Term Project on
Network Discovery
EE673
Digital Communication Networks
Submitted by
Amrita Mishra (11104163)
Shaji M (11104096)
Silpa K S (12104079)
Yadunath K (12104093)
Contents (Page No.)
List of Figures ............................................ 3
Chapter 1: Introduction .................................... 4
Chapter 2: Problem Statement and Scope of the project ...... 7
Chapter 3: Introduction to Nmap ............................ 9
Chapter 4: Scans used for performing Network Discovery .... 13
Chapter 5: Implementation and Results ..................... 14
Chapter 6: Conclusion ..................................... 23
References ................................................ 24
List of Figures (Page No.)
Fig 1: Zenmap showing Host is up with MAC address ............................. 15
Fig 2: Corresponding Topology ................................................. 16
Fig 3: Zenmap showing Host is down ............................................ 16
Fig 4: Zenmap showing what hosts are up in a subnet ........................... 17
Fig 5: Zenmap showing the OS details of a host ................................ 18
Fig 6: Zenmap showing topology of the subnet .................................. 19
Fig 7: Zenmap showing the local host connected to remote host via router ...... 20
Fig 8: Zenmap showing the local host connected to remote host via gateway router 20
Fig 9: Text file showing the results of a scan with details of port, OS running on the device etc 22
Fig 10: Corresponding Inventory of the above scan ............................. 22
1. INTRODUCTION
The 21st century is the era of the Internet, characterized by the rapid development and application
of computer network technology. Security issues have emerged alongside computer networks, so
much more effort must be made to enhance the security of computer networks and of the
applications running on them. One of the strongest motivations for Network Discovery is to secure
the network, for which one has to first identify the devices connected to the network and the
topology of the network. This is done by network topology discovery.
What is Network Discovery?
Network Discovery, also known as Network Visibility or Network Mapping, is a method to
identify and inspect network address space, network assets, services and connections. Network
Discovery increases awareness of the state of the network, thus reducing risk and supporting
network security. It thereby helps to improve the operational metrics of the network.
What is Network Topology?
Network topology is the study of the arrangement of links and nodes in a network and the
interconnections among the nodes. It is basically a map of the network in which the various network
devices are interconnected and communicate with each other. The interconnection among
devices can be classified into either of the following network topologies:
- Physical network topology, where peers are connected to ports on devices via a physical
  transmission link.
- Logical network topology, in which a network is divided into logical segments through
  subnets.
A physical topology corresponds to many logical topologies, each at a different level of
abstraction. For example, at the IP level, peers are hosts or routers one IP hop from each other,
and at the workgroup level, the peers are workgroups connected by a logical link.
What is the main motivation for Network Discovery?
Network topology constantly changes as new nodes and links join a network, some links
and nodes die or become inactive and network capacity is increased to deal with added traffic. So
the discovery and management of such dynamic networks has become a serious matter of
concern.
What is the challenge we face during Network Discovery?
Since the topology of networks always keeps changing, the key issue of topology
discovery is how to effectively and efficiently perform the discovery task with minimal impact to
normal network traffic.
Why do we require the topology information of networks?
- Simulation: To simulate real networks.
- Network Management: Network topology information is useful in deciding whether to
  add new routers and to figure out whether current hardware is configured correctly. It
  also allows network managers to find bottlenecks and failures in the network.
- Siting: A network map helps users determine where they are in the network so they can
  decide where to site servers, and which ISP to join to minimize latency and maximize
  available bandwidth.
Utilities of Network Discovery
- Useful in studying the characteristics, behavior and protocols of networks.
- Configuration Management: Networks are continually adjusted when devices are
  added, removed, reconfigured, or updated. These changes may be intentional, such as
  adding a new server to the network. The process of configuration management
  involves identifying the network components and their connections, collecting each
  device's configuration information, and defining the relationships between network
  components. In order to perform these tasks, the network manager needs topological
  information about the network, device configuration information, and control of the
  network components, all of which are provided by network discovery.
- Smooth operation of networks with increasing traffic: The harmonious operation of
  the various networking devices in a LAN requires correct and valid configuration of the
  protocols and applications that are enabled on these devices. As the number and types of
  devices enabled in a LAN steadily increase, it becomes difficult for a network manager or IT
  manager to statically monitor and configure each device on the network, and it takes IT
  managers a significant amount of time to find and rectify configuration problems. Network
  Discovery or Network Management provides a solution to this kind of problem: using
  Network Discovery, the administrator can manage all the devices in the network.
- Network management: This refers to the broad subject of managing computer networks.
  There exists a wide variety of software and hardware products that help network system
  administrators manage a network. Network management is the collection of tasks
  performed to maximize availability, performance, security and control of a network and
  its resources. Without powerful and automated network discovery, network
  management capabilities cannot scale and cannot be accurate or efficient.
- Maintaining an up-to-date picture of the network: Network discovery is a diagnostic
  tool because of its inherent ability to discover and maintain accurate and up-to-date
  network topologies. The information exposes network mapping, inventory data and
  network troubleshooting information that may otherwise be unavailable. Network
  administrators can use this information to identify outdated hardware and software, speed
  and duplex mismatches and improperly configured devices. For example, using reports,
  network discovery can be used to locate ports that are no longer active, which in turn
  identifies endpoint devices that have gone out of service. All these things make the life of
  a network administrator easier.
2. PROBLEM STATEMENT AND SCOPE OF THE PROJECT
PROBLEM STATEMENT
To find
1. The internetworking devices active/inactive in the network.
2. The OS detection and application running in the remote hosts.
3. Topology generation of the network.
4. To create a usable inventory out of the scan.
Internetworking devices
An internetworking device is a widely used term for any hardware within a network that connects
different network resources. Key devices that comprise a network are routers, bridges, repeaters
and gateways.
Routers are highly intelligent network devices that are primarily used for large networks and
provide the best data path for effective communication. Routers have memory chips which store
large quantities of network addresses.
Bridges are used to connect two large networks by providing different network services.
Repeaters are used for signal and data regeneration and are primarily responsible for data
amplification.
Gateways are internetworking devices used to convert formats and are the backbone of any
network architecture.
Network discovery can be done in two ways:
- IP based device discovery
- Non-IP based device discovery
IP based device discovery
This identifies devices such as routers, gateways and nodes. These devices can be identified by
their unique IP address.
How do we perform IP based device discovery?
We have made use of the software called Nmap along with its GUI frontend Zenmap
(elaborately discussed later). This software takes an IP address range as input and reports
the current status (active/inactive) of each address, so we can identify the active devices in the
network. The software also provides information about how the devices are connected with
each other, thus enabling us to deduce the topology of the network. If we are not
Address Resolution Protocol (ARP) is used to find out the MAC address of a device in
your Local Area Network (LAN) for the IP address with which a network application is
trying to communicate. If the device is active, it will reply with its MAC address; if the
device is not active, we won't get any reply. The command which displays the ARP table of
the current subnet is arp -a. Its output lists the IP addresses together with the corresponding
physical (MAC) addresses.
Internet Control Message Protocol (ICMP, normally used via ping): Ping is a
computer network administration utility used to test the reachability of a host on an
Internet Protocol (IP) network and to measure the round-trip time for messages sent from
the originating host to a destination computer. ICMP is a message control and error-reporting
protocol between a host and a gateway to the Internet. ICMP messages are carried in Internet
Protocol (IP) datagrams, but they are processed by the IP software and are not directly
apparent to the application user. This is known as "Layer 3 Discovery" or "Network Layer
Discovery".
Non-IP based device discovery
Devices like switches, hubs and repeaters, which do not have an IP address, cannot be
identified with ARP. We can identify devices which do not have any IP address with the help
of Open Shortest Path First (OSPF). This is sometimes known as "Link Layer Discovery" (Layer
two discovery).
SCOPE OF THE PROJECT
We have performed Network Layer Discovery for the IITK private network and the
results obtained are furnished as a part of the project.
3. INTRODUCTION TO NMAP
SOFTWARE USED
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to
discover hosts and services on a computer network, thus creating a "map" of the network. Many
systems and network administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP
packets in novel ways to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics.
Unlike many simple port scanners that just send packets at a predefined constant rate, Nmap
accounts for the network conditions (latency fluctuations, network congestion, the target's
interference with the scan) during the run. Nmap runs on Linux, Microsoft Windows, Solaris,
HP-UX and BSD variants (including Mac OS X), and also on AmigaOS and SGI IRIX. Linux is
the most popular Nmap platform, with Windows following it closely.
Features of Nmap
Nmap features include:
- Host discovery - Identifying hosts on a network. For example, listing the hosts which
  respond to pings or have a particular port open.
- Port scanning - Enumerating the open ports on one or more target hosts.
- Version detection - Interrogating network services listening on remote devices
  to determine the application name and version number.
- OS detection - Remotely determining the operating system and hardware characteristics
  of network devices.
In addition to these, Nmap can provide further information on targets, including reverse DNS
names, device types, and MAC addresses.
Basic commands working in Nmap
For target specifications:
  nmap <targets' hostnames or IPs, separated by spaces (CIDR notation can also be used)>
  e.g.: scanme.nmap.org, gnu.org/24, 192.168.0.1; 10.0.0-255.1-254
Host discovery:
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
Scan techniques:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sO: IP protocol scan
Port specification and scan order:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
Service/version detection:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
OS detection:
-O: Enable OS detection
Timing and performance:
Options which take <time> are in seconds, or append 'ms'
(milliseconds),'s' (seconds), 'm' (minutes), or 'h' (hours) to the
value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
Firewall/ids evasion and spoofing:
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
Output:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
Misc:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
Reporting results
The output from Nmap is a list of scanned targets, with supplemental information on each
depending on the options used. Key among that information is the "interesting ports table". That
table lists the port number and protocol, service name, and state. The state is either open,
filtered, closed, or unfiltered. Open means that an application on the target machine is listening
for connections/packets on that port. Filtered means that a firewall, filter, or other network
obstacle is blocking the port, so that Nmap cannot tell whether it is open or closed. Closed ports
have no application listening on them, though they could open up at any time. Unfiltered means
the port is reachable by Nmap's probes, but Nmap cannot determine whether it is open or closed.
Nmap provides four possible output formats for the scan results. All but the interactive output
are saved to a file. All of the output formats in Nmap can be easily manipulated by text processing
software, enabling the user to create customized reports.
- Interactive - presented and updated in real time when a user runs Nmap from the
  command line. Various options can be entered during the scan to facilitate monitoring.
- XML - a format that can be further processed by XML-capable tools. It can be converted
  into an HTML report using XSLT.
- Grepable - output that is tailored to line-oriented processing tools such as grep, sed or
  awk.
- Normal - the output as seen while running Nmap from the command line, but saved to a
  file.
- Script kiddie - meant to be a funny way to format the interactive output, replacing letters
  with their visually alike number representations. For example, "Interesting ports" becomes
  "Int3rest|ng p0rtz".
In addition to the interesting ports table, Nmap can provide further information on targets,
including reverse DNS names, operating system guesses, device types, and MAC addresses.
Zenmap – GUI for Nmap
Zenmap is the official Nmap Security Scanner GUI. Frequently used scans can be saved as
profiles to make them easy to run repeatedly. A command creator allows interactive creation of
Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be
compared with one another to see how they differ. The results of recent scans are stored in a
searchable database.
4. SCANS USED FOR PERFORMING NETWORK DISCOVERY
1. To find the internetworking devices active/inactive in the network.
Input:
a) To find the current status of a remote host, give its IP address as the input.
   For example: 172.24.40.18   Mode: Regular Scan
b) To find the current status of the devices in a subnet, specify the subnet mask (prefix length)
   along with the IP address.
   For example: 172.24.40.18/28
2. To find the OS and applications running on the remote hosts.
Input:
To perform this we specify 'Intense Scan' mode in the tool along with the remote host's IP.
For example: 172.24.40.18   Mode: Intense Scan
3. Topology generation of the network.
Input:
To perform this we specify 'Ping Scan/Quick Scan' mode in the tool along with the subnet IP.
For example: 172.24.40.18/28   Mode: Ping Scan
5. IMPLEMENTATION AND RESULTS
Network Discovery is meant not only for finding computers and operating systems, but also for
finding network devices such as printers, routers, and bridges. Network Discovery procedure
can be used to find any device on your network that has an IP address.
1. Ping/Broadcast Ping
The ping tool accurately indicates whether the pinged machine is on the Internet or not
(actually, since ping packets can get lost, we always ping an address twice, deeming it
unreachable only if neither probe elicits a reply). With suitably small packets, ping also has a low
overhead. Pings to live hosts succeed within a single round-trip time, which is a few tens of
milliseconds, so the tool is fast. Pings to dead or non-existent hosts, however, time out after a
conservative interval of 20 seconds, so pings to such hosts are expensive.
'Directed broadcast ping' refers to a ping packet addressed to an entire subnet rather than just
one machine. This can be done by addressing either the '255' or the '0' node in the subnet (e.g.
to broadcast to all nodes in the 128.84.155 subnet, ping 128.84.155.0 or ping 128.84.155.255;
more generally, these two addresses correspond to extending the subnet address with either all
0s or all 1s). A broadcast ping is received by all hosts in the subnet, each of which is supposed to
reply to the originator of the ping. This is useful in finding all the machines in a subnet. Ping
broadcast, however, is not fully supported in all networks. In some networks, only the router
responsible for that subnet responds to the broadcast ping (we refer to this as the weak
ping broadcast assumption). In certain networks, broadcast ping is not responded to at all.
2. Traceroute
Traceroute discovers the route between a probe point and a destination host by sending
packets with progressively increasing TTLs. Routers along the path, on seeing a packet whose
TTL reaches zero, send ICMP TTL-expired replies to the sender, which tallies these to discover
the path. Traceroute is usually accurate because all Internet routers are required to send the
TTL-expired ICMP message. However, some ISPs are known to hide their routers from traceroute
by manipulating these replies to collapse their internal topology.
This reduces both the accuracy and the completeness of topologies discovered using
traceroute. Traceroute sends two probes to every router along the path, so it generates considerably
more overhead than ping. Since probes to consecutive routers are spaced apart to minimize the
instantaneous network load, the time to complete a traceroute is also much longer than a ping.
Problem Statement 1
To find the internetworking devices active/inactive in the network
Implementation
This involves layer 3 discovery, which is implemented using a network scanner, i.e. the
Nmap/Zenmap network management tools. It relies on the ICMP protocol, which underlies the
'ping' and 'traceroute' commands used to query the remote host's status.
Those devices which are currently 'up' are termed active in the network, whereas those which
are 'down' are termed inactive. To find out the status of a remote host from its IP address alone we
use the Zenmap tool. This generates the output shown below:
Fig 1. Zenmap showing Host is up with MAC address
Zenmap can be used to find out the status of the various remote hosts in a subnet, or more generally
in a network, which includes routers too. For this we have to specify one IP address along with its
mask length; the output then lists the current status of all the nodes in that network. The results
of this scan are shown below:
Fig 4. Zenmap showing what hosts are up in a subnet
Problem Statement 2
The OS detection and application running in the remote hosts.
Implementation
To find out what applications a remote host is running, the nmap command is normally used in
the command window/terminal, but its raw output is not easily understood by the user. To make
it more user-friendly we are using the Zenmap tool. It takes the IP address of the remote host as
input and, in Intense Scan mode, generates output showing which OS and which applications are
running. An example of this is shown below:
Fig 5: Zenmap showing the OS details of the host
Problem Statement 3
Topology generation of the network.
Implementation
To find out the connectivity to the remote host we reuse the solution to Problem Statement 1.
The back-end output of that scan can be converted into a front-end graphical output using the
Zenmap tool alone. We can generate a graphical topology showing how the nodes are
interconnected in a subnet or, more generally, in a network.
Fig 6. Zenmap showing topology of the subnet
From the above figure, we observe that the remote host is only one hop away from the local host,
so there is no device working as a router between them. If the remote host is located outside the
subnet, a router is required to reach it. The figure also shows the latency between the local host
and the target node, so delay is the cost metric. To access such a node we go via a router, as shown
in the following figure:
Fig 7.Zenmap showing the local host connected to remote host via router
A gateway router is required when an internal host is to be connected to a remote host in an outer
network. Hence, they are internetworking devices. The following topology diagram shows how
the gateway router is connecting between hosts in two different networks:
Fig 8. Zenmap showing the local host connected to remote host via a gateway router
Problem Statement 4
To create a usable inventory out of the Nmap scan
Implementation
A portable format is needed. Comma-separated values (CSV) are ideal, as this format can
be loaded easily into spreadsheet and database programs.
The inventory created by nmap is a network-based inventory. It provides information that is
critical to system, application and protocol management, such as a system's IP address, its
operating system and the applications that it is running on network ports.
Nmap's output options (-o) control the format in which it writes its results. Using the grepable
variant (-oG), nmap creates output that grep can work with easily, which makes our inventory
creation much easier.
Using operating system identification and the "grepable" output formatting, the following
command runs the raw scan and writes the report to report.txt (OS detection needs raw
sockets, so it is run with root privileges):
  nmap -O -oG report.txt 172.24.1.0/24
The following pipeline then strips the Host:, Ports: and Seq fields and the parentheses around
the hostname from the .txt file, and passes the remainder to awk, which adds quotes and commas
for the CSV file:
  grep "OS:" report.txt | sed 's/Host: //' | sed 's/Ports.*OS://' | sed 's/Seq.*$//' | sed 's/(//' | sed 's/)//' | awk '{print "\"" $1 "\",\"" $2 "\",\"" $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 "\""}' > report.csv
A snapshot of the text and tabular format generated using the above command at the terminal
window is given below:
Fig 9. Text file showing the results of a scan with details of port, OS running on the device etc
Fig 10. Corresponding Inventory of the above scan
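As an added example (not part of the original report or of Nmap itself), the Python script below builds the same kind of inventory from an -oG file but parses the tab-separated Host:/Ports:/OS: fields directly, which also handles a host with no reverse-DNS name (the "()" the sed/awk chain above does not cope with) and records the per-port state from the interesting ports table. The grepable text embedded in it is constructed to mimic what `nmap -O -oG report.txt 172.24.1.0/24` writes; it is not a real scan.

```python
"""Build a CSV inventory from Nmap grepable (-oG) output.

Added example; SAMPLE_GREPABLE is constructed to mimic the file that
`nmap -O -oG report.txt 172.24.1.0/24` writes, not a real scan result.
"""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_GREPABLE = (
    "# Nmap 6.40 scan initiated as: nmap -O -oG report.txt 172.24.1.0/24\n"
    "Host: 172.24.1.1 (gw.lab.example)\tStatus: Up\n"
    "Host: 172.24.1.1 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, "
    "80/open/tcp//http//Apache httpd 2.2.15/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\tOS: Linux 2.6.32 - 3.9\tSeq Index: 259\n"
    "Host: 172.24.1.7 ()\tStatus: Up\n"          # no reverse-DNS name: '()'
    "Host: 172.24.1.7 ()\tPorts: 135/filtered/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 7\tSeq Index: 258\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 131.22 seconds\n"
)


@dataclass
class HostRecord:
    ip: str
    hostname: str = ""
    status: str = ""
    os: str = ""
    # (port, state, protocol, service, version) per interesting-ports entry
    ports: list = field(default_factory=list)


def parse_grepable(text):
    """Return {ip: HostRecord} for every 'Host:' line in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' header/footer lines
        # Each tab-separated chunk is 'Name: value'; split on the first colon
        # only, so an OS string such as 'Linux 2.6.32 - 3.9' survives intact.
        fields = {}
        for chunk in line.split("\t"):
            name, _, value = chunk.partition(":")
            fields[name.strip()] = value.strip()
        ip, _, rest = fields["Host"].partition(" ")
        hostname = rest.strip("()")       # '()' when there is no PTR record
        rec = hosts.setdefault(ip, HostRecord(ip=ip, hostname=hostname))
        rec.status = fields.get("Status", rec.status)
        rec.os = fields.get("OS", rec.os)
        # Port entries are ', '-separated; version strings rarely contain ', '.
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/protocol/owner/service/rpc info/version
            p = entry.split("/")
            rec.ports.append((int(p[0]), p[1], p[2], p[4], p[6]))
    return hosts


def port_state_summary(rec):
    """Count a host's ports per Nmap state (open, closed, filtered, ...)."""
    return dict(Counter(state for _, state, _, _, _ in rec.ports))


def to_csv(hosts):
    """Render the inventory as CSV, every field quoted, sorted by address."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["ip", "hostname", "status", "os", "open_ports"])
    for rec in sorted(hosts.values(), key=lambda r: ipaddress.ip_address(r.ip)):
        open_ports = ";".join(f"{port}/{proto}:{svc}"
                              for port, state, proto, svc, _ in rec.ports
                              if state == "open")
        writer.writerow([rec.ip, rec.hostname, rec.status, rec.os, open_ports])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_grepable(SAMPLE_GREPABLE)), end="")
```

Replace SAMPLE_GREPABLE with the contents of report.txt to process a real scan; hosts that were down never get a Host: line and so never enter the inventory.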
6. CONCLUSION
A thorough survey of the IITK private network was performed using Nmap, and the interconnection
between the various IP layer nodes was observed through their topology. As expected, the
remote hosts within the subnet were reachable from the local host in 1 hop, whereas outside the
subnet it takes more than 1 hop. Knowledge of the OS and services running on the remote hosts
gave a thorough understanding of the discovered devices.
Proposed future developments in the field of Network Discovery:
- Reducing the delay in discovery of devices.
- Checking the correctness of discovered data for guaranteed results (verification of network
  discovery).
- A history of changes in network topology would also be helpful to analyze the occurrence of
  failures or unintentional behavior.
- Network Discovery in wireless networks, as they pose harsh, uncertain, and dynamic
  environments, along with energy and bandwidth constraints.
REFERENCES
1. www.nmap.org
2. www.technet.microsoft.com
3. www.wikipedia.org
4. Nmap Network Scanning by Gordon "Fyodor" Lyon