I'm writting a simple network sniffer that should be able to reconstruct network structure.
When an interface has set up a DHCP, I can easily read interface settings such as client IP address, subnet mask, DNS server etc. by catching a DHCP packet and analysing it.
When an interface has a static IP, I'm catching ARP Announcement packet to get static IP address and then ARP request from the gateway, to get geteway IP address. I'm also saving MAC addresses.
My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address. Or by caching some packets. I didn't see packets that could have such informations. I also need DNS address, but it's less important.
Do a bitwise XOR on a pair of IP addresses. The zeroes in the result are where the bits are the same, so the left set of zeroes (ie before the first bit of the result which is a one and therefore is different in the IP addresses) is a candidate subnet mask, but may be too long. NOT that to make the zeros into ones, and AND it with one of the original IP addresses. Then XOR this with the next IP address and again take the left hand zeroes, whcih may be the same or shorter than previously. In the end you will have a mask where all of the IP addresses were identical. I think
AFAIK, the network mask is only announced through DHCP. Your only solution seems to be listening to some packets, and guessing the mask, using the method suggested by @IanC.
