    All of the networkstream sockets manage the IP packet header/checksum/etc) info BUT the ARP BROADCAST WHO HAS message is a different format.

    Here is more detail on what I am trying to send . . .

    ff ff ff ff ff ff|f4 6d 04 ef e1 06|08 06|00 01|08 00|00 01|f4 6d 04 ef e1 06|c0 a8 01 5a|88 53 95 86 a0 1f|00 00 00 00

     broadcast        sending adpt MAC   ARP HdwTyp Proto OpCod  sending adp MAC   sndr IP      target MAC        uknw IP        Ethnet  IP   REQ

    With "|" markers between each functional byte subset.

    Note the 3rd to 6th subsets "|08 06 | 00 01 | 08 00 | 00 01|

    These are what makes this an arp who has broadcast (which causes the targeted device to respond).  They define, in order: this as an ARP message; over ethernet; using IP protocol; and it is a REG operation.

    These are the bytes I can't find a way to manage using normal netstream methods.

    Also, this message needs to be targeted to a specific device, and remember I don't have its IP address, only its MAC.  The last two fields in the ARP REQ message are for the MAC and IP addresses respectively.  Again I am making an assumption here that either of those fields can be used.  Normally the MAC is all zeros and the IP is used.  Once I can send the raw message I'm striving to do, then I can verify if I can make the IP field zeroes with the MAC populated.  I'm hoping that will work also, but have not been able to find info verifying that, so going to just have to test to see if it works.

    Hope that clears up what I am attempting. The key, I think, is being able to send the EXACT packet contents I've shown, without any other added contents.


    Ken Burkhalter

    Wednesday, July 03, 2013 11:47 AM
  • Pinging everything on the LAn does indeed cause the arp cache to get updated, but I'd rather not clutter LAN traffic (since my intent is to create a general purpose program that can be used by others under unknown conditions).

    I'm trying to find a cleaner approach, but thanks for the idea.  Been there, tried that.  :-)


    Ken Burkhalter

    Wednesday, July 03, 2013 11:52 AM
  • MonkeyBoy -

    Much thanks.  You are trying hard, and I much appreciate your efforts.  In fact I must say that this forum is by far the most responsive of any I have been on trying to find an answer.  Y'all do a great job of being responsive.  :-)    :-)

    I had previously looked at the codeproject raw ethernet-packet-sending article, but didn't try that method as I'm concerned that its "Next Layer Protocol" field is "08 00" for IP, whereas I need "08 06" for ARP protocol.  Thus I fear it will not work.

    Also this approach requires the user installing a NDIS driver, and I'm trying to create a program that can be used by non-techy people who may have issues trying to do that.

    Keep thinking though.  You're covering much of the same ground I've already been down, but you may find a path branch that I missed, that does the trick!   :-)


    Ken Burkhalter

    Wednesday, July 03, 2013 12:09 PM
  • Devon-

    Thanks.

    I've tried this approach and couldn't get it functional because I don't know the target device IP address.  That is what I'm trying to get!

    Looking at the wireshark traces on this approach shows that the message is not sent as an ARP Next Layer Protocol.

    BUT.  That all said, your suggestion has merit and I will try a test program to see if I can take it further.  Will report back.

    Again let me state that I'm not trying to send a message here (I'm already doing that fine, once I know the target IP address).  I'm trying to transmit a ARP REQ command over the LAN to cause a MAC address identified device to respond to the ARP.


    Ken Burkhalter


    • Edited by theGadgetGuy Wednesday, July 03, 2013 12:19 PM add additional content
    Wednesday, July 03, 2013 12:15 PM
  • Ken,

    The Internet World has changed since 1998.

    There are many spying and they take all kind of approaches. Also there are many who want to harm others.

    As spying is almost legalised and we can wait hacking is too, there has to be done things to prevent that. It has lead that many ways of using Internet are protected by virus scanners and firewalls.

    Don't think that a high level program languages (means not direct connected to the bios) like VB can do what you want. Even if you succeed you are in fact only calling low level API's.

    So if you want this find the API's not try it direct with VB especially not with framework 4.5.

     


    Success
    Cor

    Wednesday, July 03, 2013 12:30 PM
  • What you need on your LAN is a DNS server that is integrated with the DHCP server.  Then you can reference a device by name instead of address.


