nanog mailing list archives

Re: Detection of Rogue Access Points


From: Jonathan Rogers <quantumfoam () gmail com>
Date: Thu, 18 Oct 2012 17:43:55 -0400

Never mind, it appears SNMP is turned off on our routers and I do not have
control over that. I can at least present this as a possible option to the
person that does. Thank you very much for your suggestions, everyone. I'm
so glad I joined this list; I've learned so much and it's great to talk to
people who like to share their knowledge and experience.

--JR

On Thu, Oct 18, 2012 at 4:21 PM, Phil Regnauld <regnauld () nsrc org> wrote:

Raymond Burkholder (ray) writes:

NetDisco knows how to scan networks for mac addresses, arp addresses, ip
addresses, etc. It keeps track of deltas. It may be able to email
deltas or something similar. Or run a query against the database, as I
seem to recall it seems to hold historical data.

        Yes, NetDisco will do this, and it has a query interface for looking
        up MAC <-> associations, and where they were last seen.

        Netdot (netdot.uoregon.edu, just mentioned it in an earlier mail) also
        offers this functionality, and stores the information in the database for
        querying/searching.

Jonathan Rogers (quantumfoam) writes:
I, uh...don't actually know how to do that. I've not done very much with
SNMP other than working with power management devices. If someone could
direct me to a good tutorial, that would be much appreciated.

        It's probably easier to use one of the tools mentioned than to start
        writing your own. To do that, you'd have to retrieve the L2
        forwarding table from switches, and the ARP tables from L3 devices.
        You have to query all active devices regularly and build/update your DB
        from that. There are tools such as SNMP::Info
        http://search.cpan.org/~maxb/SNMP-Info-2.01 that make this easier,
        but still some amount of coding would be required.

        It's then a matter of querying the DB, and looking for the MAC addresses
        of suspected rogue devices, if they keep on showing up (you will see many
        one-times that don't reappear, which also grows the DB significantly over
        time).

        Phil
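The poll-and-query loop Phil sketches above, as an added example that is not part of the thread and is not NetDisco, Netdot or SNMP::Info code. It parses `snmpwalk -On` (numeric OID) output for BRIDGE-MIB dot1dTpFdbPort (switch L2 forwarding table) and IP-MIB ipNetToMediaPhysAddress (router ARP table), records each sighting in SQLite, reports unknown MACs that keep reappearing, and prunes the one-off entries that would otherwise grow the database. The walk lines, the device names sw1 and rtr1, the MACs and the "known" inventory are constructed sample data.

```python
"""Added example (not from the thread, and not NetDisco/Netdot code): the poll-and-query
loop Phil describes, built from SNMP walk output.  Assumes `snmpwalk -On` (numeric OID)
formatting; the walk lines, device names and MACs below are constructed sample data."""
import re
import sqlite3

FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2"  # BRIDGE-MIB dot1dTpFdbPort: index = MAC as 6 decimal octets
ARP_PHYS_OID = ".1.3.6.1.2.1.4.22.1.2"    # IP-MIB ipNetToMediaPhysAddress: index = ifIndex.ipv4

FDB_RE = re.compile(re.escape(FDB_PORT_OID) + r"\.((?:\d{1,3}\.){5}\d{1,3}) = INTEGER: (\d+)$")
ARP_RE = re.compile(re.escape(ARP_PHYS_OID) + r"\.(\d+)\.((?:\d{1,3}\.){3}\d{1,3})"
                    r" = Hex-STRING: ((?:[0-9A-Fa-f]{2}\s*){6})$")


def parse_fdb_walk(lines):
    """(mac, bridge_port) pairs from a dot1dTpFdbPort walk; non-matching lines are skipped."""
    out = []
    for line in lines:
        m = FDB_RE.match(line.strip())
        if m:
            out.append((":".join(f"{int(o):02x}" for o in m.group(1).split(".")), int(m.group(2))))
    return out

def parse_arp_walk(lines):
    """(ip, mac) pairs from an ipNetToMediaPhysAddress walk, MAC normalised to lower-case colon form."""
    out = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            out.append((m.group(2), ":".join(b.lower() for b in m.group(3).split())))
    return out

class SightingDB:
    """One row per sighting: port is set for switch FDB rows, ip is set for router ARP rows."""

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute("CREATE TABLE IF NOT EXISTS sighting "
                          "(poll INTEGER, device TEXT, mac TEXT, port INTEGER, ip TEXT)")

    def record_fdb(self, poll, switch, entries):
        self.conn.executemany("INSERT INTO sighting VALUES (?,?,?,?,NULL)",
                              [(poll, switch, mac, port) for mac, port in entries])

    def record_arp(self, poll, router, entries):
        self.conn.executemany("INSERT INTO sighting VALUES (?,?,?,NULL,?)",
                              [(poll, router, mac, ip) for ip, mac in entries])

    def suspects(self, min_polls, known_macs):
        """Unknown MACs seen in >= min_polls distinct polls, with the last switch port and IP seen."""
        rows = self.conn.execute(
            "SELECT mac, COUNT(DISTINCT poll), MAX(poll) FROM sighting "
            "GROUP BY mac HAVING COUNT(DISTINCT poll) >= ? ORDER BY mac", (min_polls,)).fetchall()
        result = []
        for mac, polls, last_poll in rows:
            if mac in known_macs:
                continue
            port = self.conn.execute("SELECT device, port FROM sighting WHERE mac=? AND port IS NOT NULL"
                                     " ORDER BY poll DESC LIMIT 1", (mac,)).fetchone()
            ip = self.conn.execute("SELECT ip FROM sighting WHERE mac=? AND ip IS NOT NULL"
                                   " ORDER BY poll DESC LIMIT 1", (mac,)).fetchone()
            result.append({"mac": mac, "polls": polls, "last_poll": last_poll,
                           "switch_port": port, "ip": ip[0] if ip else None})
        return result

    def prune_one_timers(self, before_poll):
        """Drop MACs seen in a single poll older than before_poll (the one-offs that bloat the DB)."""
        cur = self.conn.execute(
            "DELETE FROM sighting WHERE mac IN (SELECT mac FROM sighting GROUP BY mac "
            "HAVING COUNT(DISTINCT poll) = 1 AND MAX(poll) < ?)", (before_poll,))
        return cur.rowcount

# Constructed walks for three polls of switch sw1 and router rtr1.  dc:a6:32:01:02:03 keeps
# coming back on changing ports; f0:9f:c2:11:22:33 appears once and never again.
FDB = {1: [f"{FDB_PORT_OID}.0.26.43.60.77.94 = INTEGER: 12", f"{FDB_PORT_OID}.0.80.86.170.187.204 = INTEGER: 3",
           f"{FDB_PORT_OID}.220.166.50.1.2.3 = INTEGER: 7"],
       2: [f"{FDB_PORT_OID}.0.26.43.60.77.94 = INTEGER: 12", f"{FDB_PORT_OID}.0.80.86.170.187.204 = INTEGER: 3",
           f"{FDB_PORT_OID}.240.159.194.17.34.51 = INTEGER: 7"],
       3: [f"{FDB_PORT_OID}.0.26.43.60.77.94 = INTEGER: 12", f"{FDB_PORT_OID}.0.80.86.170.187.204 = INTEGER: 3",
           f"{FDB_PORT_OID}.220.166.50.1.2.3 = INTEGER: 9"]}
ARP = {1: [f"{ARP_PHYS_OID}.3.192.0.2.10 = Hex-STRING: 00 1A 2B 3C 4D 5E",
           f"{ARP_PHYS_OID}.3.192.0.2.20 = Hex-STRING: 00 50 56 AA BB CC"],
       2: [f"{ARP_PHYS_OID}.3.192.0.2.10 = Hex-STRING: 00 1A 2B 3C 4D 5E",
           f"{ARP_PHYS_OID}.3.192.0.2.40 = Hex-STRING: F0 9F C2 11 22 33"],
       3: [f"{ARP_PHYS_OID}.3.192.0.2.10 = Hex-STRING: 00 1A 2B 3C 4D 5E",
           f"{ARP_PHYS_OID}.3.192.0.2.30 = Hex-STRING: DC A6 32 01 02 03"]}
KNOWN = {"00:1a:2b:3c:4d:5e", "00:50:56:aa:bb:cc"}  # inventoried hosts (constructed)

def demo(min_polls=2):
    """Run the three constructed polls; return (suspect list, rows pruned)."""
    db = SightingDB()
    for poll in sorted(FDB):
        db.record_fdb(poll, "sw1", parse_fdb_walk(FDB[poll]))
        db.record_arp(poll, "rtr1", parse_arp_walk(ARP[poll]))
    suspects = db.suspects(min_polls, KNOWN)
    pruned = db.prune_one_timers(before_poll=max(FDB))
    return suspects, pruned

if __name__ == "__main__":
    for s in demo()[0]:
        print(s)
```

In a real deployment the walk lines come from `snmpwalk -On -Ox <host> <oid>` run on a schedule against every switch and router (`-Ox` forces hex output, otherwise net-snmp may render a MAC made of printable bytes as a plain STRING). Two caveats a practitioner will hit: on VLAN-aware switches the BRIDGE-MIB table is usually per VLAN (Cisco exposes it through community@vlan indexing) or is replaced by Q-BRIDGE-MIB's dot1qTpFdbTable, so the walk has to be repeated per VLAN or the Q-BRIDGE parser written; and the bridge port number is not an ifIndex, so mapping it to an interface name needs a further walk of dot1dBasePortIfIndex.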


