Nmap Development mailing list archives

Re: Nmap Soc Ideas


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 27 Mar 2009 05:45:02 +0000


On Thu, 26 Mar 2009 22:33:13 -0700 or thereabouts Ravipriya Thushara
<rthushara () gmail com> wrote:

> I haven't a good passive sniffer yet. Even if there is one, I don't
> think it'll generate an XML file in a format Zenmap can understand.
> So I think writing such a tool, a packet sniffer that can detect and
> understand network topology and write it to an XML file Zenmap can
> understand, will be a good idea. It'll be a separate tool and can
> help Zenmap in discovering network topologies. As it'll be an
> external and separate tool from Nmap, it'll be easy to develop. I'm
> waiting to hear from you about my idea.


It can be really difficult to map out an accurate representation of a
network's topology from just a single vantage point.

From most points the world looks flat.  Sniffing on an edge VLAN is
really only going to tell you about the local hosts.  Even then, in a
switched network you're likely to only see IGMP, ARP, STP, BootP/DHCP,
broadcast, and multicast traffic.

If you were to sniff at a peering point you'd certainly see a lot of
traffic but understanding how those hosts are interconnected would
still be very hard.  Passively observing routing protocols like OSPF
and BGP would reveal some of the structure of the network but wouldn't
tell you much about the end-hosts.

You might think about leveraging a combination of protocols such as
CDP, SNMP, and NetFlow to construct a network map and general usage.
This, of course, would be active probing and not passive sniffing.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

