I've always been fond of arpwatch.  Arpwatch keeps a simple database of MAC
addresses and IP addresses associated with them.  It sends e-mail
notifications when a new device appears on the network and when the MAC
address associated with an IP address changes.  This tool does not require
anything special and can alert you to new computers on your network, users
changing IP addresses, and duplicate IP addresses.  It is better than
pinging all hosts because it is passive (no need to alert someone you are
looking for them), and you don't rely on a response to an ICMP echo (when
the host may not respond to them).  This, however, will not detect someone
who connects to your network without a bound IP address for the purpose of
sniffing the network.  However, in a switched network environment they
should not get much useful information anyway.  In addition, as stated by
White-Tiger, you can use your managed switches to watch for new links.

Arpwatch is distributed with RedHat Linux and probably other flavors as
well.

Useful Link: http://www.securityfocus.com/tools/142

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa
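
The bookkeeping described above (a table of IP-to-MAC pairings, with an alert for a new device and for a changed MAC), as an added Python example that is not part of the original message and is not arpwatch's own code. The event names, helper functions and sample addresses are constructed for illustration.

```python
import struct

def parse_arp(frame):
    """Return (sender_ip, sender_mac) from an Ethernet II ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # too short, or EtherType is not ARP
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not IPv4-over-Ethernet ARP
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return ".".join(str(b) for b in frame[28:32]), mac

class ArpTable:
    def __init__(self):
        self.current = {}   # ip -> MAC last seen for that address
        self.previous = {}  # ip -> MAC it had before the last change

    def observe(self, ip, mac):
        """Record a pairing; return an event name, or None if nothing changed."""
        known = self.current.get(ip)
        if ip == "0.0.0.0" or known == mac:
            return None  # ARP probe with no bound address, or pairing unchanged
        self.current[ip] = mac
        if known is None:
            return "new_station"
        event = "flip_flop" if self.previous.get(ip) == mac else "mac_changed"
        self.previous[ip] = known
        return event

def watch(frames):
    """Feed captured frames through the table and collect the alerts."""
    table, alerts = ArpTable(), []
    for frame in frames:
        pair = parse_arp(frame)
        event = table.observe(*pair) if pair else None
        if event:
            alerts.append((event,) + pair)
    return alerts

def make_arp(mac, ip):
    """Build a constructed ARP request frame (sample input only)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    header = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 1)
    return b"\xff" * 6 + sha + header + sha + spa + b"\x00" * 6 + spa

# Constructed sample traffic: (sender MAC suffix, last IP octet) per ARP frame.
SAMPLE = [make_arp("02:00:00:00:00:" + m, "192.0.2." + i) for m, i in
          [("0a", "10"), ("0a", "10"), ("0b", "11"), ("99", "10"), ("0a", "10")]]
```

Calling `watch(SAMPLE)` returns the alerts in order; a duplicate IP address typically shows up as the same address alternating between two MACs, which this sketch reports as `flip_flop`.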



-----Original Message-----
From: White-Tiger [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 August, 2003 00:39
To: Simon; netsec novice; [EMAIL PROTECTED]
Subject: RE: Network scanning


If you are in a switched network... some switches support
snmp traps for link up/down.

if port 12 is unused... and you get a trap that it just
went UP... then bingo... someone is on.  also... you can set
it up so that if you have a workstation with a link that
goes down/up/down/ or some pattern... your helpdesk can see
it... can call to make sure everything is ok... that way
you might catch standard user problems before they have to
call you.  what great customer service :)

looks good for you.

wt
--- Simon <[EMAIL PROTECTED]> wrote:
> One thing that you could do is use a tool that would send an ICMP
> packet to all possible addresses in your particular network.  That
> won't detect all connecting hosts, in particular if someone jacks in
> to sniff only, but that assumes that your network is hub based.  If
> your network is switch based then people will have a hard time
> logging in and sniffing without being detected as they'd normally
> have to ARP poison the switch or do something else that would be
> detectable.
>
> So... the simple 99% answer is, ping all possible IP addresses once,
> if you get a response from an address that's not supposed to be
> there... well... then you'll know.
>
> Also, if you use DHCP then you could watch the DHCP log for new
> systems... that's not super difficult either.
> 
> 
> 
> -----Original Message-----
> From: netsec novice [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 07, 2003 1:51 PM
> To: [EMAIL PROTECTED]
> Subject: Network scanning
>
>
> Are there tools out there that would allow system administrators to
> be notified when a new workstation attaches to a network?  I'm
> thinking both wireless and ethernet in this case.  SNMP maybe?  I am
> in a credit union environment and my concern is that someone would be
> able to steal an existing jack or a jack that is not physically
> protected but live and be able to capture traffic or do
> reconnaissance.  We don't have Wireless access at this point but may
> look to it in the future.  My only thought in that case would be to
> encrypt all traffic since wireless security is a bit scary at this
> point.  Any ideas?
> 