    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Wednesday, July 03, 2013 12:55 PM
  • Devon-

    Thanks.

    I've tried this approach and couldn't get it functional because I don't know the target device IP address.  That is what I'm trying to get!

    Looking at the wireshark traces on this approach shows that the message is not sent as an ARP Next Layer Protocol.

    BUT.  That all said, your suggestion has merit and I will try a test program to see if I can take it further.  Will report back.

    Again let me state that I'm not trying to send a message here (I'm already doing that fine, once I know the target IP address).  I'm trying to transmit a ARP REQ command over the LAN to cause a MAC address identified device to respond to the ARP.


    Ken Burkhalter


    It looks like you will have to go into unmanaged code which is what I was starting to become afraid of like cor said. You could also try and get the arp command line utility to perform your task. Iam afraid though that the arp protocol request is kernel level and cannot be called directly from vb.net (some operations do require a kernel level component to perform this is done on purpose by microsoft). The wdk guys were a tremendous help on my project in which I had to use dsf which does have a kernel level component installed if you get really stuck they know driver hardware inside and out and can explain what you need. Monkeyboys suggestion of ethernet frames (maybe).   You cannot send ip packets at that point because you do not know the ip address of the device. Heres a thread on cisco where they discuss how its low on the osi model and anything lower then level 4 on the osi model needs some kernel level component or wrapper to kernel level components. I was taught using cisco net academy. At the low level of the osi model you are dealing more with device drivers and less with vb.net application and with direct device communication. Heres the cisco link: https://learningnetwork.cisco.com/thread/36117

    Edit: flooding the network in enterprise is bad idea as suggested by reed please ignore earlier comments!


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr






    • Edited by The Thinker Wednesday, July 03, 2013 11:53 PM edit 2
    Wednesday, July 03, 2013 12:58 PM
  • Before you spend your time trying to send a packet to the directed broadcast address(e.g. for 192.168.1.0 /24 that would be 192.168.1.255) try it from the command prompt?  Many (all?) windows machines don't respond to these.

    The only possible way to do exactly what you want is to send an Inverse or Reverse ARP request.  Except for what I said in my previous post, these are the only ways that a device knowing the Layer 2 address can ascertain the Layer 3 address.  Don't be surprised if that is also disabled.

    As has already been pointed out you can send a ping to each device on your network and then examine your arp.

    You could also try nailing up IP addresses to MAC addresses in DHCP. 

    edit:  Perhaps Cor(welcome back BTW) was alluding to the fact that this reeks of hacking. 


    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein



    • Edited by dbasnett Wednesday, July 03, 2013 1:33 PM fffffffffffffffffffffffddddddddddddd
    Wednesday, July 03, 2013 1:18 PM
  • Devon-

    Thanks.

    I've tried this approach and couldn't get it functional because I don't know the target device IP address.  That is what I'm trying to get!

    Looking at the wireshark traces on this approach shows that the message is not sent as an ARP Next Layer Protocol.

    BUT.  That all said, your suggestion has merit and I will try a test program to see if I can take it further.  Will report back.

    Again let me state that I'm not trying to send a message here (I'm already doing that fine, once I know the target IP address).  I'm trying to transmit a ARP REQ command over the LAN to cause a MAC address identified device to respond to the ARP.


    Ken Burkhalter



    It looks like you will have to go into unmanaged code which is what I was starting to become afraid of like cor said. You could also try and get the arp command line utility to perform your task. Iam afraid though that the arp protocol request is kernel level and cannot be called directly from vb.net (some operations do require a kernel level component to perform this is done on purpose by microsoft). The wdk guys were a tremendous help on my project in which I had to use dsf which does have a kernel level component installed if you get really stuck they know driver hardware inside and out and can explain what you need. Monkeyboys suggestion of ethernet frames (maybe) or flooding the network sounds closer to what you want. You cannot send ip packets at that point because you do not know the ip address of the device. Heres a thread on cisco where they discuss how its low on the osi model and anything lower then level 4 on the osi model needs some kernel level component or wrapper to kernel level components. I was taught using cisco net academy. At the low level of the osi model you are dealing more with device drivers and less with vb.net application and with direct device communication. Heres the cisco link: https://learningnetwork.cisco.com/thread/36117

