/ lanmap


lanmap is abandoned; do with it as you please

I have a complete rewrite called lanmap2 that you might like; feel free to contribute

lanmap sits quietly on a network and builds a picture of what it sees.

  • What

    lanmap sits quietly on a network and builds a picture of what it sees.

  • Where

    Linux users: sudo apt-get install lanmap

    or even better to get lanmap2: git clone

    otherwise there is a horrible, but popular, zipped snapshots of revisions.


    Before you install lanmap, install graphviz. lanmap uses it.

    Linux/BSD users: you'll need libpcap installed; good news is you may already have it (tcpdump uses it). libpcap is included with the Windows project.

  • Why

    I wrote lanmap because I realized that there is almost always a disparity between what people think is happening on a computer network and what is actually happening. There are many clues right under our noses, but it is difficult to get the 'big picture' with a tool like tcpdump

  • How?

    lanmap simply listens to all available traffic on the interface of your choice, figures out who's talking to who, and how much and using which protocols. from each packet we can usually glean some little hint at which machines exist, who is providing what services, and how heavily connected each machine is. lanmap regularly generates a snapshot in the form of a human-readable 2d network graph.

  • FAQ

    I have a big network and lanmap only shows me part of it!
    Indeed. lanmap is passive and won't work beyond switches.
    Does lanmap scan my network?
    No. lanmap generates no network traffic whatsoever. lanmap simply listens.
    Is lanmap a cracker tool?
    No, lanmap is passive and cannot be used to scan or test your network for vulnerabilities or exploit them.
    Is lanmap a security hazard?
    Maybe. lanmap can't be used to gain access and it doesn't scan. It just represents the network traffic it sees in an interesting and useful way. You already need to be on a network in order to use it. If someone you don't trust already has access to your network, lanmap is not going to be your problem.

    However, in order to gather the most data lanmap must run libpcap in "promiscuous mode" which allows us to look at traffic that isn't intended for us. This requires root, which means lanmap must run as root. Any application running as root is a potential liability, and lanmap has not been audited for security, meaning no gaurentees can be made that there aren't any bugs.

    So, is it a security risk? In a tightly controlled environment, yes. If your normal user account is root or Administrator, then not so much.

  • News

      • now generating SVG images instead of PNG... this actually saves a LOT of cpu upon generation, and uses more on rendering, which is a good trade-off.

        SVG viewing:

      • IPv6 fixes... still more to come, IPv6 is pretty complicated and i don't understand all of it yet
    • rev 106
      • IPv6 support should work much better now. various IPv6 changes, including adding support for Teredo (tunneling IPv6 over IPv4 udp).
      • printer support - fixed detection of printers over IPX SAP, now they show up! IPX SAP support also gets us some file servers that broadcast over IPX.
      • more detail - bandwidth is now reported in human-readable format, and the most-used protocol for each link is reported.
      • more recognition - added detection and accounting for many new protocols, but not full support. for instance, now we can account for SNMP traffic for reporting purposes, though we don't actually parse the SNMP.
      • carterman fixed up the solution files for win32.
    • got a copy of Windows NT 4 SP1 and SP3 upgrade as well as Redhat Linux 5.2 in the mail today. installed them in VMWare, studying their network activity. DHCP DISCOVER and REQUEST msgs actually differ slightly between NT 4 SP1 and SP3! Redhat is being a pain in the ass. i still have no idea how exactly Ping "Indentifiers" are chosen by Windows.
    • been spending all my spare time on lanmap, my project to turn passively-collected lan traffic into a single cohesive graph. a lot of my time has been spent on OS detection... it is quite possible to discern, from a small amount of basic passively-collected network traffic, what operating system is sending it. i've installed the excellent VMWare and have been trying to get my hands on all OSes i can to test them. so far: linux 2.x, (net|free|open|dragonfly)bsd, mac os (9|x), win(98|nt4|2k-sp[1-6]|xp-sp[012]), cisco ios and novell netware. i'm trying to get my hands on linux 1.x, dos, win95, win3.1 and i still need to figure out how to ID printers.

