On 8/5/16 7:19 AM, Lamar Owen wrote:
> On 07/30/2016 06:35 PM, ToddAndMargo wrote:
>> I am looking to do network discovery. Basically, everything
>> on the interface, regardless of what network it belongs to
>> or if it even has an ip assigned. Like AutoScan Network, only
>> not abandoned.
>>
> I have a dedicated install of NetworkSecurityToolkit (NST) on a box
> connected to two ports on one of our core switches. One port is the
> admin port that NST serves its web GUI on; the second port is a
> capture-only port and connects to a SPAN port on the core switch
> (Cisco terminology, as it's a Cisco 7609). I set up the SPAN to
> redirect traffic for the ports and/or VLANs I'm interested in looking
> at, and then capture all the traffic (I capture all traffic then
> filter it out). Not as clean as some other solutions, but it does get
> everything.

I got to thinking about this some more and Lamar, you just triggered a thought...

There IS a technique used by large organizations. Cisco invented this "thing" called netflow. On my linux systems I have a kernel module called ipt_NETFLOW (https://sourceforge.net/projects/ipt-netflow/). It sends netflow (tcp/ip connection) records to a netflow collector. Windows can export netflow too (http://www.flowtraq.com/corporate/product/flow-exporter/).

I use ntop as the collector on Linux and it seems to have versions for OS X and windows these days too, but there are many netflow collectors. Many are free (solarwinds is common).

This is the big-boy way of doing this.

For full disclosure, I pay my bills supporting one of the proprietary netflow collection/analysis tools... No, I won't name the tool.
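NetFlow v5 records of the kind ipt_NETFLOW exports are fixed-layout UDP datagrams, so a collector's "which hosts talked" view is just a decode of those records. As an added example (not from this thread, ipt_NETFLOW or any collector named in it), the Python below parses one constructed v5 datagram into flow records and builds the per-host inventory a collector would display; the header and record layout is the published v5 format, and the sample flows and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte
# records, all fields big-endian (network byte order).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Return (header_dict, [record_dict, ...]) for one NetFlow v5 UDP payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # Trust the count only after checking the datagram really carries that many.
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header claims %d records" % count)
    header = {"count": count, "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits = interval
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return header, records

def inventory(records):
    """Every host seen as a flow endpoint, with bytes attributed to it."""
    seen = {}
    for r in records:
        for host in (r["src"], r["dst"]):
            seen[host] = seen.get(host, 0) + r["bytes"]
    return seen

def build_record(src, dst, sport, dport, proto, packets, octets):
    """Constructed v5 record for the sample datagram (not captured traffic)."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, packets, octets, 1000, 2000,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed datagram: one TCP/443 session seen in both directions.
SAMPLE = HEADER.pack(5, 2, 123456, 1470400000, 0, 42, 0, 0, 0) + \
    build_record("10.1.2.3", "192.0.2.10", 51515, 443, 6, 12, 3400) + \
    build_record("192.0.2.10", "10.1.2.3", 443, 51515, 6, 10, 57000)

if __name__ == "__main__":
    print(inventory(parse_netflow_v5(SAMPLE)[1]))
```

Because flows are keyed on IP endpoints, a device with no address assigned never appears in this inventory; that gap is what the SPAN-port capture in the quoted reply covers and flow export does not.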