    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr





    You could also use sendarp windows api with some knowledge but looks like someone has a similar question OP at stackoverflow that might help you out: http://stackoverflow.com/questions/13635414/arp-requests-in-managed-code

    Looks like arp does send a fair amount of packets on the network to perform its duties. Heres a better description of all the arp available commands from windows api if you cannot combine them together to produce desired output you might have to go into c/c++ programming: http://www.codeguru.com/cpp/i-n/internet/internetprotocolip/article.php/c6153/How-to-Get-an-ARP-Table-with-an-IP-Helper-API.htm


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr

    Wednesday, July 03, 2013 1:46 PM
  • I was getting ready to suggest something like this above or edit one of my posts above to include this but the guy in this forum suggests to find the ip address you need to ping the broadcast address on your ip subnet and then dump the arp table with arp -a. http://superuser.com/questions/29640/inverse-arp-lookup


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr


    • Edited by The Thinker Wednesday, July 03, 2013 2:01 PM edit 2
    Wednesday, July 03, 2013 2:01 PM
  • OMG!

    You are all so incredibly helpful.  Again BY FAR, this is the most responsive forum I have ever found.

    I about jumped out of my skin thinking that the solution could be as easy as pinging 192.168.1.255 then reading the arp cache.

    Unfortunately, it does not seem to work.  If I delete the dvc arp cache entry and then ping broadcast, the cache does not seem to get updated.  If I ping the dvc IP then the cache is updated.

    Looks like the general broadcast is ignored by a sleeping iPhone (which is what I am trying to find). Traffic tracing reveals that everyone BUT the iPhone respond to the broadcast ping.  Sigh!  :-(

    The iPhone is certainly a sometimes strange device with a mind of its own!

    The iPhone won't respond to pings if it is asleep, but at least it does interact with the arp cache and updates the cache within seconds.

    Looks like my only hope then is to bite the bullet and For i = 1 to 255 ping the subnet.

    That seems to work.

    Thank you all ever so much for helping me at least discover what needs to be done.

    Darn!  The ping 192.168.1.255 would have been so sweet, had it worked. :-(


    Ken Burkhalter

    Wednesday, July 03, 2013 2:41 PM
  • I was getting ready to suggest something like this above or edit one of my posts above to include this but the guy in this forum suggests to find the ip address you need to ping the broadcast address on your ip subnet and then dump the arp table with arp -a. http://superuser.com/questions/29640/inverse-arp-lookup


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr


    I hope that the OP tries pinging the directed broadcast from the command prompt before trying it in code.  As I pointed out many things that used to work no longer do.  It is not unusual in companies and government for PC's not to reply to pings or unsolicited request of any kind.

    Imagine that I was a hacker and I was able to learn your MAC address and with it your IP address.  I could then program my NIC in such a way that I would see your responses and send packets that looked like they came from you.


    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Wednesday, July 03, 2013 2:49 PM
  • Monkeyboys suggestion of ethernet frames (maybe) or flooding the network sounds closer to what you want.


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr

    Actually "flooding" isn't true I don't believe.

    I have a 54mbps network and sending pings is slow so at any given point, looping and sending pings, there is only one ping on the network during 1 second pretty much. And that ping is 42 bytes (336 bits) which is 6.2222222222222222222222222222222e-4% of the bandwidth of my network.

    Even if I could send 1000 pings at the same instant that would represent only .62% of my bandwidth.

    The real issue is figuring out how to send all of the pings at once instead of looping to do it. Which I suppose could possibly be done by placing each ping on a separate thread, maybe, but I haven't tried it yet.


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8

    Wednesday, July 03, 2013 3:44 PM
  • I downloaded Ping Sweeper from this Blog (which took a couple of seconds), unzipped it and opened it in VS 2012 where it upgraded with no problemo.

    Then I set it to free threading. It took 2.84 seconds to ping my entire subnet. Of course there were only two responses though.

    I then set it to Threadpool of 100 and it took about 30 seconds to ping my entire subnet.


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8


    Wednesday, July 03, 2013 6:34 PM
  • Actually the length you are seeing is the data.  The actual minimum size packet is 64 bytes FWIW.

    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Wednesday, July 03, 2013 7:01 PM
  • Actually the length you are seeing is the data.  The actual minimum size packet is 64 bytes FWIW.