      i need the following data for research, if you're interested: network captures (.pcap format if possible, check out ethereal) of basic network activity (web browsing, pings/pongs) from a known machine or machines along with a list of IPs -> Operating System. be as specific as possible with OS, WinXP won't cut it, i need Windows XP Pro 2002 Service Pack 2 + firewall. i'm not interested in the content of the web page you're browsing, or to whom you're sending PINGs; i'm interested in the actual structure of the packet headers. in particular i'd like caps of the following OSes:

      • WinXP pre-SP1
      • Windows Vista Beta
      • Linux 2.0 and 1.x-based distros
      • Windows 3.11
      • Windows 95
      • Windows 98
      • Windows ME
      • Windows NT 3.51
      • Windows NT 4 various Service Packs
      • Solaris, any version
      • Cisco IOS, any version
      • DOS, any version
      • MacOS 8 or earlier
      • OS/2, any version
      • any dedicated routers/firewalls
      • any embedded OS
      • anything running on non-x86 platforms
      • anything weird i haven't mentioned that supports ethernet
      email the pcap files to parseerror *at* gmail. thanks in advance!

      lanmap should compile and run on Linux, Windows and the BSDs (including OS X); lemme know. you'll need:

      • libpcap (NOTE: the windows version is included in the project; *nix probably already has, it's part of the ubiquitous tcpdump)
      • graphviz to generate the resulting graphs
      you can get a zip of the current repository, or if you're interested in possibly contributing....

      svn co svn:// lanmap

      get subversion: TortoiseSVN (a great tool for windows) and for the rest of you, official subversion packages

      *nix users can just type make, windows users need Visual Studio .NET to compile the .sln (the .proj might work in VS6, haven't tried)

      on *nix, run with superuser privileges (yes, that sucks and is inherently more dangerous)

      every 60 seconds(default) the file graph/lanmap.png will be updated with the latest and greatest picture of the network, as the box you're running on sees things.

    • Operating System Family Trees:
    • moved the svn server off of my workstation onto a real machine, yay. should be more accessible.
    • i've been busy the last few weeks working on producing a visual map of a live network using only passively-collected traffic. using libpcap to fetch raw traffic and using graphviz to produce the visuals, i wrote a couple thousands of lines of C to parse and keep track of many different types of network traffic. the OS detection stinks and some stuff is wrong, but it's actually not a bad representation. so far it parses Ethernet2, IEEE 802.3, LLC, CDP, STP, ARP, IP, UDP, TCP, IPX, SAP, ICMP, BOOTP and NETBIOS datagram. i've attempted DNS, what a nightmare DNS is to parse. i'm not using any database to store the data, it's all in hash tables, which keeps the app more self-contained and keeps dependencies low, but limits the kind of reporting i can do. there's still lots to improve... i've been looking at michael zalewski's p0f tool; it is much more elegant, simple and fool-proof than my OS detection, i should probably incorporate it.

      it is amazing what machines will send out to the network... ethernet manufacturer is mantainable by MAC address prefix, most OSes will send out OS name and version in the "vendor class" entry of a BOOTP message, OS hints can be found in ICMP echo requests (pings) and traceroute pings. OS is determinable from most HTTP User-Agent strings. some of that is easily faked. p0f on the other hand, can detect most OSes purely by analyzing TCP SYN headers against a database of known fingerprints, and can also detect things like NAT and firewalls, not quite sure how yet.

      other things i need to figure out is how better to handle traffic to/from gateways, and also come up with a more informative visual representation of machines based on what i know about them. also, identification of printers, and better handling of bridges and routers.

      this graph was generated using graphviz's `twopi` program, which generates a circular undirected graph... the `neato` program generates better output, but crashes when using external images as nodes, i'm trying to debug and correct this error...

      svn co svn:// lanmap

      so far the code has been compiled using gcc 3.3.5 on linux and gcc 4.0 on mac os x. the project isn't mature or robust, but it probably won't crash, definitely won't disrupt your network and just might show you something interesting. if you can compile it and run it i'd be interested to see what your graphs look like.