Detection of Rogue Access Points

Phil Regnauld regnauld at nsrc.org
Thu Oct 18 20:21:57 UTC 2012


Raymond Burkholder (ray) writes:
> 
> NetDisco knows how to scan networks for mac addresses, arp addresses, ip
> addresses, etc.  It keeps track of deltas.  It may have be able to email
> deltas or something similar.    Or run a query against the database, as I
> seem to recall it seems to hold historical data.

	Yes, NetDisco will do this, and it has query interface for looking
	up MAC <-> associations, and where they were last seen.

	Netdot (netdot.uoregon.edu, just mentioned it in an earlier mail) also
	offers this functionality, and stores the information in the database for
	querying/searching.

Jonathan Rogers (quantumfoam) writes:
> I, uh...don't actually know how to do that. I've not done very much with
> SNMP other than working with power management devices. If someone could
> direct me to a good tutorial, that would be much appreciated.

	It's probably easier to use one of the tools mentioned than to start
	writing your own. To do that, you'd have to retrieve the L2 
	forwarding table from switches, and the ARP tables from L3 devices.
	You have to query all active devices regularly and build/update your DB
	from that. There are tools such as SNMP::Info
	http://search.cpan.org/~maxb/SNMP-Info-2.01 that make this easier,
	but still some amount of coding would be required.

	It's then a matter of querying the DB, and looking for the MAC addresses
	of suspected rogue devices, if they keep on showing up (you will see many
	one-times that don't reappear, which also grows the DB significantly over
	time).

	Phil



More information about the NANOG mailing list