Hi Group!

On Fri, 26 Aug 2005 09:32:31 -0500 Graham Wilson <graham@xxxxxxxxx> wrote:

>
> > Is there a scanning tool out there that can determine if there are
> > unauthorized Linksys (type) routers in a specific VLAN?

I assume you have not port-locked your switches? Many managed Layer-2 switches can do that. Only allow 1-2 IP addresses per port and auto-shutdown those exceeding this limit. This way you have an automatic, continuously running monitoring (and self-punishment) of people connecting rogue switches/routers. Plus you know where (on which plug) to search for the system. Won't detect NAT-masquerading routers that have their external interface connected to the LAN, though.

A purely passive approach would be to use ARPWATCH and filter out all known MAC address headers. Easy if you have a homogeneous network (e.g. all PCs are Dell), a PITB if you are a wild mishmash (open pool at university or LAN party). You even can run this from a CRON job. And if you're really, really thorough you could inventory all your PCs (semi-automatically) and have an alert for each new MAC address that pops up.

For a scan you could run arpwatch and then ping all hosts using nmap (assuming that your network is 192.168.1.*/24 in this example):

# nmap -sP 192.168.1.0/24

Depending on your network architecture you might want to slow that down with

# nmap -T polite -sP 192.168.1.0/24

Arpwatch will do the job of collecting all ARP addresses for you.

Bye

Volker

--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@xxxxxxx
PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
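As an added example (not from Volker's message or the arpwatch project), here is a small Python script that does the "filter out the known MAC address headers" step he describes: it parses arpwatch-style syslog lines, zero-pads the MACs, and raises an alert for any station whose full MAC is not in an inventory, graded by whether its OUI is a vendor you actually buy from. The log lines, the OUI allowlist and the inventory are constructed placeholders; a real deployment would fill them from the IEEE OUI registry and your asset list.

```python
import re

# Constructed syslog lines in the style of arpwatch's "new station" and
# "changed ethernet address" messages (not real captures).
SAMPLE_LOG = """\
Aug 26 10:01:12 gw arpwatch: new station 192.168.1.20 0:14:22:1a:2b:3c eth0
Aug 26 10:02:45 gw arpwatch: new station 192.168.1.57 0:c:41:ab:cd:ef eth0
Aug 26 10:05:03 gw arpwatch: changed ethernet address 192.168.1.20 0:c:41:ab:cd:ef (0:14:22:1a:2b:3c) eth0
Aug 26 10:07:30 gw arpwatch: new station 192.168.1.99 0:14:22:9:8:7 eth0
Aug 26 10:09:11 gw arpwatch: new station 192.168.1.130 0:14:22:aa:bb:cc eth0
"""

# Assumed inventory (placeholders): OUIs of the hardware you purchase, and
# the full MACs you have actually recorded with a hostname.
KNOWN_OUIS = {"00:14:22"}
INVENTORY = {"00:14:22:1a:2b:3c": "pc-lab-20", "00:14:22:09:08:07": "pc-lab-99"}

NEW_RE = re.compile(r"arpwatch: new station (\S+) (\S+) (\S+)")
CHG_RE = re.compile(r"arpwatch: changed ethernet address (\S+) (\S+) \((\S+)\) (\S+)")


def normalize_mac(mac):
    """arpwatch prints octets without leading zeros; pad to aa:bb:cc:dd:ee:ff."""
    return ":".join(o.zfill(2).lower() for o in mac.split(":"))


def oui(mac):
    """First three octets of a normalized MAC, i.e. the vendor prefix."""
    return mac[:8]


def audit(log_text, known_ouis, inventory):
    """Return (severity, message) alerts for stations not explained by the inventory."""
    alerts = []
    for line in log_text.splitlines():
        m = NEW_RE.search(line)
        if m:
            ip, mac, iface = m.group(1), normalize_mac(m.group(2)), m.group(3)
            if mac in inventory:
                continue  # known box, nothing to report
            if oui(mac) in known_ouis:
                alerts.append(("info", f"{ip} {mac} on {iface}: known vendor, not in inventory"))
            else:
                alerts.append(("warn", f"{ip} {mac} on {iface}: unknown vendor OUI {oui(mac)}"))
            continue
        m = CHG_RE.search(line)
        if m:
            ip, new, old, iface = m.group(1), normalize_mac(m.group(2)), normalize_mac(m.group(3)), m.group(4)
            # An address changing hands is how a rogue router or a second device on the same IP shows up.
            alerts.append(("warn", f"{ip} on {iface} moved from {old} to {new}: possible rogue device taking over an address"))
    return alerts


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG, KNOWN_OUIS, INVENTORY):
        print(f"[{severity}] {message}")
```

Run it from cron against the syslog file arpwatch writes to and mail the output; the "info" tier is what the inventory step in the message above is meant to eliminate over time.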