On 8/5/16 7:19 AM, Lamar Owen wrote:
> On 07/30/2016 06:35 PM, ToddAndMargo wrote:
>> I am looking to do network discovery. Basically, everything
>> on the interface, regardless of what network it belongs to
>> or if it even has an IP assigned. Like AutoScan Network, only
>> not abandoned.
> I have a dedicated install of NetworkSecurityToolkit (NST) on a box
> connected to two ports on one of our core switches. One port is the
> admin port that NST serves its web GUI on; the second port is a
> capture-only port and connects to a SPAN port on the core switch
> (Cisco terminology, as it's a Cisco 7609). I set up the SPAN to
> redirect traffic for the ports and/or VLANs I'm interested in looking
> at, and then capture all the traffic (I capture all traffic then
> filter it out). Not as clean as some other solutions, but it does get
> everything.
I got to thinking about this some more and Lamar, you just triggered a
thought... There IS a technique used by large organizations. Cisco
invented this "thing" called NetFlow. On my Linux systems I have a
kernel module called ipt_NETFLOW
(https://sourceforge.net/projects/ipt-netflow/). It sends NetFlow
(TCP/IP connection) records to a NetFlow collector. Windows can export
NetFlow too (http://www.flowtraq.com/corporate/product/flow-exporter/).
I use ntop as the collector on Linux, and it seems to have versions for
OS X and Windows these days too, but there are many NetFlow collectors.
Many are free (SolarWinds is common).
This is the big-boy way of doing this.
For full disclosure, I pay my bills supporting one of the proprietary
netflow collection/analysis tools... No, I won't name the tool.
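To make the collector side of this concrete, here is an added example (not code from ipt_NETFLOW, ntop, or any product named in the thread) that decodes NetFlow v5 datagrams, the classic Cisco export format, and turns the flow records into a host inventory: every address that appears as a source or destination is a live host, and the destination ports are the services it was talked to on. It assumes the exporter is configured for v5 (ipt_NETFLOW also speaks v9/IPFIX, so check the module's protocol setting) and uses a constructed sample datagram built from RFC 5737 test addresses so it runs offline. Two caveats for the discovery use case: NetFlow only sees hosts that actually send or receive IP traffic through an exporting interface, and v5 is IPv4-only, so a box with no IP address at all (the original question) never shows up here; that case still needs a layer-2 view such as the SPAN capture described above.

```python
"""NetFlow v5 collector logic: decode exported records, build a host inventory.
Added example; the wire format is Cisco's published v5 layout, the sample data is constructed."""
import socket
import struct
from collections import defaultdict

HEADER_FMT = "!HHIIIIBBH"             # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in/out if, pkts, octets, first, last, ports, pad,
                                      # tcp_flags, proto, tos, src/dst AS, src/dst mask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes
MAX_RECORDS = 30                           # v5 exporters send at most 30 records per datagram
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def _ip_int(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def parse_netflow_v5(datagram):
    """Return a list of flow dicts from one v5 datagram; raise ValueError if malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": _ip(src), "dst": _ip(dst), "proto": PROTO_NAMES.get(proto, str(proto)),
                      "sport": sport, "dport": dport, "packets": pkts, "bytes": octets,
                      "tcp_flags": tcp_flags})
    return flows


def host_inventory(flows):
    """Collapse flows into {ip: {"peers": set, "services": set}}. Any address seen as
    source or destination is a live host; destination (proto, port) pairs are its services."""
    hosts = defaultdict(lambda: {"peers": set(), "services": set()})
    for f in flows:
        hosts[f["src"]]["peers"].add(f["dst"])
        hosts[f["dst"]]["peers"].add(f["src"])
        hosts[f["dst"]]["services"].add((f["proto"], f["dport"]))
    return dict(hosts)


def build_v5_datagram(records, seq=0):
    """Encode (src, dst, proto, sport, dport, pkts, octets) tuples as a v5 datagram.
    Only used here to construct test input; in practice the exporter (e.g. ipt_NETFLOW) does this."""
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, proto, sport, dport, pkts, octets in records:
        body += struct.pack(RECORD_FMT, _ip_int(src), _ip_int(dst), 0, 0, 0, pkts, octets, 0, 0,
                            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return header + body


# Constructed sample: three flows as a hypothetical exporter would send them (RFC 5737 addresses).
SAMPLE_DATAGRAM = build_v5_datagram([
    ("192.0.2.10", "198.51.100.5", 6, 51234, 443, 12, 4096),
    ("192.0.2.11", "198.51.100.5", 6, 40000, 22, 30, 9000),
    ("192.0.2.10", "198.51.100.7", 17, 53321, 53, 1, 73),
])


def collect(port=2055, limit=1):
    """Receive `limit` datagrams on the collector port (2055 is customary for NetFlow)
    and return the merged inventory. Malformed datagrams are dropped, not fatal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    flows = []
    for _ in range(limit):
        data, _addr = sock.recvfrom(65535)
        try:
            flows.extend(parse_netflow_v5(data))
        except ValueError as err:
            print("dropped datagram:", err)
    sock.close()
    return host_inventory(flows)


if __name__ == "__main__":
    for host, info in sorted(host_inventory(parse_netflow_v5(SAMPLE_DATAGRAM)).items()):
        print(host, "services=%s" % sorted(info["services"]), "peers=%d" % len(info["peers"]))
```

Run it as-is to see the inventory built from the constructed sample; point a real exporter at `collect()` to see live hosts appear without sending a single probe packet. The length and record-count checks matter on a collector that listens on a bare UDP port: anything on the network can send it datagrams, so a decoder that trusts the count field would index past the end of a short packet.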