ArpWatch should perform all of these requirements successfully. It is a program that is built into RedHat and is very configurable. You should be able to download it at www.redhat.com or www.rpmfind.net.

-Andrew

Andrew H. Turner <[EMAIL PROTECTED]>
703.284.4771
Pager: 877.580.7432
BBN Technologies, a Verizon company
1300 N. 17th Street, Suite 1200
Arlington, Virginia 22209

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 09, 2001 9:02 PM
To: Crawford, Randy
Cc: [EMAIL PROTECTED]
Subject: Re: Detecting New Connections to the Network

On Thu, Sep 06, 2001 at 05:21:32PM -0500, Crawford, Randy wrote:
> With respect to disparate devices/platforms spread out over 13,000 nodes,
> 700 switches, and 40 routers (Alcatel gear), what's the best way to attempt
> an inventory of active MAC addresses and determining new connections to the
> network? We're being told that the Network Management tool (OmniVista)
> can't do this. Additionally, we're being told that this can't be done
> period, there are no available tools, and that no one of similar size and
> complexity can do this. At the end of the day we simply want to inventory
> what nodes/ports should be active and what device should be behind the
> connection in order to detect new and/or unauthorized devices/connections.
> All recommendations appreciated!

During the day, I'm the Cyber Security Operations Manager for a .gov site. I wrote a little tool about a year ago that does just what you need, mostly. I grab the ARP tables from all the routers every 10 minutes, parse the output, and compare them to a mysql database that holds all the MAC/IP combos, and then it emails us if either the MAC/IP combo changes (which happens with DHCP), or any new IPs. This only works if the machine is chattering on the network, and hits a router, though.

This is what we see when we get a new machine:

    Subject: [Netmon] : 1 New Machine(s) Detected!
    From: Network Monitor Account <[EMAIL PROTECTED]>
    Date: Sun, 09 Sep 2001 15:01:46 -0400

    0010.a391.d545  xxx.xxx.xxx.246  dh06.xxx.xxx.xxx  NIC=XIRCOM

This is a changed MAC/IP pair:

    Subject: [Netmon] : 1 IP Change(s)
    From: Network Monitor Account <[EMAIL PROTECTED]>
    Date: Sun, 09 Sep 2001 15:31:56 -0400

    MAC Address:    New IP:          Name:
    ------------    -------          -----
    0000.c4eb.45de  xxx.xxx.xxx.241  dh01.xxx.xxx.xxx
      (old: xxx.xxx.xxx.214  dh37.xxx.xxx.xxx)

There are some problems, like multi-homed machines, non-IP based machines, etc., but it works well so far. We log the current stuff in the database, and require that the new machines visit a web page within 30 minutes of plugging into the network, and we turn them off if the new or modified record is not flagged as registered.

Tim

-- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home)               >< Coastal Internet, Inc.        <<
>> Network and Systems Operations     >< PO Box 671                    <<
>> http://www.buoy.com                >< Ridge, NY 11961               <<
>> [EMAIL PROTECTED] [EMAIL PROTECTED] >< (631) 924-3728                <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
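The poll-parse-compare loop Tim describes, written out as an added example; this is not Tim's tool and not code from the list. It assumes Cisco IOS style "show ip arp" output (the post never names the router platform; the format is chosen because the dotted MAC notation in the alerts matches it), uses constructed sample output with RFC 5737 test addresses, and keeps the known MAC/IP inventory in an in-memory dict standing in for the mysql table. It goes a little beyond the post by tracking a set of IPs per MAC, so a multi-homed host is reported once rather than flapping every cycle, and by skipping "Incomplete" ARP rows that have no hardware address yet.

```python
import re
from collections import defaultdict

# One Cisco IOS style "show ip arp" row (assumed format, see lead-in).
# Age is minutes or "-" for the router's own interface addresses.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?:\d+|-)\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+ARPA\b",
    re.IGNORECASE,
)

# Constructed sample output from two routers (not real captures).
ROUTER_A = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  192.0.2.246             5   0010.a391.d545  ARPA   FastEthernet0/0
Internet  192.0.2.250             0   Incomplete      ARPA
"""
ROUTER_B = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  198.51.100.241         12   0000.c4eb.45de  ARPA   FastEthernet0/1
Internet  198.51.100.17           3   0000.c4eb.45de  ARPA   FastEthernet0/1
"""

# Known inventory (constructed): stand-in for the mysql table, mac -> {ips}.
INVENTORY = {
    "0000.0c07.ac01": {"192.0.2.1"},
    "0000.c4eb.45de": {"198.51.100.214"},
}
# MACs whose owners have completed the registration web page.
REGISTERED = {"0000.0c07.ac01", "0000.c4eb.45de"}


def parse_arp_table(text):
    """Return {mac: set(ips)} for every complete ARPA entry in one router's
    output. Rows showing 'Incomplete' instead of a MAC are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("mac").lower()].add(m.group("ip"))
    return dict(table)


def merge_tables(*tables):
    """Union per-router tables; a MAC seen with several IPs (multi-homed, or a
    host that moved between subnets) keeps all of them."""
    merged = defaultdict(set)
    for t in tables:
        for mac, ips in t.items():
            merged[mac] |= ips
    return dict(merged)


def compare(inventory, current):
    """Return (new_hosts, ip_changes): MACs never seen before, and MACs whose
    IP set differs from the inventory as (old_ips, new_ips)."""
    new_hosts, ip_changes = {}, {}
    for mac, ips in current.items():
        if mac not in inventory:
            new_hosts[mac] = ips
        elif inventory[mac] != ips:
            ip_changes[mac] = (inventory[mac], ips)
    return new_hosts, ip_changes


def unregistered(new_hosts, ip_changes, registered):
    """MACs whose new or changed record is not flagged as registered: the set
    the post's 30-minute rule would switch off."""
    return sorted((set(new_hosts) | set(ip_changes)) - registered)


def format_report(new_hosts, ip_changes):
    """Render the two alert shapes shown in the post."""
    lines = []
    if new_hosts:
        lines.append(f"[Netmon] : {len(new_hosts)} New Machine(s) Detected!")
        for mac in sorted(new_hosts):
            lines.append(f"  {mac}  {', '.join(sorted(new_hosts[mac]))}")
    if ip_changes:
        lines.append(f"[Netmon] : {len(ip_changes)} IP Change(s)")
        for mac, (old, new) in sorted(ip_changes.items()):
            lines.append(f"  {mac}  new: {', '.join(sorted(new))}"
                         f"  (old: {', '.join(sorted(old))})")
    return "\n".join(lines)


def run_cycle(inventory, registered, *router_outputs):
    """One 10-minute poll: parse every router, merge, diff, flag unregistered."""
    current = merge_tables(*(parse_arp_table(o) for o in router_outputs))
    new_hosts, ip_changes = compare(inventory, current)
    return new_hosts, ip_changes, unregistered(new_hosts, ip_changes, registered)


if __name__ == "__main__":
    new_hosts, ip_changes, to_disable = run_cycle(INVENTORY, REGISTERED, ROUTER_A, ROUTER_B)
    print(format_report(new_hosts, ip_changes))
    print("not registered:", to_disable)
```

In a real deployment the router outputs would come from a scheduled SSH or SNMP poll and the inventory from the database, with the inventory updated after each cycle so a host is only reported once; the comparison logic stays the same.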