    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein


    O.K. A rather miniscule amount of data on a 54mbps network. Tks for the info though.

    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8


    Wednesday, July 03, 2013 7:06 PM
  • If this is a personal network with fairly static devices why not assign specific IP addresses to each devices MAC address via DHCP?

    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Wednesday, July 03, 2013 7:30 PM
  • Gotcha, so you really do have to construct a packet with the correct MAC address. I don't know enough about this to even know if ethernet packets have to have an IP address also, but I'd guess that they do. I'll do some research as time permits and report anything interesting I find.

    Wednesday, July 03, 2013 9:43 PM
  • An Ethernet packet running some other protocol would not have an IP address.

    This thread is disturbing to me because of the potential for abuse.  The OP has not stated a legitimate, IMHO, reason for wanting to do what they are suggesting.


    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Wednesday, July 03, 2013 10:24 PM
  • Hi everyone,

    I see there has been a lot of effort to assist Ken here, and that is appreciated not only by him as he expressed, but by the rest of the community as well.  So while I don't want to end the thread before Ken is satisfied with it, there are a couple of thing that need to be addressed from a moderation point of view.

    First to Ken:

    This thread may actually be off-topic for this forum based on the direction it has traveled.  I think answer to the definite VB part revolves around question #2, in that you've learned that high-level languages such as VB are not supposed to interact with the system at that level, and you need a special driver to make it happen.  Beyond that, the discussion kind of leaves the realm of VB.Net.

    There's also the issue pointed out by Cor that we are walking a tricky line here.  While it would seem that you truly intended to use this knowledge for legitimate purposes, the thread lives in a public forum optimized for web searches.  Anything posted here can quickly end up in the hands of anyone, anywhere, with any intent.  Unfortunately the process you are trying to unravel can be used with malicious intent to cause harm to systems, and I think that may contribute to the lack of information you've found.  And it must also limit the amount of information which we can provide going forward.

    So here's what our next step needs to be... a quick discussion about DNS.  Please tell us why DNS cannot be used when it is the correct solution for exactly this issue from a network management point of view.

    Second to MrMonkeyBoy:

    In this thread you made a couple of posts which attempt to justify using a ping-sweep and argued the semantics of the term flooding.  Please do not pull a thread off-topic in such a way; it clutters the thread and is against the terms of use for the forums.  If you disagree over a side point, start a new discussion thread in an appropriate forum (including off-topic forum).

    In this case, the others are completely correct in that a ping-sweep cannot be done in a periodic manner.  You cannot compare your home network to an enterprise (or even small business) environment.  Its like comparing a paper airplane to a 747.  Ken clearing indicated that his software is intended for a broad audience so he can't to anything which might be disruptive to his customer's network.

    While a well designed network could probably handle a periodic ping sweep, it is likely that its protection systems would generate alerts after more than one sweep in a specified time limit (or perhaps even as the very first one begins).  A poorly designed network, or overburdened one, could be brought to its knees by a periodic ping sweep.

    So please be careful to keep your contributions on-topic and related to your own expertise.


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Wednesday, July 03, 2013 11:35 PM
  • Just for the record, I brought this to the moderators attention, not Cor.  Reed's response may have led some of you to arrive at that conclusion.

    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Wednesday, July 03, 2013 11:44 PM
  • Hi everyone,

    I see there has been a lot of effort to assist Ken here, and that is appreciated not only by him as he expressed, but by the rest of the community as well.  So while I don't want to end the thread before Ken is satisfied with it, there are a couple of thing that need to be addressed from a moderation point of view.

    First to Ken:

    This thread may actually be off-topic for this forum based on the direction it has traveled.  I think answer to the definite VB part revolves around question #2, in that you've learned that high-level languages such as VB are not supposed to interact with the system at that level, and you need a special driver to make it happen.  Beyond that, the discussion kind of leaves the realm of VB.Net.

    There's also the issue pointed out by Cor that we are walking a tricky line here.  While it would seem that you truly intended to use this knowledge for legitimate purposes, the thread lives in a public forum optimized for web searches.  Anything posted here can quickly end up in the hands of anyone, anywhere, with any intent.  Unfortunately the process you are trying to unravel can be used with malicious intent to cause harm to systems, and I think that may contribute to the lack of information you've found.  And it must also limit the amount of information which we can provide going forward.

