Recommendations for network discovery?

 
 
bobmct
Guest
Posts: n/a

 
      08-26-2006, 12:40 PM
I am about to undertake a task making sense of a client with 19 servers,
100+ desktops, 9 physical subnets and 3 locations. Under these
circumstances I think I should use the help of a network discovery and
mapping tool.

Can anyone recommend any that they have used that did a respectable job
and that they would definitely use again?

TIA for any advice!

 
 
 
 
 
Moe Trin
Guest
Posts: n/a

 
      08-26-2006, 07:16 PM
On Sat, 26 Aug 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <VfXHg.3$(E-Mail Removed)>, bobmct wrote:

>I am about to undertake a task making sense of a client with 19 servers,
>100+ desktops, 9 physical subnets and 3 locations. Under these
>circumstances I think I should use the help of a network discovery and
>mapping tool.


The problem is a bit too generic. Where are you - on-site? At each site?
Elsewhere? What firewall is in use? How are the sites connected? How
paranoid was the guy who set it up in the first place? What O/S are they
running? What topology are they using - 10Base5, Token Ring, Gigabit
fiber? When you say "make sense of a client", what does that mean?

>Can anyone recommend any that they have used that did a respectable job
>and that they would definitely use again?


While nmap may be very useful (likewise tcpdump, tcptraceroute, hping2,
arping, and even netcat), one size does not fit all. Start with the
topology - 10Base[25], 10BaseT using hubs, or Token ring would allow use
of a packet sniffer to identify systems, and perhaps network layout. On
the other hand, fiber, or a switched topology would benefit most from
looking at the switch itself.

Old guy
 
 
bobmct
Guest
Posts: n/a

 
      08-27-2006, 02:08 AM
Moe Trin wrote:

> On Sat, 26 Aug 2006, in the Usenet newsgroup comp.os.linux.networking, in
> article <VfXHg.3$(E-Mail Removed)>, bobmct wrote:
>
>>I am about to undertake a task making sense of a client with 19 servers,
>>100+ desktops, 9 physical subnets and 3 locations. Under these
>>circumstances I think I should use the help of a network discovery and
>>mapping tool.

>
> The problem is a bit too generic. Where are you - on-site? At each site?
> Elsewhere? What firewall is in use? How are the sites connected? How
> paranoid was the guy who set it up in the first place? What O/S are they
> running? What topology are they using - 10Base5, Token Ring, Gigabit
> fiber? When you say "make sense of a client", what does that mean?
>
>>Can anyone recommend any that they have used that did a respectable job
>>and that they would definitely use again?

>
> While nmap may be very useful (likewise tcpdump, tcptraceroute, hping2,
> arping, and even netcat), one size does not fit all. Start with the
> topology - 10Base[25], 10BaseT using hubs, or Token ring would allow use
> of a packet sniffer to identify systems, and perhaps network layout. On
> the other hand, fiber, or a switched topology would benefit most from
> looking at the switch itself.
>
> Old guy


Thanks Moe (Old guy) Trin;

This discovery will be run from within the network and then from any other
point deemed necessary. ALL the servers are some flavor of Linux and most
desktops use LTSP. There are only a handful of diehard XP desktop/notebook
users to be considered. Firewall is iptables run on the main linux router
box.

What I was hoping/looking for was a tool similar to those available in the
Windoze world that do a pretty good job of finding everything and trying to
determine what it found and not only creating a detailed list but also has
the ability to create graphic diagrams, etc.

I am not opposed to using an XP laptop with such a utility running connected
temporarily to the network but I would prefer a non-win solution.

Does this help you understand what I am trying to accomplish a little
better?

Bob
 
 
Menno Duursma
Guest
Posts: n/a

 
      08-27-2006, 12:01 PM
On Sat, 26 Aug 2006 08:40:21 -0400, bobmct wrote:

> I am about to undertake a task making sense of a client with 19 servers,
> 100+ desktops, 9 physical subnets and 3 locations. Under these
> circumstances I think I should use the help of a network discovery and
> mapping tool.
>
> Can anyone recommend any that they have used that did a respectable job
> and that they would definitely use again?
>
> TIA for any advice!


Apart from utilities such as the ones Moe Trin suggested:

OpenNMS http://www.howtoforge.com/opennms_network_management
EtherApe http://etherape.sourceforge.net/

-Menno.

 
 
Moe Trin
Guest
Posts: n/a

 
      08-27-2006, 09:03 PM
On Sat, 26 Aug 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <I57Ig.4$(E-Mail Removed)>, bobmct wrote:

>This discovery will be run from within the network and then from any other
>point deemed necessary. ALL the servers are some flavor of Linux and most
>desktops use LTSP.


OK - I'm not using LTSP, so my answers are a bit on the simple side. First
step I'd do is to log into each server, and run a few commands:

/bin/uname -a
/bin/cat /etc/*release /etc/*version
/sbin/ifconfig -a
/sbin/route -n
/sbin/iptables -L
/bin/cat /etc/hosts.allow
/bin/cat /etc/hosts.deny (which needs only one line saying "ALL: ALL")
/bin/netstat -tupan

If the systems are using DNS (/etc/resolv.conf), see what the domain files
are on the name server. If running NIS, look at the NIS host files. I'd
look _VERY_ closely at what the boot servers (BOOTP and tftp) are doing (dynamic
host configuration has always been a security risk, and TFTP isn't much
better). Depending on which super server (inetd or xinetd) the server is
running, I'd next investigate that.

>There are only a handful of diehard XP desktop/notebook users to be
>considered.


As the Queen of Hearts says "Off with their heads!!!"

I haven't had to worry about windoze since the early 1990s, but a good
nmap scan of these boxes might be helpful. A possible problem is these
boxes running some form of "personal firewall" - whether the one that
comes with XP, or one of the dozens of others that exist out there. The
problem is that an nmap scan may trigger the firewall into a "block
everything from that IP address that is ATTACKING me!!!" mode.

>Firewall is iptables run on the main linux router box.


Make sure (the /sbin/iptables -L command) that the individual servers are
not running a firewall as well. I _would_ expect this if the original
installer had his head out of where-ever, and that could confuse things.

>What I was hoping/looking for was a tool similar to those available in the
>Windoze world that do a pretty good job of finding everything and trying to
>determine what it found and not only creating a detailed list but also has
>the ability to create graphic diagrams, etc.


nmap should do that, but I'm not into the graphical stuff.

As regards the desktops (depending on the paranoia level), I'd do a physical
inspection to see that the devices are indeed lacking removable media
capability (no floppy/CD/USB), and that they are lacking a hard drive.
_IF_ that's the case, they can't do that much, as everything is done on the
compute servers, and the desktops are little more than a keyboard and
display. A very aggressive and full nmap scan of the desktop addresses
_should_ show nothing open. If there _is_ a hard drive (why), what's on
it? If there are removable media devices (again, why) things get a bit more
complicated.

>I am not opposed to using an XP laptop with such a utility running connected
>temporarily to the network but I would prefer a non-win solution.


Use what you are comfortable with. I'd prefer actually looking at the
hardware and reading the configuration files, as this uncovers a lot more.
An example - no matter what network scanning tool you use, it is HIGHLY
unlikely that you'd find the SSH server running on this box. That's because
it's not running on the default port, and you need to "knock" at a specific
closed port and then connect to the (otherwise closed) port where the
server is hiding within 60 seconds from the same IP address. To avoid scans,
there are trip-ports located on either side of the server port, and if you
manage to hit the knock port, and accidentally hit one of the trip ports,
the server port closes. Thus, without knowing the "right" sequence of
ports to stroke (and being closed, all they send is a RST), the scanner
can't even _find_ the server, though looking at the script that starts
the firewall would give strong hints to a knowledgeable person to investigate
a lot further. (To those who might bleat "security through obscurity", note
that I didn't discuss the authentication mechanisms needed once you _find_
the server port.)

On the other hand, don't ignore the network scan, lest you miss some box
setting in the closet, or under someone's desk that everyone has forgotten.
Using tcpdump on a host at each local network segment, look at the MAC
addresses seen. Can you account for every one of those?

Old guy
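
The MAC-address accounting suggested in the post above, as an added example that is not part of the original thread: a shell function that reads the text printed by "tcpdump -e -n" and lists every source MAC missing from an inventory file, with its frame count. The inventory format, the interface name in the comment and the sample frames are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): source MACs seen on a segment that
# are absent from a hand-maintained inventory.
# Capture text comes from e.g.:  tcpdump -e -n -i eth0 -c 5000 > seg1.txt
# Inventory format (an assumption): "MAC label", one per line, # comments.
unknown_macs() {    # usage: unknown_macs INVENTORY < capture.txt
    [ -r "$1" ] || { echo "cannot read inventory: $1" >&2; return 2; }
    awk -v inv="$1" '
        function is_mac(m,   p, n, i) {
            n = split(m, p, ":")
            if (n != 6) return 0
            for (i = 1; i <= 6; i++)
                if (p[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
            return 1
        }
        BEGIN {
            while ((getline line < inv) > 0) {
                sub(/#.*/, "", line)
                split(line, f, " ")
                if (is_mac(tolower(f[1]))) known[tolower(f[1])] = 1
            }
        }
        {
            # tcpdump -e prints "SRC > DST, ethertype ..."; find SRC wherever
            # it sits so lines with or without a timestamp both parse.
            for (i = 1; i < NF; i++)
                if ($(i + 1) == ">" && is_mac(tolower($i))) {
                    seen[tolower($i)]++
                    break
                }
        }
        END {
            for (m in seen)
                if (!(m in known)) print m, seen[m]
        }
    ' | sort
}

demo() {    # constructed inventory and frames, not a real capture
    inv=$(mktemp)
    printf '%s\n' '# segment 1' '02:00:00:00:00:0A router' '02:00:00:00:00:0b ltsp-server' > "$inv"
    unknown_macs "$inv" <<'EOF'
12:00:01.000001 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.1, length 46
12:00:01.200000 02:00:00:00:00:0b > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 74: 192.0.2.2.40000 > 192.0.2.1.53: UDP, length 32
12:00:02.000000 02:00:00:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.99, length 46
02:00:00:00:00:FE > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 98: 192.0.2.99 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
EOF
    rm -f "$inv"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it once per local segment, since a capture only sees the frames that reach the capturing host; each MAC it prints is a device to trace back to a switch port or a desk.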
 
 
bobmct
Guest
Posts: n/a

 
      08-28-2006, 02:39 AM
Moe Trin wrote:

>
> On the other hand, don't ignore the network scan, lest you miss some box
> setting in the closet, or under someone's desk that everyone has
> forgotten. Using tcpdump on a host at each local network segment, look at
> the MAC addresses seen. Can you account for every one of those?
>
> Old guy


Thanks for your help and advice Moe. Help like yours is greatly
appreciated.

Bob (another Old Guy)


 
 
 
 