Re: Scan for "outsider" Pcs on network

On Fri, Mar 17, 2006 at 02:41:10PM -0800, Kurt Buff wrote:
On 2 Mar 2006 23:47:59 -0000, dhamm@xxxxxxxxxxxxxxxxxx
<dhamm@xxxxxxxxxxxxxxxxxx> wrote:
Is there a way to setup a scan and be notified of an
intruding pc that is physically plugged into the network?

Just one suggestion:

Write a script that visits all of your switches/routers and gets their
tables of pairs of ports and MAC addresses, then dump them into a
database. Schedule it to do this periodically, say every 5-10 minutes.
Kind of a roll-your-own distributed arpwatch, but it's what I'm doing
by hand for our 6 48-port Cisco switches. Unfortunately, I don't have
the scripting knowledge (Expect? PERL? Something else? SNMP, telnet or
maybe some other query method?) to do this, though I know people have
done it.

And, of course, the obligatory plea to share if you have such a script.


Just to mention : netdisco

Netdisco is an Open Source web-based network management tool.

Designed for moderate to large networks, configuration information and
connection data for network devices are retrieved by SNMP. With Netdisco
you can locate the switch port of an end-user system by IP or MAC address.
Data is stored using a SQL database for scalability and speed.
Cisco Discovery Protocol (CDP) optionally provides automatic discovery of
the network topology. The network is inventoried by both device model and
operating system (like IOS). Netdisco uses router ARP tables and L2 switch
MAC forwarding tables to locate nodes on physical ports and track them by
their IP addresses. For each node, a time stamped history of the ports it
has visited and the IP addresses it has used is maintained. Netdisco gets
all its data, including CDP topology information, with SNMP polls and DNS
queries. It does not use CLI access and has no need for privilege
passwords. Security features include a wire-side Wireless Access Point (AP)

Best regards.

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.