At one point, the LAN in my office became so full that we actually ran out of IP addresses! This made it very difficult to add new machines to the network -- if anyone requested an IP address, they would be put on a waiting list and given an assignment when an IP address finally became available. But, because of the shortage, few people were ever willing to voluntarily return an IP address to the pool of unallocated addresses when a machine was decomissioned.
The network people tried to recover unused IP addresses by pinging every IP address on our network once every day, and reclaiming any addresses that were idle for more than a month. The hope was that decommissioned machine would have its IP address recycled as soon as the ping program realized that the address was idle. In response, some people tried to hold on to their IP addresses by configuring their machines to use all of them at the same time!
To combat this, I wrote mhsearch, a little Perl program that pings each host on the network and determines the IP-to-MAC address mapping by looking at the kernel's ARP cache. It reports any MAC address responding to more than a single IP address, as shown in this sample run:
CAMB:/home/jelson(441) ./mhsearch.pl 128.231.128.0/23 Scanning IP network 128.231.128.0, mask len 23 (510 hosts + 1 broadcast address) pinging up through 128.231.128.20... pinging up through 128.231.128.40... pinging up through 128.231.128.60... pinging up through 128.231.128.80... [...] pinging up through 128.231.129.244... pinging broadcast address... Duplicates found: 00:80:5f:50:1a:83 is using dcrtcsbdev, livewire-dev 08:00:20:1a:f7:66 is using sunny, nsb 08:00:20:8c:f3:e3 is using sundavid, nextdavid, xray, ultra, fly(In case you're wondering, the network people did finally resolve the IP shortage by switching as many machines as possible to DHCP, and redesigning the network so that our LAN would have a larger block of IP addresses allocated to it.)
Note, this program does *not* scan for IP address collisions (i.e., a single IP address being used by more than one host). It does the opposite: scan for a single host using more than one IP address.
mhsearch does not verify that the given network number and subnet mask length are valid.
There is no guarantee that hosts will remain in the ARP cache in between the time when they are pinged and when the ARP cache is checked. If there is a lot of network activity on the machine during mhsearch's operation, some ARP mappings may be lost.
Of course, mhsearch can only find multihomed hosts on a locally connected datalink network. It cannot scan networks through a router.
Back to my software page
Back to my home page
Jeremy Elson