RE: generating a network map

From: Alex Arndt (aarndt@rogers.com)
Date: Sun Jun 19 2005 - 11:51:28 EDT


Comments in-line below...

> -----Original Message-----
> From: Talha [mailto:tt83x@yahoo.com]
> Sent: June 18, 2005 1:31 AM
> To: pen-test@securityfocus.com
> Subject: generating a network map
>
>
> Hello there,
> I am looking for software that can generate or
> reconstruct a network topology from raw data obtained
> from live network capturing or offline tcpdump capture
> files.
>
Sounds to me like you want to build a passive network
map, and avoid doing active network discovery that might
be picked off by your client's security team (this is
the pen-test list, after all).

> Also if there's any utility (preferably open source)
> that can generate a network map from nmap logs.
>

Wait, you just mentioned nmap logs. That's active
scanning. If you aren't worried about tipping off
anyone by using an active method, there are several
options (some of which have already been mentioned).

Here's a few ideas, with links:

Ipswitch WhatsUp Pro (topology from active network
discovery)
http://www.ipswitch.com/Products/WhatsUp/professional/
NOTE: 30-day trial available

Cheops (topology from active discovery)
http://www.marko.net/cheops/
NOTE: multiple issues identified by other posters

Etherape (topology from passive monitoring)
http://etherape.sourceforge.net/
NOTE: Good choice, but requires direct access to
monitor network. (Good luck getting a clandestine
TAP and Etherape box onto the network...)

If you don't mind building your topology yourself,
using the data you collected via pcap, then here's
a suggested methodology. It assumes that you've
collected a substantial amount of pcap from hosts
internal to the network.

Replay all the pcap files through p0f (get it at
http://lcamtuf.coredump.cx/p0f.shtml) to generate
a list of probable OS installs at the recorded IP
addresses.

Given that you'll now have an OS to IP map of the
network, you in essence have a non-visual network
topology. If pictures are important, you could
manually construct the network diagram or write a
PERL script to do it for you (as per the suggestion
from Nathan Einwechter). Sounds almost like a new
spin on Cheops...

> any help will be highly appreciated
>
I hope this does.

Alex Arndt
CISSP, GCIA, GCIH

"Within all order is the potential for chaos..."
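
The methodology in the message above (p0f output to an OS-to-IP map, then a script that draws the diagram), as an added example that is not part of the original post or of p0f. It assumes pipe-delimited key=value log lines in the style of a p0f v3 log file and "???" as the no-match marker; the sample lines are constructed, the function names are hypothetical, and the use of the dist field and /24 grouping goes beyond what the message describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the style of a p0f v3 log file; not real capture data.
SAMPLE_LOG = """\
[2012/01/04 10:26:14] mod=syn|cli=10.0.1.15/41022|srv=10.0.2.10/80|subj=cli|os=Linux 2.6.x|dist=0|params=none
[2012/01/04 10:26:14] mod=syn+ack|cli=10.0.1.15/41022|srv=10.0.2.10/80|subj=srv|os=Windows XP|dist=1|params=none
[2012/01/04 10:26:20] mod=syn|cli=10.0.1.20/1045|srv=10.0.2.10/80|subj=cli|os=Windows XP|dist=0|params=none
[2012/01/04 10:28:43] mod=syn|cli=10.0.1.20/1046|srv=10.0.2.10/80|subj=cli|os=Linux 2.6.x|dist=0|params=none
[2012/01/04 10:29:25] mod=mtu|cli=10.0.1.15/41022|srv=10.0.2.10/80|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2012/01/04 10:30:13] mod=syn|cli=10.0.3.7/5001|srv=10.0.2.10/22|subj=cli|os=???|dist=2|params=none
"""

def parse_p0f_log(text):
    """Return {ip: {"os": set of OS guesses, "dist": lowest hop distance seen}}."""
    hosts = defaultdict(lambda: {"os": set(), "dist": None})
    for line in text.splitlines():
        rest = line.partition("] ")[2]  # drop the "[timestamp] " prefix
        f = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
        # subj names the endpoint field (cli or srv) that the OS guess describes;
        # records without an os field (mtu, uptime, ...) are skipped.
        if "os" not in f or f.get("subj") not in f:
            continue
        ip = f[f["subj"]].rsplit("/", 1)[0]
        host = hosts[ip]
        if f["os"] != "???":  # assumed marker for "no signature matched"
            host["os"].add(f["os"])
        if f.get("dist", "").isdigit():
            d = int(f["dist"])
            host["dist"] = d if host["dist"] is None else min(host["dist"], d)
    return dict(hosts)

def to_dot(hosts, prefix_len=24):
    """Render hosts as Graphviz DOT, one cluster per subnet of prefix_len bits."""
    subnets = defaultdict(list)
    for ip in hosts:
        subnets[str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))].append(ip)
    out = ["graph network {", '  sensor [shape=box, label="capture point"];']
    for i, net in enumerate(sorted(subnets)):
        out.append(f'  subgraph cluster_{i} {{ label="{net}";')
        for ip in sorted(subnets[net], key=ipaddress.ip_address):
            h = hosts[ip]
            os_label = " / ".join(sorted(h["os"])) or "unknown"
            note = " (several OS guesses: NAT or multi-boot?)" if len(h["os"]) > 1 else ""
            out.append(f'    "{ip}" [label="{ip}\\n{os_label}{note}"];')
        out.append("  }")
    for ip, h in sorted(hosts.items()):
        if h["dist"] is not None:  # hop count as seen from the capture point
            out.append(f'  sensor -- "{ip}" [label="{h["dist"]} hops"];')
    out.append("}")
    return "\n".join(out)
```

Passing the string returned by to_dot(parse_p0f_log(...)) to Graphviz (for example `dot -Tpng`) produces the picture.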