    So here's what our next step needs to be... a quick discussion about DNS.  Please tell us why DNS cannot be used when it is the correct solution for exactly this issue from a network management point of view.

    Second to MrMonkeyBoy:

    In this thread you made a couple of posts which attempt to justify using a ping-sweep and argued the semantics of the term flooding.  Please do not pull a thread off-topic in such a way; it clutters the thread and is against the terms of use for the forums.  If you disagree over a side point, start a new discussion thread in an appropriate forum (including off-topic forum).

    In this case, the others are completely correct in that a ping-sweep cannot be done in a periodic manner.  You cannot compare your home network to an enterprise (or even small business) environment.  Its like comparing a paper airplane to a 747.  Ken clearing indicated that his software is intended for a broad audience so he can't to anything which might be disruptive to his customer's network.

    While a well designed network could probably handle a periodic ping sweep, it is likely that its protection systems would generate alerts after more than one sweep in a specified time limit (or perhaps even as the very first one begins).  A poorly designed network, or overburdened one, could be brought to its knees by a periodic ping sweep.

    So please be careful to keep your contributions on-topic and related to your own expertise.


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Reed that explains everything in a nutshell. Monkeyboy sorry for any confusion looks like reed made everything from a understandable point. Also, I will edit my post above where I said flooding because I do not think that was proper terminology for your response and is not viable in an enterprise environment because of firewalls. OP I think you might have to create a special driver or have unmanaged code to avoid the arp command and use code from directly inside of vb.net. The codeguru article does have a flush arp command if you want to try to use it too at some point. I think this is starting as reed said to go into more of a driver discussion especially if it is meant to work well in an enterprise environment. because of DDOS (distributed denial of service) attack what reed says could be done on daisy chained servers with less memory then before because the attack is spread across them all but that could easily be computers. So I know you have good intent OP but their is only so much we can reveal on this forum. Iam glad we all could help. Iam doing a lot of device work right now with emulation if you want help but realize that sometimes I prefer not to show my code and package it in a dll to prevent malicious intent and so no one will use it in an exploit. Edit: heres the wdk forum link: http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=wdk

    if they think your post could have malicious intent then it probably did not sit well with them either and they will probably lock the thread. Just tell them what you are trying to do and they will give you possible solutions from the driver level that allow more raw control. They also know windows apis inside and out.


    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth. - "Sherlock holmes" "speak softly and carry a big stick" - theodore roosevelt. Fear leads to anger, anger leads to hate, hate leads to suffering - Yoda. Blog - http://www.computerprofessions.co.nr





    • Edited by The Thinker Wednesday, July 03, 2013 11:59 PM eidt 4
    Wednesday, July 03, 2013 11:45 PM
  • Little experimenting here

    Made a quick pinger and tried a few things:
    Run arp:
    C:\Windows\System32>arp -a

    Interface: 192.168.1.30 --- 0xa
      Internet Address      Physical Address      Type
      192.168.1.1           XX-XX-XX-XX-XX-10     dynamic
      192.168.1.50          XX-XX-XX-XX-XX-a5     dynamic
      192.168.1.75          XX-XX-XX-XX-XX-69     dynamic
      192.168.1.211         XX-XX-XX-XX-XX-f3     dynamic
      192.168.1.214         XX-XX-XX-XX-XX-df     dynamic
      192.168.1.255         XX-XX-XX-XX-XX-ff     static
      224.0.0.22            XX-XX-XX-XX-XX-16     static
      224.0.0.252           XX-XX-XX-XX-XX-fc     static
      239.255.255.250       XX-XX-XX-XX-XX-fa     static
      255.255.255.255       XX-XX-XX-XX-XX-ff     static

    Run Pinger (1-254)

