Thanks to some lax record keeping by our (ex! 🙂 network manager I'm tasked with finding what QNAP and Synology NAS devices exist in our company. We have several hundred offices scattered across the UK and they are all separate networks and separate domains. They are all Windows based (a mixture of Server 2k3, 2008 and 2012). We run our own home brewed monitoring software that allows me to run any software I want remotely.
QNAPs and Synologies have distinctive MAC addresses, so if I can scan the network for MAC addresses and pipe the output to a file I can easily get the info I need. The question is how to get a list of all MAC addresses on the LAN.
The obvious first step is just to run arp -a, and I'll probably go ahead and do this anyway. However this will only show devices the server has seen within the arp cache timeout. Does anyone know an easy way to get all devices? By easy I mean something built into Windows – I'd prefer not to have to install any software as we're talking about hundreds of different offices. nmap tends to be mentioned on these occasions, but the Windows ports seem to need extra libraries installing. If I have to use an external scanner it would be nice to have an executable that can just be copied onto the server and run.
PS: a quick clarification:
The scanner needs to be a command line app so I can fire it off remotely and have the output go to a file for subsequent parsing. It can't rely on Java since there's no guarantee all servers have Java. I'm fairly certain all servers will have at least .Net 2.0 – I suppose at a pinch I could knock up a quick .Net 2.0 app to ping every possible address on the network and get the MAC address associated with any replies …
Best Answer
The quickest/easiest way is generally to grab the arp tables from your switches (assuming you have managed switches, otherwise, brace yourself for a lot of pain) and filter them based on the MAC addresses assigned to the manufacturer of the network card(s) you're looking for. I tend to use this site to link MACs to vendors and vice versa, but there are certainly others out there.
If your switches aren't managed, so you can't easily pull up the arp tables from a central location, the next best approach is to find a machine on every network segment you can broadcast from and then lookup the local arp table on. Which... is far from ideal, but really the best solution out of a lot of bad options. Rather than doing an interactive logon to all these machines, like you seem to suggest in your question, I'd use some method of getting a remote command line from a central location, like your workstation. WinRM, PowerShell remoting and even PSexec are all relatively easy options to achieve this goal that may or may not be right for you, depending on how your environment's set up.
Oh, and let me add, rather than pinging every address, or writing an app to do so, it would be faster to just hit the broadcast address for each of your subnets or the global braodcast address, if this is the route you end up going. (The broadcast address is the address with
.255in the last octet, and the global broadcast address is255.255.255.255.)