Re: Nmap-based mapping/monitoring tool

[Jake Kallman <jkallman () unr nevada edu>]

To handle the actual slowdown and availability issue, we were planning (at
least for the first implementation) to just ping each machine with one or
2 packets and then read the time off of that.  Its a pretty primitive way
of doing it, but for a one semester project it is enough to prove the
concept anyways.  The idea being, the server runs once on a network to
establish the baseline stats for speed and network map, then on each
subsequent scan it compares the data from the current scan against the
information from previous scans.  If a computer is not there, then it
would report it as an outage, or if the time was significantly higher than
the average time it would report it as a slow connection.

In essence then for each computer on the network it would run a small ping
to test the connection and speed, then it would run nmap to get port
information and OS detection.  Pretty primitive I know, but it would at
least be enough to prove the concept for the class, with later work being
focused on making the process more efficient.

The main problem that we are working on with this model for connection
availability/speed tracking is dhcp.  If a computer changes IPs then it
might not be recognized by the system.  We are working on maybe trying
some solutions based around MAC addresses or intuitive guessing by the
server when it runs the scans, but that might be something we move off to
future work also (its hard trying to fit all this into a one-semester
project).

Jake

On Tue, 9 Mar 2004, Mike Slifcak wrote:

> The one thing I don't see ntop nor nmap being useful is in
> finding network slowdowns or outages, as Jake describes those.
>
> I've seen the utility of MRTG and Cricket, backed by routers
> and switches that can be monitored for these purposes.
>
> I'm willing to be educated, so let me know how you do this.
> -Mike Slifcak
>
>
> Jake Kallman wrote:
> > Thank you all for the very fast responses and great input =)
> >
> > I'll take a look at ntop also.  One thing that I didn't mention in the
> > initial post, and which might be of interest to Bob, is that to ease the
> > load on a central server (and the network on the whole) we were going to
> > make the server script work in a distributed and parallelized manner.
> > Where at the top level of your network you could have a server that just
> > compiles data from lower-tier machines which each run scans on the
> > machines connected to them.  In this way the top level server does not
> > have to run any scans, but rather just get the database files from the
> > lower level machines at the scheduled intervals.  We thought that this
> > would cut down a lot of scan time on larger networks, and also allow some
> > scalability so that as the program was installed on larger networks one
> > machine wouldn't be burdened with the job of handling all the scanning.
> >
> > Not sure if this helps out any, but just an idea I thought I'd throw out
> > there.
> >
> > Jake
> >
> > On Wed, 10 Mar 2004, Craig Humphrey wrote:
> >
> >
> > > Hi Jake,
> > >
> > > you may also want to look at ntop, which monitors a network through sniffing
> > > (rather than active scanning), but integrates nmap to probe hosts.
> > >
> > > There are a few commercial tools out there that do this kind of thing (or
> > > similar, or sub/supersets).
> > > I've used What's Up Gold quite a bit.
> > > Just did a little google and https://freemap.qualys.com/ looks interesting,
> > > and being browser based, there's a certain amount of freedom for the client
> > > end.
> > >
> > > Have fun and keep us in the loop.
> > >
> > > Later'ish
> > > Craig
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jake Kallman [mailto:jkallman () unr nevada edu]
> > > > Sent: Tuesday, March 09, 2004 9:04 PM
> > > > To: nmap-dev () insecure org
> > > > Subject: Nmap-based mapping/monitoring tool
> > > >
> > > >
> > > > I am developing a network monitoring and mapping tool based
> > > > around nmap,
> > > > which will provide a graphical representation of a network
> > > > topology and
> > > > maintain a database of information about computers in that
> > > > network.  In
> > > > essence, it will take the output of namp, run at scheduled
> > > > intervals, and
> > > > compare that data against data from previous runs to try and flag
> > > > potential security and infrastructure problems.
> > > >
> > > > The idea, at a high level is fairly simple, and in fact is a
> > > > little more
> > > > complicated than it needs to be since I'm doing this as a project to
> > > > complete my undergraduate degree in CS.  I'm writing a driver program,
> > > > which will sit on a network server somewhere, and will run nmap at
> > > > scheduled intervals on all computers in the network (which
> > > > I'm going to
> > > > try and optimize somewhat by allowing for multiple nmapping
> > > > servers in the
> > > > network so as to distribute the work as much as possible).  There will
> > > > also be a client application which will allow a user to
> > > > access this data
> > > > remotely (ideally I'm trying to create this client application to
> > > > allow users to log into the server from multiple platforms,
> > > > like PDAs and
> > > > cell phones, which might not be currently available, but when
> > > > I talked to
> > > > some network engineers in my area they said that it would be a great
> > > > feature). The client will access the data from the server program, and
> > > > create a graphical map of the network, showing any potential problem
> > > > areas. Ideally, I want to be able to flag network slowdowns
> > > > and outages,
> > > > newly enabled/disabled ports on machines, newly connected
> > > > machines (with
> > > > an eye toward being able to watch for unauthorized wireless
> > > > connections)
> > > > and things of that nature.
> > > >
> > > > My question is whether or not this seems like a usable idea?
> > > > If not, then
> > > > what seems unfeasible about the design?
> >
> > ---------------------------------------------------------------------
> > For help using this (nmap-dev) mailing list, send a blank email to
> > nmap-dev-help () insecure org . List archive: http://seclists.org
>
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to
> nmap-dev-help () insecure org . List archive: http://seclists.org

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org