Re: Detection of Rogue Access Points

[Phil Regnauld <regnauld () nsrc org>]

Raymond Burkholder (ray) writes:
> NetDisco knows how to scan networks for mac addresses, arp addresses, ip
> addresses, etc.  It keeps track of deltas.  It may have be able to email
> deltas or something similar.    Or run a query against the database, as I
> seem to recall it seems to hold historical data.

        Yes, NetDisco will do this, and it has query interface for looking
        up MAC <-> associations, and where they were last seen.

        Netdot (netdot.uoregon.edu, just mentioned it in an earlier mail) also
        offers this functionality, and stores the information in the database for
        querying/searching.

Jonathan Rogers (quantumfoam) writes:
> I, uh...don't actually know how to do that. I've not done very much with
> SNMP other than working with power management devices. If someone could
> direct me to a good tutorial, that would be much appreciated.

        It's probably easier to use one of the tools mentioned than to start
        writing your own. To do that, you'd have to retrieve the L2 
        forwarding table from switches, and the ARP tables from L3 devices.
        You have to query all active devices regularly and build/update your DB
        from that. There are tools such as SNMP::Info
        http://search.cpan.org/~maxb/SNMP-Info-2.01 that make this easier,
        but still some amount of coding would be required.

        It's then a matter of querying the DB, and looking for the MAC addresses
        of suspected rogue devices, if they keep on showing up (you will see many
        one-times that don't reappear, which also grows the DB significantly over
        time).

        Phil