On 8/5/16 7:19 AM, Lamar Owen wrote:
> On 07/30/2016 06:35 PM, ToddAndMargo wrote:
>> I am looking to do network discovery. Basically, everything
>> on the interface, regardless of what network it belongs to
>> or if even has an ip assigned.  Like AutoScan Network, only
>> not abandoned.
>>
> I have a dedicated install of NetworkSecurityToolkit (NST) on a box 
> connected to two ports on one of our core switches.  One port is the 
> admin port that NST serves its web GUI on; the second port is a 
> capture-only port and connects to a SPAN port on the core switch 
> (Cisco terminology, as it's a Cisco 7609).  I set up the SPAN to 
> redirect traffic for the ports and/or VLANs I'm interested in looking 
> at, and then capture all the traffic (I capture all traffic then 
> filter it out).  Not as clean as some other solutions, but it does get 
> everything.

I got to thinking about this some more and Lamar, you just triggered a 
thought...  There IS a technique used by large organizations.  Cisco 
invented this "thing" called netflow.  On my linux systems I have a 
kernel module called ipt_NETFLOW 
(https://sourceforge.net/projects/ipt-netflow/).  It sends netflow 
(tcp/ip connection) records to a netflow collector.  Windows can export 
netflow too (http://www.flowtraq.com/corporate/product/flow-exporter/).

I use ntop as the collector on Linux and it seems to have versions for 
OS X and windows these days too, but there are many netflow collectors.  
Many are free (solarwinds is common).

This is the big-boy way of doing this.

For full disclosure, I pay my bills supporting one of the proprietary 
netflow collection/analysis tools... No, I won't name the tool.