nanog mailing list archives
Re: Detection of Rogue Access Points
From: Phil Regnauld <regnauld () nsrc org>
Date: Thu, 18 Oct 2012 22:21:57 +0200
Raymond Burkholder (ray) writes:
NetDisco knows how to scan networks for mac addresses, arp addresses, ip addresses, etc. It keeps track of deltas. It may be able to email deltas or something similar. Or run a query against the database, as I seem to recall it seems to hold historical data.
Yes, NetDisco will do this, and it has a query interface for looking up MAC <-> associations, and where they were last seen. Netdot (netdot.uoregon.edu, just mentioned it in an earlier mail) also offers this functionality, and stores the information in the database for querying/searching.
Jonathan Rogers (quantumfoam) writes:
I, uh...don't actually know how to do that. I've not done very much with SNMP other than working with power management devices. If someone could direct me to a good tutorial, that would be much appreciated.
It's probably easier to use one of the tools mentioned than to start writing your own. To do that, you'd have to retrieve the L2 forwarding table from switches, and the ARP tables from L3 devices. You have to query all active devices regularly and build/update your DB from that. There are tools such as SNMP::Info http://search.cpan.org/~maxb/SNMP-Info-2.01 that make this easier, but still some amount of coding would be required. It's then a matter of querying the DB, and looking for the MAC addresses of suspected rogue devices, if they keep on showing up (you will see many one-times that don't reappear, which also grows the DB significantly over time).
Phil
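The database side of the workflow described in the message above (store each poll's forwarding-table rows, then query for MACs that keep reappearing), as an added example that is not part of the original mail and is not code from NetDisco, Netdot or SNMP::Info. The poll rows, the inventory set and all function names are constructed for illustration; a real collector would fill the table from SNMP instead of the inline sample.

```python
import sqlite3

# Constructed sample: poll cycle -> (mac, switch, port) rows, standing in for
# forwarding-table data a real collector would fetch over SNMP.
POLLS = {
    1: [("00:11:22:aa:bb:01", "sw1", "Gi0/1"), ("00:11:22:aa:bb:02", "sw1", "Gi0/2"),
        ("de:ad:be:ef:00:01", "sw2", "Gi0/7"), ("02:00:00:00:00:99", "sw2", "Gi0/9")],
    2: [("0011.22aa.bb01", "sw1", "Gi0/1"), ("DEAD.BEEF.0001", "sw2", "Gi0/7")],
    3: [("00:11:22:aa:bb:02", "sw1", "Gi0/2"), ("de-ad-be-ef-00-01", "sw3", "Gi0/4"),
        ("02:00:00:00:00:aa", "sw1", "Gi0/5")],
}
KNOWN = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # hypothetical inventory

def normalize(mac):
    """Reduce any common MAC notation to lower-case colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build(polls=POLLS):
    """Load every poll cycle into an in-memory sightings table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sighting (poll INTEGER, mac TEXT, switch TEXT, port TEXT)")
    for poll, rows in polls.items():
        db.executemany("INSERT INTO sighting VALUES (?, ?, ?, ?)",
                       [(poll, normalize(m), s, p) for m, s, p in rows])
    return db

def recurring_unknown(db, known, min_polls=2):
    """MACs outside the inventory seen in at least min_polls cycles, with last location."""
    q = ("SELECT mac, COUNT(DISTINCT poll) FROM sighting GROUP BY mac "
         "HAVING COUNT(DISTINCT poll) >= ? ORDER BY mac")
    out = []
    for mac, n in db.execute(q, (min_polls,)).fetchall():
        if mac not in known:
            sw, port = db.execute("SELECT switch, port FROM sighting WHERE mac = ? "
                                  "ORDER BY poll DESC LIMIT 1", (mac,)).fetchone()
            out.append((mac, n, sw, port))
    return out

def prune_one_timers(db, before_poll):
    """Drop MACs seen in a single cycle older than before_poll; return rows deleted."""
    cur = db.execute("DELETE FROM sighting WHERE mac IN (SELECT mac FROM sighting "
                     "GROUP BY mac HAVING COUNT(DISTINCT poll) = 1 AND MAX(poll) < ?)",
                     (before_poll,))
    return cur.rowcount

if __name__ == "__main__":
    db = build()
    print(recurring_unknown(db, KNOWN))
    print("pruned", prune_one_timers(db, before_poll=3))
```

Counting distinct poll cycles rather than rows keeps a MAC that shows up on several uplink ports in one cycle from looking persistent, and pruning old single sightings addresses the database growth mentioned in the message.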