Detection of Rogue Access Points

Jonathan Rogers quantumfoam at gmail.com
Thu Oct 18 21:43:55 UTC 2012


Never mind, it appears SNMP is turned off on our routers and I do not have
control over that. I can at least present this as a possible option to the
person that does. Thank you very much for your suggestions, everyone. I'm
so glad I joined this list; I've learned so much and it's great to talk to
people who like to share their knowledge and experience.

--JR

On Thu, Oct 18, 2012 at 4:21 PM, Phil Regnauld <regnauld at nsrc.org> wrote:

> Raymond Burkholder (ray) writes:
> >
> > NetDisco knows how to scan networks for mac addresses, arp addresses, ip
> > addresses, etc.  It keeps track of deltas.  It may be able to email
> > deltas or something similar.    Or run a query against the database, as I
> > seem to recall it seems to hold historical data.
>
>         Yes, NetDisco will do this, and it has a query interface for
>         looking up MAC <-> associations, and where they were last seen.
>
>         Netdot (netdot.uoregon.edu, just mentioned it in an earlier mail)
>         also offers this functionality, and stores the information in the
>         database for querying/searching.
>
> Jonathan Rogers (quantumfoam) writes:
> > I, uh...don't actually know how to do that. I've not done very much with
> > SNMP other than working with power management devices. If someone could
> > direct me to a good tutorial, that would be much appreciated.
>
>         It's probably easier to use one of the tools mentioned than to
>         start writing your own. To do that, you'd have to retrieve the L2
>         forwarding table from switches, and the ARP tables from L3 devices.
>         You have to query all active devices regularly and build/update
>         your DB from that. There are tools such as SNMP::Info
>         http://search.cpan.org/~maxb/SNMP-Info-2.01 that make this easier,
>         but still some amount of coding would be required.
>
>         It's then a matter of querying the DB, and looking for the MAC
>         addresses of suspected rogue devices, if they keep on showing up
>         (you will see many one-times that don't reappear, which also grows
>         the DB significantly over time).
>
>         Phil
>
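
The database approach described in the quoted reply, as an added example that is not part of the original thread and is not NetDisco or Netdot code: each poll's L2 forwarding and ARP entries are merged into one table, MACs outside a known inventory that keep reappearing are reported, and stale one-time sightings are pruned. The poll data, inventory, table layout and function names are all constructed for illustration; real input would come from SNMP walks of the switches and routers.

```python
import sqlite3

# Constructed sample polls: (poll time, L2 forwarding entries, ARP entries).
POLLS = [
    (1, [("00:11:22:aa:bb:01", "sw1", "Gi0/1"), ("00:11:22:aa:bb:99", "sw2", "Gi0/7")],
        [("10.0.0.5", "00:11:22:aa:bb:01"), ("10.0.0.77", "00:11:22:aa:bb:99")]),
    (2, [("00:11:22:aa:bb:01", "sw1", "Gi0/1"), ("00:11:22:aa:bb:99", "sw2", "Gi0/7"),
         ("00:11:22:aa:bb:42", "sw1", "Gi0/3")],
        [("10.0.0.5", "00:11:22:aa:bb:01")]),
    (3, [("00:11:22:aa:bb:01", "sw1", "Gi0/1"), ("00:11:22:aa:bb:99", "sw2", "Gi0/9")],
        [("10.0.0.77", "00:11:22:aa:bb:99")]),
]
KNOWN = {"00:11:22:aa:bb:01"}  # constructed inventory of authorized MACs

def build_db(polls):
    """Merge every poll into one row per MAC with first/last seen and a poll count."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE seen (mac TEXT PRIMARY KEY, first_seen INT, last_seen INT,"
               " polls INT, switch TEXT, port TEXT, ip TEXT)")
    for t, fdb, arp in polls:
        ip_of = {mac: ip for ip, mac in arp}  # join ARP (L3) onto forwarding (L2) by MAC
        for mac, switch, port in fdb:
            # Count a MAC once per poll even if several switches report it,
            # and keep the last known IP when this poll has no ARP entry.
            db.execute(
                "INSERT INTO seen VALUES (?,?,?,1,?,?,?) ON CONFLICT(mac) DO UPDATE SET"
                " polls=polls+(last_seen < excluded.last_seen),"
                " last_seen=excluded.last_seen, switch=excluded.switch,"
                " port=excluded.port, ip=COALESCE(excluded.ip, ip)",
                (mac, t, t, switch, port, ip_of.get(mac)))
    return db

def suspects(db, known, min_polls=2):
    """MACs not in the inventory that showed up in at least min_polls polls."""
    rows = db.execute("SELECT mac, polls, switch, port, ip FROM seen"
                      " WHERE polls >= ? ORDER BY mac", (min_polls,)).fetchall()
    return [r for r in rows if r[0] not in known]

def prune_one_timers(db, now, max_age):
    """Drop MACs seen in a single poll and not since, to limit DB growth."""
    cur = db.execute("DELETE FROM seen WHERE polls = 1 AND last_seen < ?",
                     (now - max_age,))
    return cur.rowcount

if __name__ == "__main__":
    db = build_db(POLLS)
    for row in suspects(db, KNOWN):
        print(row)
    print("pruned:", prune_one_timers(db, now=4, max_age=1))
```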