    C:\Windows\System32>arp -a
    Interface: 192.168.1.30 --- 0xa
    Internet Address      Physical Address      Type
    192.168.1.1           XX-XX-XX-XX-XX-10     dynamic
    192.168.1.2           XX-XX-XX-XX-XX-01     dynamic
    192.168.1.4           XX-XX-XX-XX-XX-81     dynamic
    192.168.1.10          XX-XX-XX-XX-XX-d2     dynamic
    192.168.1.40          XX-XX-XX-XX-XX-91     dynamic
    192.168.1.50          XX-XX-XX-XX-XX-a5     dynamic
    192.168.1.75          XX-XX-XX-XX-XX-69     dynamic
    192.168.1.211         XX-XX-XX-XX-XX-f3     dynamic
    192.168.1.255         XX-XX-XX-XX-XX-ff     static
    224.0.0.22            XX-XX-XX-XX-XX-16     static
    224.0.0.252           XX-XX-XX-XX-XX-fc     static
    239.255.255.250       XX-XX-XX-XX-XX-fa     static 
    255.255.255.255       XX-XX-XX-XX-XX-ff     static 

    C:\Windows\system32>netsh interface ip delete arpcache                                                      
    Ok.                                                   
    C:\Windows\system32>arp -a                            
    Interface: 192.168.1.30 --- 0xa                       
      Internet Address      Physical Address      Type
      192.168.1.1           XX-XX-XX-XX-XX-10     dynamic

    Run Pinger Program (.255 only)
    C:\Windows\System32>arp -a
    Interface: 192.168.1.30 --- 0xa
      Internet Address      Physical Address      Type
      192.168.1.1           XX-XX-XX-XX-XX-10     dynamic
      192.168.1.2           XX-XX-XX-XX-XX-01     dynamic
      192.168.1.40          XX-XX-XX-XX-XX-91     dynamic
      192.168.1.75          XX-XX-XX-XX-XX-69     dynamic
      192.168.1.255         XX-XX-XX-XX-XX-ff     static
      239.255.255.250       XX-XX-XX-XX-XX-fa     static
      255.255.255.255       XX-XX-XX-XX-XX-ff     static

    Thursday, July 04, 2013 12:15 AM
  • Hi everyone,

    I see there has been a lot of effort to assist Ken here, and that is appreciated not only by him as he expressed, but by the rest of the community as well.  So while I don't want to end the thread before Ken is satisfied with it, there are a couple of thing that need to be addressed from a moderation point of view.

    First to Ken:

    This thread may actually be off-topic for this forum based on the direction it has traveled.  I think answer to the definite VB part revolves around question #2, in that you've learned that high-level languages such as VB are not supposed to interact with the system at that level, and you need a special driver to make it happen.  Beyond that, the discussion kind of leaves the realm of VB.Net.

    There's also the issue pointed out by Cor that we are walking a tricky line here.  While it would seem that you truly intended to use this knowledge for legitimate purposes, the thread lives in a public forum optimized for web searches.  Anything posted here can quickly end up in the hands of anyone, anywhere, with any intent.  Unfortunately the process you are trying to unravel can be used with malicious intent to cause harm to systems, and I think that may contribute to the lack of information you've found.  And it must also limit the amount of information which we can provide going forward.

    So here's what our next step needs to be... a quick discussion about DNS.  Please tell us why DNS cannot be used when it is the correct solution for exactly this issue from a network management point of view.

    Second to MrMonkeyBoy:

    In this thread you made a couple of posts which attempt to justify using a ping-sweep and argued the semantics of the term flooding.  Please do not pull a thread off-topic in such a way; it clutters the thread and is against the terms of use for the forums.  If you disagree over a side point, start a new discussion thread in an appropriate forum (including off-topic forum).

    In this case, the others are completely correct in that a ping-sweep cannot be done in a periodic manner.  You cannot compare your home network to an enterprise (or even small business) environment.  Its like comparing a paper airplane to a 747.  Ken clearing indicated that his software is intended for a broad audience so he can't to anything which might be disruptive to his customer's network.

    While a well designed network could probably handle a periodic ping sweep, it is likely that its protection systems would generate alerts after more than one sweep in a specified time limit (or perhaps even as the very first one begins).  A poorly designed network, or overburdened one, could be brought to its knees by a periodic ping sweep.

    So please be careful to keep your contributions on-topic and related to your own expertise.


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    "I am attempting to programmatically determine if a specific device is attached to my LAN" doesn't sound to me like " Ken clearing indicated that his software is intended for a broad audience".

    I have no "expertise" Reed. Is that against the TOU also? Or do I have to get a Doctorate in computer sciences and 30 years experience to create my expertise in order to post anything here?

