
Term Project on

Network Discovery

EE673

Digital Communication Networks

Submitted by

Amrita Mishra (11104163)

Shaji M (11104096)

Silpa K S (12104079)

Yadunath K (12104093)


Contents

Page No.

List of Figures 3

Chapter 1: Introduction 4

Chapter 2: Problem Statement and Scope of the project 7

Chapter 3: Introduction to Nmap 9

Chapter 4: Scans used for performing Network Discovery 13

Chapter 5: Implementation and Results 14

Chapter 6: Conclusion 23

References 24


List of Figures

Page No.

Fig 1: Zenmap showing Host is up with MAC address 15

Fig 2: Corresponding Topology 16

Fig 3: Zenmap showing Host is down 16

Fig 4: Zenmap showing what hosts are up in a subnet 17

Fig 5: Zenmap showing the OS details of a host 18

Fig 6: Zenmap showing topology of the subnet 19

Fig 7: Zenmap showing the local host connected to remote host via router 20

Fig 8: Zenmap showing the local host connected to remote host via gateway router 20

Fig 9: Text file showing the results of a scan with details of port, OS running on the device etc 22

Fig 10: Corresponding Inventory of the above scan 22


1. INTRODUCTION

The 21st century is the era of the Internet, marked by the rapid development and application of computer network technology. Security issues present themselves alongside the emergence of computer networks, so much more effort should be made to enhance security and precautions on computer networks while running network applications. One of the strongest motivations for Network Discovery is to secure the Internet, and for that one first has to identify the devices connected to the network and the topology of the network. This is done by network topology and discovery.

What is Network Discovery?

Network Discovery, also known as Network Visibility or Network Mapping, is a method to identify and inspect the network address space, network assets, services and connections. Network Discovery increases awareness of the state of the network, thus reducing risk and supporting network security. It thereby helps in improving the operational metrics of the network.

What is Network Topology?

Network topology is the study of the arrangement of links and nodes in a network and the interconnections among the nodes. It is basically a map of the network in which the various network devices are interconnected and communicate with each other. The interconnection among devices can be broadly classified into one of the following network topologies:

- Physical network topology, where peers are connected to ports on devices via a physical transmission link.

- Logical network topology, in which a network is divided into logical segments through subnets.

A physical topology corresponds to many logical topologies, each at a different level of abstraction. For example, at the IP level, peers are hosts or routers one IP hop from each other, and at the workgroup level, the peers are workgroups connected by a logical link.

What is the main motivation for Network Discovery?

Network topology constantly changes as new nodes and links join a network, some links and nodes die or become inactive, and network capacity is increased to deal with added traffic. So the discovery and management of such dynamic networks has become a serious matter of concern.


What is the challenge we face during Network Discovery?

Since the topology of networks keeps changing, the key issue of topology discovery is how to perform the discovery task effectively and efficiently with minimal impact on normal network traffic.

Why do we require the topology information of networks?

- Simulation: to simulate real networks.

- Network Management: network topology information is useful in deciding whether to add new routers and in figuring out whether the current hardware is configured correctly. It also allows network managers to find bottlenecks and failures in the network.

- Siting: a network map helps users determine where they are in the network so they can decide where to site servers, and which ISP to join to minimize latency and maximize available bandwidth.

Utilities of Network Discovery

- Useful in studying the characteristics, behaviour and protocols of networks.

- Configuration Management: networks are continually adjusted as devices are added, removed, reconfigured or updated. These changes may be intentional, such as adding a new server to the network. The process of configuration management involves identifying the network components and their connections, collecting each device's configuration information, and defining the relationships between network components. In order to perform these tasks, the network manager needs topological information about the network, device configuration information, and control of the network components, all of which network discovery provides.

- Smooth operation of networks with increasing traffic: the harmonious operation of the various networking devices in a LAN requires correct and valid configuration of the protocols and applications that are enabled on these devices. As the number and types of devices enabled in a LAN steadily increase, it is difficult for a network manager or IT manager to statically monitor and configure each device on a network. At the same time, it takes IT managers a significant amount of time to find and rectify configuration problems. Network Discovery, or Network Management, provides a solution to this kind of problem: using Network Discovery, the administrator can manage all the devices in the network.


- Network management: this refers to the broad subject of managing computer networks. There exists a wide variety of software and hardware products that help network system administrators manage a network. Network management is the collection of tasks performed to maximize the availability, performance, security and control of a network and its resources. Without powerful and automated network discovery, network management capabilities cannot scale, be accurate or be efficient.

- Maintaining an up-to-date picture of the network: network discovery is a diagnostic tool because of its inherent ability to discover and maintain accurate and up-to-date network topologies. The information exposes network mapping, inventory data and network troubleshooting information that may otherwise be unavailable. Network administrators can use this information to identify outdated hardware and software, speed and duplex mismatches, and improperly configured devices. For example, using reports, network discovery can locate ports that are no longer active, which identifies endpoint devices that have gone out of service. All these things make the life of a network administrator easier.


2. PROBLEM STATEMENT AND SCOPE OF THE PROJECT

PROBLEM STATEMENT

To find

1. The internetworking devices active/inactive in the network.

2. The OS detection and application running in the remote hosts.

3. Topology generation of the network.

4. To create a usable inventory out of the scan.

Internetworking devices

An internetworking device is a widely used term for any hardware within a network that connects different network resources. The key devices that comprise a network are routers, bridges, repeaters and gateways.

Routers are highly intelligent network devices that are primarily used for large networks and provide the best data path for effective communication. Routers have memory chips which store large quantities of network addresses.

Bridges are used to connect two large networks by providing different network services.

Repeaters are used for signal and data regeneration and are primarily responsible for data amplification.

Gateways are internetworking devices used to convert formats and are the backbone of any network architecture.

Network discovery can be done in two ways:

- IP based device discovery

- Non-IP based device discovery

IP based device discovery

This identifies devices such as routers, gateways and nodes. These devices can be identified by their unique IP address.

How do we perform IP based device discovery?

We have made use of the software called Nmap along with its GUI frontend Zenmap (discussed in detail later). This software takes an IP address range as input and replies with the current status (active/inactive) of each address. Thus we can identify the active devices in the network. This software also provides information about how the devices are connected with each other, thus enabling us to deduce the topology of the network.

If we are not

Address Resolution Protocol (ARP) is used to find out the MAC address of a device in your Local Area Network (LAN) for the IP address with which a network application is trying to communicate. If the device is active it will reply with its MAC address, but if the device is not active we won't get any reply. The command which displays the ARP table of the current subnet is arp -a. Its output lists the IP addresses with the corresponding physical (MAC) addresses.

Internet Control Message Protocol (ICMP, normally referred to through ping): Ping is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer. ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the IP software and are not directly apparent to the application user. This is known as "Layer 3 Discovery" or "Network Layer Discovery".

Non-IP based device discovery

Devices like switches, hubs and repeaters which do not have an IP address cannot be identified with ARP. We can identify devices which do not have any IP address with the help of Open Source Protocol First (OSPF). This is sometimes known as "Link Layer Discovery" (Layer two discovery).

SCOPE OF THE PROJECT

We have performed Network Layer Discovery for the IITK private network, and the results obtained are furnished as a part of the project.


3. INTRODUCTION TO NMAP

SOFTWARE USED

Nmap (Network Mapper) is a security scanner, originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus creating a "map" of the network. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Unlike many simple port scanners that just send packets at a predefined constant rate, Nmap accounts for the network conditions (latency fluctuations, network congestion, the target's interference with the scan) during the run. Nmap runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), and also on AmigaOS and SGI IRIX. Linux is the most popular Nmap platform, with Windows following it closely.

Features of Nmap

Nmap features include:

- Host discovery: identifying hosts on a network, for example listing the hosts which respond to pings or have a particular port open.

- Port scanning: enumerating the open ports on one or more target hosts.

- Version detection: interrogating network services listening on remote devices to determine the application name and version number.

- OS detection: remotely determining the operating system and hardware characteristics of network devices.

In addition to these, Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

Basic commands working in Nmap

For target specifications:

nmap <targets' URLs or IPs separated by spaces (CIDR notation can also be used)>

e.g.: scanme.nmap.org, gnu.org/24, 192.168.0.1; 10.0.0-255.1-254
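The target notations just listed define the scope of a discovery run, so it is worth seeing exactly which addresses a specification expands to before anything is sent. The following Python helper is an added example, not code from this report or from Nmap itself: it expands plain IPv4 addresses, CIDR blocks and Nmap's per-octet range and list syntax (10.0.0-255.1-254, or 192.168.3-5,7.1) into individual addresses, and returns hostnames unchanged because resolving them would need DNS. The names expand_target and expand_targets are this example's own.

```python
import ipaddress
import itertools

# Added example (not from the report or from Nmap): expand the target notations
# the report lists into the concrete addresses a scan would cover, so the scope
# of a discovery run can be reviewed against the approved subnet before it runs.

IPV4_SPEC_CHARS = set("0123456789.,-")


def expand_target(spec):
    """Return the list of IPv4 addresses (as strings) that one target spec covers.

    Hostnames, including hostname/CIDR forms like gnu.org/24, are returned
    unchanged: resolving them needs DNS, which this offline helper does not do.
    """
    base, slash, bits = spec.partition("/")
    if slash:
        if not set(base) <= set("0123456789."):
            return [spec]  # hostname/CIDR: would need a lookup first
        # strict=False lets a host address stand for its network (192.168.0.1/24);
        # iterating the network also yields the .0 and broadcast addresses,
        # which is what Nmap does with a CIDR target.
        net = ipaddress.ip_network(f"{base}/{bits}", strict=False)
        return [str(addr) for addr in net]

    octets = spec.split(".")
    if len(octets) != 4 or not set(spec) <= IPV4_SPEC_CHARS:
        return [spec]  # a hostname such as scanme.nmap.org

    choices = []
    for octet in octets:
        values = []
        for part in octet.split(","):
            lo_s, dash, hi_s = part.partition("-")
            if dash:  # "a-b", "-b", "a-" or "-" (an empty end means 0 or 255)
                lo = int(lo_s) if lo_s else 0
                hi = int(hi_s) if hi_s else 255
            else:
                lo = hi = int(part)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"octet range {part!r} in {spec!r} is out of 0-255")
            values.extend(range(lo, hi + 1))
        choices.append(values)
    return [".".join(map(str, combo)) for combo in itertools.product(*choices)]


def expand_targets(specs):
    """Expand several specs (as given on one nmap command line), dropping
    duplicates but keeping first-seen order, which is how a reviewer reads scope."""
    seen, result = set(), []
    for spec in specs:
        for target in expand_target(spec):
            if target not in seen:
                seen.add(target)
                result.append(target)
    return result


if __name__ == "__main__":
    for spec in ["scanme.nmap.org", "gnu.org/24", "192.168.0.1", "10.0.0-255.1-254"]:
        print(f"{spec:>20}: {len(expand_target(spec))} target(s)")
```

Counting the expansion of 10.0.0-255.1-254 (65,024 addresses) before a scan is the kind of check that keeps a discovery run inside the subnet it was approved for; note that, as with Nmap, a CIDR target covers the network and broadcast addresses as well as the hosts in between.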


Host discovery:

-sn: Ping Scan - disable port scan

-Pn: Treat all hosts as online -- skip host discovery

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers <serv1[,serv2],...>: Specify custom DNS servers

--system-dns: Use OS's DNS resolver

--traceroute: Trace hop path to each host

Scan techniques:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sO: IP protocol scan

Port specification and scan order:

-p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

-F: Fast mode - Scan fewer ports than the default scan

-r: Scan ports consecutively - don't randomize

--top-ports <number>: Scan <number> most common ports

--port-ratio <ratio>: Scan ports more common than <ratio>

Service/version detection:

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

OS detection:

-O: Enable OS detection

Timing and performance:

Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

-T<0-5>: Set timing template (higher is faster)

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.


--max-retries <tries>: Caps number of port scan probe retransmissions.

--host-timeout <time>: Give up on target after this long

--scan-delay/--max-scan-delay <time>: Adjust delay between probes

--min-rate <number>: Send packets no slower than <number> per second

--max-rate <number>: Send packets no faster than <number> per second

Firewall/IDS evasion and spoofing:

-S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number

--data-length <num>: Append random data to sent packets

--ip-options <options>: Send packets with specified ip options

--ttl <val>: Set IP time-to-live field

--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

--badsum: Send packets with a bogus TCP/UDP/SCTP checksum

Output:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,

and Grepable format, respectively, to the given filename.

-oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use -vv or more for greater effect)

-d: Increase debugging level (use -dd or more for greater effect)

--reason: Display the reason a port is in a particular state

--open: Only show open (or possibly open) ports

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file

--append-output: Append to rather than clobber specified output files

--resume <filename>: Resume an aborted scan

--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

--webxml: Reference stylesheet from Nmap.Org for more portable XML

--no-stylesheet: Prevent associating of XSL stylesheet w/XML output

Misc:

-6: Enable IPv6 scanning

-A: Enable OS detection, version detection, script scanning, and traceroute

--datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets

--privileged: Assume that the user is fully privileged

--unprivileged: Assume the user lacks raw socket privileges

-V: Print version number


Reporting results

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the "interesting ports table". That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port, so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time.

Nmap provides four possible output formats for the scan results. All but the interactive output are saved to a file. All of the output formats in Nmap can be easily manipulated by text processing software, enabling the user to create customized reports.

- Interactive: presented and updated in real time when a user runs Nmap from the command line. Various options can be entered during the scan to facilitate monitoring.

- XML: a format that can be further processed by XML-capable tools. It can be converted into an HTML report using XSLT.

- Grepable: output that is tailored to line-oriented processing tools such as grep, sed or awk.

- Normal: the output as seen while running Nmap from the command line, but saved to a file.

- Script kiddie: meant to be a funny way to format the interactive output, replacing letters with their visually similar number representations. For example, "Interesting ports" becomes "Int3rest|ng p0rtz".

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

Zenmap – GUI for Nmap

Zenmap is the official Nmap Security Scanner GUI. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.


4. SCANS USED FOR PERFORMING NETWORK DISCOVERY

1. To find the internetworking devices active/inactive in the network.

Input:

a) To find the current status of a remote host, give its IP address as the input.

For example: 172.24.40.18 Mode: Regular Scan

b) To find the current status of the devices in a subnet, specify the subnet mask along with the IP address.

For example: 172.24.40.18/28

2. To find the OS and applications running on the remote hosts.

Input:

To perform this we specify 'Intense Scan' mode in the tool along with the remote host's IP.

For example: 172.24.40.18 Mode: Intense Scan

3. Topology generation of the network.

Input:

To perform this we specify 'Ping Scan/Quick Scan' mode in the tool along with the subnet IP.

For example: 172.24.40.18/28 Mode: Ping Scan


5. IMPLEMENTATION AND RESULTS

Network Discovery is meant not only for finding computers and operating systems, but also for finding network devices such as printers, routers, and bridges. The Network Discovery procedure can be used to find any device on your network that has an IP address.

1. Ping/Broadcast Ping

The ping tool accurately indicates whether the pinged machine is on the Internet or not (actually, since ping packets can get lost, we always ping an address twice, deeming it unreachable only if neither elicits a reply). With suitably small packets, ping also has a low overhead. Pings to live hosts succeed within a single round-trip time, which is a few tens of milliseconds, so the tool is fast. Pings to dead or non-existent hosts, however, time out after a conservative interval of 20 seconds, so pings to such hosts are expensive.

'Directed broadcast ping' refers to a ping packet addressed to an entire subnet rather than just one machine. This can be done by addressing either the '255' or the '0' node in the subnet (e.g. to broadcast to all nodes in the 128.84.155 subnet, ping 128.84.155.0 or ping 128.84.155.255; more generally, these two addresses correspond to extending the subnet address with either all 0s or all 1s). A broadcast ping is received by all hosts in the subnet, each of which is supposed to reply to the originator of the ping. This is useful in finding all the machines in a subnet. Broadcast ping, however, is not fully supported in all networks. In some networks, only the router responsible for that subnet responds to the broadcast ping (we refer to this as the weak ping-broadcast assumption). In certain networks, broadcast ping is not responded to at all.

2. Traceroute

Traceroute discovers the route between a probe point and a destination host by sending packets with progressively increasing TTLs. Routers along the path, on seeing a packet whose TTL has reached zero, send ICMP TTL-expired replies to the sender, which tallies these to discover the path. Traceroute is usually accurate because all Internet routers are required to send the TTL-expired ICMP message. However, some ISPs are known to hide their routers from traceroute by manipulating these replies to collapse their internal topology.

This reduces both the accuracy and the completeness of topologies discovered using traceroute. Traceroute sends two probes to every router along the path, so it generates considerably more overhead than ping. Since probes to consecutive routers are spaced apart to minimize the instantaneous network load, the time to complete a traceroute is also much longer than a ping.
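As an added illustration (not code from the report), the following Python model walks through the TTL mechanism described above: each router on a constructed path decrements the TTL, the router that takes it to zero answers with ICMP Time Exceeded unless it is a "hidden" router that stays silent (shown as * in the result), and the probe point repeats each TTL twice, which also covers the lost-packet case behind the "ping twice" rule in the ping section. SAMPLE_PATH, the lost-probe parameter and the function names are this example's own assumptions; nothing here sends packets.

```python
# Added example (not from the report): a model of how traceroute uses the IP TTL
# field. Routers on a constructed path decrement the TTL; the one that brings it
# to zero answers with ICMP Time Exceeded unless it hides itself, which
# traceroute shows as "*". Nothing here touches a real network.

# Constructed path from the probe point to the destination: (node name, answers?).
# All entries except the last are routers; the last one is the destination host.
SAMPLE_PATH = [
    ("gw.lan", True),
    ("isp-edge", True),
    ("isp-core", False),    # hides itself: drops the expired packet silently
    ("dest.example", True),
]


def send_probe(ttl, path):
    """Forward one probe with the given TTL along path.

    Returns the name of the node that answered, or None if nothing came back.
    """
    for name, answers in path[:-1]:
        ttl -= 1                                # each router decrements before forwarding
        if ttl == 0:
            return name if answers else None    # ICMP Time Exceeded, or silence
    return path[-1][0]                          # reached the destination, which replies


def traceroute(path, probes_per_hop=2, max_ttl=30, lost=frozenset()):
    """Discover the path hop by hop as traceroute does: TTL 1, 2, 3, ... with
    probes_per_hop probes each. `lost` is a set of (ttl, probe_index) pairs that
    are dropped in transit, to model packet loss.

    Returns ([(ttl, node_name or "*"), ...], number_of_probes_sent).
    """
    destination = path[-1][0]
    hops, probes_sent = [], 0
    for ttl in range(1, max_ttl + 1):
        replies = []
        for i in range(probes_per_hop):
            probes_sent += 1
            replies.append(None if (ttl, i) in lost else send_probe(ttl, path))
        # A hop counts as answered if any of its probes got a reply.
        answered = next((r for r in replies if r is not None), None)
        hops.append((ttl, answered if answered else "*"))
        if answered == destination:
            break
    return hops, probes_sent


if __name__ == "__main__":
    hops, sent = traceroute(SAMPLE_PATH)
    for ttl, node in hops:
        print(f"{ttl:2d}  {node}")
    print(f"{sent} probes sent, versus 1 for a single ping")
```

The hidden hop appears as * at TTL 3 while the hops around it are still found, which is how a collapsed ISP topology shows up in practice; and a single lost probe at some TTL does not blank that hop, because the second probe covers it.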


Problem Statement 1

To find the internetworking devices active/inactive in the network

Implementation

This involves Layer 3 discovery, which is implemented using a network scanner such as the Nmap/Zenmap network management tools. It relies on the ICMP protocol, which commonly underlies the 'ping' and 'traceroute' commands used to query the remote host's status.

Those devices which are currently 'up' are termed active in the network, whereas those which are 'down' are termed inactive. To find out the status of a remote host using its IP address only, we use the Zenmap tool. This generates the output shown in the following figures:

Fig 1. Zenmap showing Host is up with MAC address


Fig 2. Corresponding topology

Fig 3. Zenmap showing Host is down


Zenmap can be used to find out the status of the various remote hosts in a subnet or, more generally, in a network, including routers. For this we have to specify one IP address along with its mask, which produces an output in which all the nodes in the network are checked for their current status. The result of this scan is shown below:

Fig 4. Zenmap showing what hosts are up in a subnet

Problem Statement 2

The OS detection and application running in the remote hosts.


Implementation

To find out which applications a remote host is running, the nmap command is mainly used in the command window/terminal, but its output is not easily understood by the user. To make it more user-friendly we use the Zenmap tool. It takes the IP address of the remote host as input and, in Intense Scan mode, generates output showing which OS and which applications are running. An example of this is shown below:

Fig 5: Zenmap showing the OS details of the host


Problem Statement 3

Topology generation of the network.

Implementation

To find out the connectivity to the remote host we use the solution to Problem Statement 1. This back-end output can be converted into front-end graphical output using the Zenmap tool alone. We can generate a graphical topology showing how the nodes are interconnected in a subnet or, more generally, in a network.

Fig 6. Zenmap showing topology of the subnet

From the above figure, we observe that the host is only one hop away from the destination; thus there is no device working as a router in between. If the remote host is located outside the subnet, a router is required to connect to it. The figure also shows the latency between the local host and the target node, so delay is the cost metric. To access such a node we go via a router, as shown in the following figure:


Fig 7.Zenmap showing the local host connected to remote host via router

A gateway router is required when an internal host is to be connected to a remote host in an outer network. Hence, gateway routers are internetworking devices. The following topology diagram shows how the gateway router connects hosts in two different networks:

Fig 8. Zenmap showing the local host connected to remote host via a gateway router


Problem Statement 4

To create a usable inventory out of the Nmap scan

Implementation

A portable format is likely needed. Comma-separated values (CSV) are ideal, as this format can be loaded easily into spreadsheet and database programs.

The inventory created by nmap is a network-based inventory. It provides information that is critical to system, application and protocol management, such as a system's IP address, its operating system and the applications that it is running on network ports.

Nmap supports the output parameter (-o) to influence how it writes data to standard output. By combining it with G (-oG), nmap creates output that grep can work with easily, which makes our inventory creation much easier.

Using operating system identification and the "grepable" output format, the following command runs the raw scan and writes the report to report.txt:

    nmap -O -oG report.txt 172.24.1.0/24

The following pipeline (a single command line) keeps only the lines carrying an OS guess, strips the field labels, the port list, the sequence data and the parentheses around the hostname, and pipes the result to awk to add quotes and commas for the CSV file:

    grep "OS:" report.txt | sed 's/Host: //' | sed 's/Ports.*OS://' | sed 's/Seq.*$//' | sed 's/(//' | sed 's/)//' | awk '{print "\"" $1 "\",\"" $2 "\",\"" $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 "\""}' > report.csv

A snapshot of the text and tabular format generated using the above command at the terminal window is given below:


Fig 9. Text file showing the results of a scan with details of port, OS running on the device etc

Fig 10. Corresponding Inventory of the above scan
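As an added example (not the report's or Nmap's own code) covering both the interesting-ports table from the "Reporting results" section and the inventory of Problem Statement 4, the Python below parses a constructed sample of grepable (-oG) output into one record per host with its port states, tallies the states, and writes the inventory as CSV through the csv module. This is an alternative to the grep/sed/awk pipeline above, which assumes every host has a reverse DNS name (an empty "()" leaves the first word of the OS guess in the hostname column) and that the OS guess fits in fields $3 to $14. The sample hosts, the record field names and the helper names (parse_grepable, port_state_counts, inventory_csv) are this example's own; the -oG layout it relies on (tab-separated "Name: value" fields, comma-separated port entries of the form port/state/proto/owner/service/rpcinfo/version/) is Nmap's documented grepable format.

```python
import csv
import io
import ipaddress

# Added example (not from the report or from Nmap): parse grepable (-oG) output
# into a host inventory and emit CSV with correct quoting.
#
# Constructed sample that mimics the -oG output of "nmap -O -sV"; it is not a
# real scan result. Fields are tab-separated ("\t"), port entries are
# "port/state/proto/owner/service/rpcinfo/version/" separated by ", ".
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample) as: nmap -O -sV -oG report.txt 172.24.1.0/28
Host: 172.24.1.1 ()\tStatus: Up
Host: 172.24.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6 ((CentOS) OpenSSL 1.0.2k-fips)/, 443/filtered/tcp//https///\tIgnored State: closed (997)\tOS: Linux 3.2 - 4.9\tSeq Index: 260\tIP ID Seq: All zeros
Host: 172.24.1.5 (print-srv.example)\tStatus: Up
Host: 172.24.1.5 (print-srv.example)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
Host: 172.24.1.9 ()\tStatus: Down
# Nmap done (constructed sample) -- 16 IP addresses (2 hosts up)
"""


def parse_grepable(text):
    """Return {ip: record}; the Status line and the Ports line of a host are merged.

    A record has ip, hostname, status, os and ports; each port is a dict with
    port, state, proto, service and version taken from the slash-separated entry.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # comment or blank line
        # "Name: value" fields; partition on the first ": " keeps values intact.
        fields = dict(f.partition(": ")[::2] for f in line.split("\t"))
        ip, _, name = fields["Host"].partition(" ")
        hostname = name.strip("()")                    # "()" means no reverse DNS name
        rec = hosts.setdefault(ip, {"ip": ip, "hostname": hostname, "status": "",
                                    "os": "", "ports": []})
        if "Status" in fields:
            rec["status"] = fields["Status"]
        if "OS" in fields:
            rec["os"] = fields["OS"]
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            parts = entry.split("/")
            rec["ports"].append({"port": int(parts[0]), "state": parts[1],
                                 "proto": parts[2], "service": parts[4],
                                 "version": parts[6]})
    return hosts


def port_state_counts(hosts):
    """Tally the interesting-ports states (open/filtered/closed/unfiltered) seen."""
    counts = {}
    for rec in hosts.values():
        for p in rec["ports"]:
            counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def inventory_csv(hosts):
    """One row per host: ip, hostname, status, os, open ports. The csv module
    quotes any field that contains a comma or a quote, so long version strings
    and OS guesses survive intact whatever they contain."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "hostname", "status", "os", "open_ports"])
    for rec in sorted(hosts.values(), key=lambda r: ipaddress.ip_address(r["ip"])):
        open_ports = "; ".join(
            f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
            for p in rec["ports"] if p["state"] == "open")
        writer.writerow([rec["ip"], rec["hostname"], rec["status"], rec["os"], open_ports])
    return out.getvalue()


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    print(port_state_counts(inventory))
    print(inventory_csv(inventory), end="")
```

Because the parser keys on the field names rather than on word positions, a host with no reverse DNS name or with a multi-word OS guess lands in the right columns, and the filtered port is kept in the record even though the inventory row lists only open ports.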


6.CONCLUSION

A thorough survey of the IITK private network was performed using Nmap, and the interconnection between the various IP-layer nodes was observed through their topology. As expected, the remote hosts within the subnet were reachable from the local host in 1 hop, whereas outside the subnet it takes more than 1 hop. Knowledge of the OS and services running on the remote hosts gave a thorough understanding of the discovered devices.

Proposed future developments in the field of Network Discovery:

- Reducing the delay in discovery of devices.

- Checking the correctness of discovered data for guaranteed results (verification of network discovery).

- A history of changes in network topology would also be helpful to analyse the occurrence of failures or unintentional behaviour.

- Network Discovery in wireless networks, as they pose harsh, uncertain and dynamic environments, along with energy and bandwidth constraints.
