Date: Fri, 5 Aug 2016 09:19:01 -0700
On 8/5/16 7:19 AM, Lamar Owen wrote:
> On 07/30/2016 06:35 PM, ToddAndMargo wrote:
>> I am looking to do network discovery. Basically, everything
>> on the interface, regardless of what network it belongs to
>> or even if it has an IP assigned. Like AutoScan Network, only
>> not abandoned.
>>
> I have a dedicated install of NetworkSecurityToolkit (NST) on a box
> connected to two ports on one of our core switches. One port is the
> admin port that NST serves its web GUI on; the second port is a
> capture-only port and connects to a SPAN port on the core switch
> (Cisco terminology, as it's a Cisco 7609). I set up the SPAN to
> redirect traffic for the ports and/or VLANs I'm interested in looking
> at, and then capture all the traffic (I capture all traffic then
> filter it out). Not as clean as some other solutions, but it does get
> everything.
I got to thinking about this some more and Lamar, you just triggered a
thought... There IS a technique used by large organizations. Cisco
invented this "thing" called netflow. On my linux systems I have a
kernel module called ipt_NETFLOW
(https://sourceforge.net/projects/ipt-netflow/). It sends netflow
(tcp/ip connection) records to a netflow collector. Windows can export
netflow too (http://www.flowtraq.com/corporate/product/flow-exporter/).
I use ntop as the collector on Linux and it seems to have versions for
OS X and windows these days too, but there are many netflow collectors.
Many are free (solarwinds is common).
This is the big-boy way of doing this.
For full disclosure, I pay my bills supporting one of the proprietary
netflow collection/analysis tools... No, I won't name the tool.
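The reply describes exporters (ipt_NETFLOW, a Windows exporter) sending flow records to a collector such as ntop. The following is an added example, not code from the thread or from any of those tools: a minimal collector-side parser for the standard NetFlow v5 datagram (24-byte header, 48-byte records), with a constructed sample packet so it runs offline. It also shows the length check a collector needs because it listens on unauthenticated UDP, and the "hosts seen" view that answers the original discovery question.

```python
import socket
import struct

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    A collector listens on plain UDP, so it validates lengths instead of
    trusting the advertised record count from a short or spoofed packet.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "sport": r[9], "dport": r[10], "proto": r[13],
                      "packets": r[5], "bytes": r[6]})
    return flows

def hosts_seen(flows):
    """Discovery view: every address that appeared as a flow endpoint."""
    return {f["src"] for f in flows} | {f["dst"] for f in flows}

def build_v5_packet(records):
    """Exporter-side encoder, used here only to fabricate sample input."""
    header = V5_HEADER.pack(5, len(records), 1000, 1470000000, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                       pk, by, 0, 1000, sp, dp, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, pk, by in records)
    return header + body

# Constructed sample: two TCP flows and one UDP flow on a documentation /24.
SAMPLE = build_v5_packet([
    ("192.0.2.10", "192.0.2.80", 51234, 80, 6, 12, 9000),
    ("192.0.2.11", "192.0.2.80", 51235, 443, 6, 30, 42000),
    ("192.0.2.12", "192.0.2.53", 40000, 53, 17, 2, 160),
])
```

In a real deployment the bytes come from `socket.recvfrom()` on UDP port 2055 (the conventional NetFlow port) rather than from `build_v5_packet`; everything after that is the same.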