Passive Network Monitoring - lanmap2
lanmap2 is a passive network monitoring/analysis framework; no SNMP required.
It promiscuously listens to all passing data and sifts out potentially interesting factoids (addresses, names, fingerprints, unusual situations, etc.) into an sqlite database. scripts are provided to query the database and generate image graphs of network entities, overall connectivity, traffic and notable applications, operating systems and roles that systems play.
It is meant to be an extensible framework; anyone who spends time looking at network traffic and knows a little SQL should be able to contribute analysis-type ‘mappings’ (see data/*.sql) lanmap2’s components are decoupled from each other and are fairly straight-forward and flexible; you can report things to the database without having to use them and you can work on analysis-type tasks or scripts while network capture is running.
The current graphing scripts use php to query the database and generate input to graphviz; these can be modified fairly easily.
lanmap Installation
Everything is pretty much manual at this point
Passive Network Monitoring Dependencies:
ºsqlite3 and libsqlite3 (sqlite2 not acceptable!)
ºlibpcap
ºgcc
ºphp (to interface with db and generate graphviz input; plan on replacing with lua)
ºgraphviz (for graph generating)
sudo apt-get install libpcap-dev libsqlite3-dev gcc graphviz php5-cli php5-sqlite sqlite3
Run make
make
This will build and populate the database file ‘db/db’
And the parse/capture program ‘src/cap’
lanmap2 Use
1. Start capturing
cd db && sudo ../src/cap && cd -
The application has to run as root, which is a potential security hazard.
This currently produces prodigious amounts of output; sue me.
2. Generate a graph after letting the capture run for a while.
cd graph && ./graph.sh && cd -
This will generate a graph at graph/net.png
This runs a bunch of php scripts.
3. View the graph via the web/ crap
I suggest you map/symlink apache to the web/ directory if you are capable