    Also I never attempted to "justify" anything. I merely pointed out the fact that the network would not be flooded using pings regarding the use of them as a possible solution for this thread. Please don't make mountains out of molehills ("A poorly designed network, or overburdened one, could be brought to its knees by a periodic ping sweep").

    I've worked on a HUGE amount of networks in my life. Everything from sipernet and a plethora of others in the military to numerous small and large satellite networks and customer site networks in the civilian world, all over the world, and never has any network ever come to it's knees doing a "ping sweep". So I do have experience about that particular issue. If you actually believe that you have more experience in that arena I strongly disagree.

    But thanks for your attention on the matter! :)

    And have a happy 4th of July if that's celebrated where you come from.


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8




    Thursday, July 04, 2013 12:52 AM
  • WOW!

    Amazing and informative thread, but I understand Reed's concerns.  Didn't realize I was opening such a can of worms when I posted the question.  Mea culpa.  Sorry 'bout that.

    I thought I was just stumped by what should have been a simple task.  At least I've learned that I was stumped for good reasons!!! :-)

    After all this, I threw in the towel and decided to write to file the last known good IP address for the iPhone, and use that to ping the device and then check the arp cache, whenever my first arp cache read attempt fails.

    Very quick, seems reliable, and easy to do.

    Thanks again all.  I consider this issue closed.


    Ken Burkhalter

    Thursday, July 04, 2013 1:06 AM
  • Also I never attempted to "justify" anything. I merely pointed out the fact that the network would not be flooded using pings regarding the use of them as a possible solution for this thread. Please don't make mountains out of molehills ("A poorly designed network, or overburdened one, could be brought to its knees by a periodic ping sweep").

    I've worked on a HUGE amount of networks in my life. Everything from sipernet and a plethora of others in the military to numerous small and large satellite networks and customer site networks in the civilian world, all over the world, and never has any network ever come to it's knees doing a "ping sweep". So I do have experience about that particular issue. If you actually believe that you have more experience in that arena I strongly disagree.


    My apprehension over this thread was because I have managed some very large networks in the government and private sector and have seen application programmers do harm to the network.  If we caught end-users doing anything like a ping sweep / port scan of their subnet or the network as a whole we would block ICMP traffic to/from the end user and have a formal discussion about what they were doing. 

    It is possible to write ping programs and port scanners that aren't a threat to network performance or security, but I have never seen the need UNLESS you were responsible for managing the network.

    "Those who use Application.DoEvents() have no idea what it does and those who know what it does never use it." JohnWein

    Thursday, July 04, 2013 2:47 AM
  • My apprehension over this thread was because I have managed some very large networks in the government and private sector and have seen application programmers do harm to the network.  If we caught end-users doing anything like a ping sweep / port scan of their subnet or the network as a whole we would block ICMP traffic to/from the end user and have a formal discussion about what they were doing. 

    It is possible to write ping programs and port scanners that aren't a threat to network performance or security, but I have never seen the need UNLESS you were responsible for managing the network.

    Beware: I HAVE NO EXPERTISE.

    True. I believe however that the term "my LAN" in the original post and retirement next to the OP's name didn't represent any of those issues.


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8


    Thursday, July 04, 2013 2:52 AM
  • My apprehension over this thread was because I have managed some very large networks in the government and private sector and have seen application programmers do harm to the network.  If we caught end-users doing anything like a ping sweep / port scan of their subnet or the network as a whole we would block ICMP traffic to/from the end user and have a formal discussion about what they were doing. 

    It is possible to write ping programs and port scanners that aren't a threat to network performance or security, but I have never seen the need UNLESS you were responsible for managing the network.

    Beware: I HAVE NO EXPERTISE.

    True. I believe however that the term "my LAN" in the original post and retirement next to the OP's name didn't represent any of those issues.


    You've taught me everything I know but not everything you know. _________________________________________________________________________________________________________________ This search engine is for MSDN Library and has many features. http://social.msdn.microsoft.com/Search/en-US?query=search%20msdn%20library&beta=0&ac=8



    "

    Pinging everything on the LAn does indeed cause the arp cache to get updated, but I'd rather not clutter LAN traffic (since my intent is to create a general purpose program that can be used by others under unknown conditions).

    I'm trying to find a cleaner approach, but thanks for the idea.  Been there, tried that.  :-)


    Ken Burkhalter"


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Thursday, July 04, 2013 3:03 AM