lanmap sits quietly on a network and builds a picture of what it sees.
sudo apt-get install lanmap
or, even better, get lanmap2:
git clone firstname.lastname@example.org:rflynn/lanmap2.git
otherwise there are horrible, but popular, zipped snapshots of revisions.
Before you install lanmap, install graphviz. lanmap uses it.
Linux/BSD users: you'll need libpcap installed; the good news is you may already have it (tcpdump uses it).
libpcap is included with the Windows project.
I wrote lanmap because I realized that there is almost always a disparity between what people think
is happening on a computer network and what is actually happening. There are many clues right under our
noses, but it is difficult to get the 'big picture' with a tool like tcpdump.
lanmap simply listens to all available traffic on the interface of your choice and figures out who is talking to
whom, how much, and using which protocols. From each packet we can usually glean some little hint about which
machines exist, who is providing what services, and how heavily connected each machine is. lanmap regularly
generates a snapshot in the form of a human-readable 2D network graph.
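As an added illustration of the accounting just described, here is a Python sketch of the same idea; it is example code written for this page, not lanmap's own C. It parses Ethernet II frames only far enough to identify the two endpoints and the protocol, tallies bytes per host and per undirected link, and emits a Graphviz graph whose edges carry the most-used protocol and the byte count for that link. The frames are constructed inline (not captured), and `LanMap`, `parse_frame` and the other names are chosen here rather than taken from lanmap.

```python
import struct
from collections import Counter, defaultdict

# EtherType values (Ethernet II, RFC 894); IP protocol numbers from the IANA registry
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def human(nbytes):
    """Byte count in human-readable units (1024-based), e.g. 1536 -> '1.5KB'."""
    value = float(nbytes)
    for unit in ("B", "KB", "MB", "GB"):
        if value < 1024 or unit == "GB":
            return f"{int(value)}B" if unit == "B" else f"{value:.1f}{unit}"
        value /= 1024


def parse_frame(frame):
    """Return (src, dst, protocol, size) for one Ethernet II frame, or None.

    Ethernet II header: dst MAC (6), src MAC (6), EtherType (2).
    IPv4 header (RFC 791): protocol at offset 9, src/dst addresses at 12-19.
    Anything not understood is skipped rather than guessed at.
    """
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETH_P_IP and len(frame) >= 34 and (frame[14] >> 4) == 4:
        proto = frame[23]
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
        return src_ip, dst_ip, IP_PROTO_NAMES.get(proto, f"ip-proto-{proto}"), len(frame)
    if ethertype == ETH_P_ARP:
        return mac_str(src_mac), mac_str(dst_mac), "ARP", len(frame)
    return None


class LanMap:
    """Passive accounting: bytes per host, and bytes per protocol per undirected link."""

    def __init__(self):
        self.hosts = Counter()
        self.links = defaultdict(Counter)

    def observe(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return False
        src, dst, proto, size = parsed
        self.hosts[src] += size
        self.hosts[dst] += size
        self.links[tuple(sorted((src, dst)))][proto] += size  # A<->B is the same link as B<->A
        return True

    def top_protocol(self, a, b):
        """Most-used protocol on the link between a and b, or None if never seen."""
        protos = self.links.get(tuple(sorted((a, b))))
        return protos.most_common(1)[0][0] if protos else None

    def to_dot(self):
        """Graphviz source; render with: twopi -Tsvg -o lan.svg graph.dot"""
        lines = ["graph lan {", "  layout=twopi;"]
        for host, size in sorted(self.hosts.items()):
            lines.append(f'  "{host}" [label="{host}\\n{human(size)}"];')
        for (a, b), protos in sorted(self.links.items()):
            lines.append(f'  "{a}" -- "{b}" [label="{self.top_protocol(a, b)} {human(sum(protos.values()))}"];')
        lines.append("}")
        return "\n".join(lines)


# --- constructed sample traffic (not a real capture) --------------------------
def ip4(addr):
    return bytes(int(x) for x in addr.split("."))


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    """Minimal Ethernet II + IPv4 frame; checksum left zero, enough for header parsing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip4(src_ip), ip4(dst_ip))
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETH_P_IP) + ip_hdr + payload)


SAMPLE_FRAMES = [
    ipv4_frame("00:11:22:33:44:05", "00:11:22:33:44:01", "10.0.0.5", "10.0.0.1", 6, b"\0" * 100),  # TCP request
    ipv4_frame("00:11:22:33:44:01", "00:11:22:33:44:05", "10.0.0.1", "10.0.0.5", 6, b"\0" * 400),  # TCP reply
    ipv4_frame("00:11:22:33:44:05", "00:11:22:33:44:01", "10.0.0.5", "10.0.0.1", 17, b"\0" * 50),  # UDP
    ipv4_frame("00:11:22:33:44:07", "00:11:22:33:44:01", "10.0.0.7", "10.0.0.1", 1, b"\0" * 56),   # ICMP
    bytes.fromhex("ffffffffffff001122334409") + struct.pack("!H", ETH_P_ARP) + b"\0" * 28,        # ARP broadcast
    b"\0" * 10,  # runt frame: ignored
]


def build_sample_map():
    lanmap = LanMap()
    for frame in SAMPLE_FRAMES:
        lanmap.observe(frame)
    return lanmap


if __name__ == "__main__":
    print(build_sample_map().to_dot())
```

Piping the output through `twopi` (or `neato`) gives the same kind of circular picture lanmap produces; a real version would feed `observe()` from a libpcap loop instead of `SAMPLE_FRAMES` and rewrite the graph on a timer.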
- I have a big network and lanmap only shows me part of it!
- Indeed. lanmap is passive, so it only sees traffic that reaches its own interface; it won't see past switches.
- Does lanmap scan my network?
- No. lanmap generates no network traffic whatsoever. lanmap simply listens.
- Is lanmap a cracker tool?
- No, lanmap is passive and cannot be used to scan or test your network for vulnerabilities or exploit them.
- Is lanmap a security hazard?
- Maybe. lanmap can't be used to gain access and it doesn't scan. It just represents the network traffic
it sees in an interesting and useful way. You already need to be on a network in order to use it. If someone
you don't trust already has access to your network, lanmap is not going to be your problem.
However, in order to gather the most data lanmap must run libpcap in "promiscuous mode", which allows us to
look at traffic that isn't intended for us. Opening the interface that way requires root, which means lanmap must run as root. Any application running
as root is a potential liability, and lanmap has not been audited for security, meaning no guarantees can be made that there
aren't any bugs.
So, is it a security risk? In a tightly controlled environment, yes. If your normal user account is root or Administrator, then
not so much.
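The usual way to limit that liability is to do only the privileged step as root and give root up before parsing a single untrusted byte. The following is an added example written for this page, not lanmap's code, and it assumes a Linux host (AF_PACKET sockets) and an unprivileged uid/gid of 65534, the common "nobody" account: it opens a promiscuous raw socket, drops privileges irreversibly, checks that root cannot be regained, and only then starts reading frames.

```python
import os
import socket
import struct

# Linux-only constants from linux/if_ether.h and linux/if_packet.h (assumed platform).
ETH_P_ALL = 0x0003              # receive every protocol, not just IP
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1
UNPRIVILEGED_UID = 65534        # "nobody" on most Linux systems; assumed default for this example
UNPRIVILEGED_GID = 65534


def promisc_membership(ifindex):
    """struct packet_mreq { int ifindex; unsigned short type; unsigned short alen; unsigned char address[8]; }"""
    return struct.pack("iHH8s", ifindex, PACKET_MR_PROMISC, 0, b"\0" * 8)


def open_promiscuous(iface):
    """Open a raw socket that sees every frame on iface. This is the only step that needs root (CAP_NET_RAW)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, promisc_membership(socket.if_nametoindex(iface)))
    return sock


def drop_privileges(uid=UNPRIVILEGED_UID, gid=UNPRIVILEGED_GID):
    """Irreversibly give up root, then prove it by failing to get it back.

    Order matters: supplementary groups first, then gid, then uid; once the uid
    has changed the first two calls would no longer be permitted.
    """
    if os.geteuid() != 0:
        raise RuntimeError("not running as root; nothing to drop")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: process could regain root")


def capture(iface, nframes):
    """Privileged open, drop root, and only then start handling untrusted bytes."""
    sock = open_promiscuous(iface)
    drop_privileges()
    return [sock.recv(65535) for _ in range(nframes)]


if __name__ == "__main__":
    # needs root to open the socket: sudo python3 this_file.py
    for frame in capture("eth0", 5):
        print(len(frame), "bytes, ethertype", frame[12:14].hex())
```

Everything after `drop_privileges()` (the parsers, the hash tables, the graph writer) then runs as nobody, so a parsing bug in that code is worth far less to whoever crafted the packet that triggered it.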
- now generating SVG images instead of PNG... this actually saves a LOT of CPU upon generation, and uses more on rendering,
which is a good trade-off.
- IPv6 fixes... still more to come, IPv6 is pretty complicated and i don't understand all of it yet
- rev 106
- IPv6 support should work much better now. various IPv6 changes, including adding support for Teredo (tunneling IPv6 over IPv4 UDP).
- printer support - fixed detection of printers over IPX SAP, now they show up! IPX SAP support also gets us some file
servers that broadcast over IPX.
- more detail - bandwidth is now reported in human-readable format, and the most-used protocol for each link is reported.
- more recognition - added detection and accounting for many new protocols, but not full support. for instance,
now we can account for SNMP traffic for reporting purposes, though we don't actually parse the SNMP.
- carterman fixed up the solution files for win32.
- got a copy of Windows NT 4 SP1 and SP3 upgrade as well as Redhat Linux 5.2 in the mail today. installed
them in VMWare, studying their network activity. DHCP DISCOVER and REQUEST msgs actually differ slightly between NT 4 SP1 and
SP3! Redhat is being a pain in the ass. i still have no idea how exactly Ping "Identifiers" are chosen by Windows.
been spending all my spare time on lanmap, my project to turn passively-collected lan traffic into a single cohesive
graph. a lot of my time has been spent on OS detection... it is quite possible to discern, from a small amount of basic
passively-collected network traffic, what operating system is sending it.
i've installed the excellent VMWare and have been trying to get my hands on all OSes
i can to test them. so far: linux 2.x, (net|free|open|dragonfly)bsd, mac os (9|x), win(98|nt4|2k-sp[1-6]|xp-sp), cisco ios
and novell netware. i'm trying to get my hands on linux 1.x, dos, win95, win3.1 and i still need to figure out how to ID
i need the following data for research, if you're interested: network captures (.pcap format if possible, check out
ethereal) of basic network activity (web browsing, pings/pongs) from a known machine or
machines along with a list of IPs -> Operating System. be as specific as possible with OS, WinXP won't cut it,
i need Windows XP Pro 2002 Service Pack 2 + firewall. i'm not interested in the content of the web page you're browsing,
or to whom you're sending PINGs; i'm interested in the actual structure of the packet headers.
in particular i'd like caps of the following OSes:
- WinXP pre-SP1
- Windows Vista Beta
- Linux 2.0 and 1.x-based distros
- Windows 3.11
- Windows 95
- Windows 98
- Windows ME
- Windows NT 3.51
- Windows NT 4 various Service Packs
- Solaris, any version
- Cisco IOS, any version
- DOS, any version
- MacOS 8 or earlier
- OS/2, any version
- any dedicated routers/firewalls
- any embedded OS
- anything running on non-x86 platforms
- anything weird i haven't mentioned that supports ethernet
email the pcap files to parseerror *at* gmail. thanks in advance!
lanmap should compile and run on Linux, Windows and the BSDs (including OS X); lemme know. you'll need:
- libpcap (NOTE: the windows version is included in the project; *nix probably already has it, it's
part of the ubiquitous tcpdump)
- graphviz to generate the resulting graphs
you can get a zip of the current repository lanmap-current.zip, or if you're interested
in possibly contributing....
svn co svn://parseerror.dyndns.org/lanmap/trunk/ lanmap
get subversion: TortoiseSVN (a great tool for windows) and for the rest of you,
official subversion packages
*nix users can just type make; windows users need Visual Studio .NET to compile the .sln
(the .proj might work in VS6, haven't tried)
on *nix, run with superuser privileges (yes, that sucks and is inherently more dangerous).
every 60 seconds (default) the file graph/lanmap.png will be updated with the latest and greatest picture of the network,
as the box you're running on sees things.
- Operating System Family Trees:
moved the svn server off of my workstation onto a real machine, yay. should be more accessible.
i've been busy the last few weeks working on producing a visual map of a live network using only passively-collected traffic.
using libpcap to fetch raw traffic and using graphviz
to produce the visuals, i wrote a couple thousand lines of C to parse and keep track of many different types of
the OS detection stinks and some stuff is wrong, but it's actually not a bad representation. so far it parses Ethernet2, IEEE 802.3,
LLC, CDP, STP, ARP, IP, UDP, TCP, IPX, SAP, ICMP, BOOTP and NETBIOS datagram. i've attempted DNS, what a nightmare DNS is to parse.
i'm not using any database to store the data, it's all in hash tables, which keeps the app more self-contained and keeps
dependencies low, but limits the kind of reporting i can do. there's still lots to improve... i've been looking at Michal Zalewski's
p0f tool; it is much more elegant, simple and fool-proof than my OS detection,
i should probably incorporate it.
it is amazing what machines will send out to the network... the ethernet manufacturer is obtainable from the MAC address prefix, most
OSes will send out their OS name and version in the "vendor class" entry of a BOOTP message, OS hints can be found in
ICMP echo requests (pings) and traceroute pings, and the OS is determinable from most HTTP User-Agent strings. some of that is
easily faked. p0f, on the other hand, can detect most OSes purely by analyzing TCP SYN headers against a database of
known fingerprints, and can also detect things like NAT and firewalls; not quite sure how yet.
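To make the two kinds of hint concrete, here is an added Python example (written for this page; it is neither lanmap's nor p0f's code). It pulls the vendor class identifier (DHCP option 60) out of a DHCP message, and builds a p0f-style signature tuple from the IP and TCP header fields of a SYN: initial-TTL guess, DF bit, window size, MSS, window scale and the order of the TCP options. The DHCP message and both SYN packets are constructed inline; the "Windows-like" SYN is shaped after the well-known pattern of TTL 128, DF, a 65535 window and MSS,NOP,NOP,SACK-OK, the "Linux-like" one after TTL 64, DF, a window of 4 x MSS and MSS,SACK-OK,TS,NOP,WS. No fingerprint database is included: matching the tuple against one is p0f's job, and this code only produces the key.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 cookie that starts the DHCP options field
OPT_VENDOR_CLASS = 60              # RFC 2132 "vendor class identifier"


def parse_dhcp_options(udp_payload):
    """Map option code -> raw value from a BOOTP/DHCP message.

    Options are TLV (code, length, value); code 0 is a single pad byte and
    255 ends the list. A truncated option stops parsing rather than reading
    past the end of the buffer.
    """
    start = udp_payload.find(DHCP_MAGIC)
    if start < 0:
        return {}
    i, options = start + 4, {}
    while i < len(udp_payload):
        code = udp_payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 2 > len(udp_payload):
            break
        length = udp_payload[i + 1]
        value = udp_payload[i + 2:i + 2 + length]
        if len(value) < length:
            break
        options[code] = value
        i += 2 + length
    return options


def dhcp_vendor_class(udp_payload):
    """OS hint from option 60 (Windows clients announce e.g. 'MSFT 5.0'); trivially forged."""
    value = parse_dhcp_options(udp_payload).get(OPT_VENDOR_CLASS)
    return value.decode("ascii", "replace") if value else None


def tcp_syn_signature(ip_packet):
    """p0f-style key from an IPv4 packet carrying a pure TCP SYN:
    (initial-TTL guess, DF bit, window, MSS, window scale, option order).
    Only header fields are read; returns None for anything that is not a SYN."""
    ihl = (ip_packet[0] & 0x0F) * 4
    ttl, df = ip_packet[8], bool(ip_packet[6] & 0x40)
    tcp = ip_packet[ihl:]
    if len(tcp) < 20 or (tcp[13] & 0x12) != 0x02:      # SYN set, ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]                   # options live between the fixed header and data offset
    order, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP has no length byte
            order.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                       # malformed option: stop rather than misread
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
            order.append("mss")
        elif kind == 3 and len(data) == 1:
            wscale = data[0]
            order.append("ws")
        else:
            order.append({4: "sok", 8: "ts"}.get(kind, f"opt{kind}"))
        i += length
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)  # nearest common default TTL
    return initial_ttl, df, window, mss, wscale, ",".join(order)


# --- constructed samples (not captured traffic) ------------------------------
def dhcp_discover(vendor_class):
    """Zeroed 236-byte BOOTP header, cookie, option 53 (DISCOVER), option 60, a pad, end."""
    return (b"\0" * 236 + DHCP_MAGIC + b"\x35\x01\x01"
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class + b"\x00\xff")


def syn_packet(ttl, df, window, options):
    """IPv4 + TCP SYN with the given header traits; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(options)) // 4) << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + tcp


SAMPLE_DISCOVER = dhcp_discover(b"MSFT 5.0")
WINDOWS_LIKE_SYN = syn_packet(128, True, 65535, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
LINUX_LIKE_SYN = syn_packet(64, True, 5840,
                            b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\0" * 8 + b"\x01\x03\x03\x07")

if __name__ == "__main__":
    print("DHCP vendor class:", dhcp_vendor_class(SAMPLE_DISCOVER))
    print("SYN signatures:", tcp_syn_signature(WINDOWS_LIKE_SYN), tcp_syn_signature(LINUX_LIKE_SYN))
```

The DHCP hint is a string the client chose to send, so it is only as trustworthy as the client; the SYN tuple is harder to fake casually because it reflects the sender's TCP stack, which is why p0f leans on it. Both parsers stop on truncated or malformed options instead of reading past the buffer, which matters for code that is going to chew on every frame a hostile network offers it.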
other things i need to figure out are how to better handle traffic to/from gateways, and how to come up with a more informative
visual representation of machines based on what i know about them. also, identification of printers, and better handling of
bridges and routers.
this graph was generated using graphviz's `twopi` program, which generates a circular undirected graph... the `neato` program
generates better output, but crashes when using external images as nodes, i'm trying to debug and correct this error...
svn co svn://parseerror.dyndns.org/lanmap/trunk/ lanmap
so far the code has been compiled using gcc 3.3.5 on linux and gcc 4.0 on mac os x. the project isn't mature or robust, but
it probably won't crash, definitely won't disrupt your network and just might show you something interesting.
if you can compile it and run it i'd be interested to see what your graphs look like.