4

I have been tasked with enabling the local firewall on 100+ servers. The systems are running many different applications using many different ports. I began with an nmap scan, but without going to each system and watching the data flow (tcpdump) I can't think of a way that I can see if those open ports are actually being connected to and utilized. I know there are likely difficult ways to do this, but i'm hoping there's an easy one too.

Is there a tool/script out there that will watch open ports (like netstat) over time (unlike netstat without fancy scripting) and put the results into some archival/log form?

moniker
  • 85
  • 5

3 Answers3

2

What kind of switch/routing gear is in the middle of all this? The reason I ask is that this seems to be a perfect case for sampling netflow data from your switches. This would, of course, require network gear that supports exporting netflow data, though.

Short of that, all I can think of would be running tcpdump on each host and then aggregating the data somehow. This should be easily scriptable, though, if need be.

EEAA
  • 109,363
  • 18
  • 175
  • 245
  • I just asked the network guys if our gear supports netflow and they said yes. I have played with ntop in the past, and have a pretty decent understanding of packet structures but I have never produced or interacted with a netflow. How steep is the learning curve (given that I am already familiar with grep/awk/sed parsing tools) – moniker Aug 23 '10 at 19:57
  • Honestly, someone else will need to speak to that. Being that I'm in the systems group at $WORK (not the network group), I don't have a whole lot of experience with netflow. I just knew enough to realize that this would be an ideal use for it. One very nice thing about netflow is that you don't need to capture every packet like you would with tcpdump. You can get stats on, say one out of every ten packets, leaving you with a much more manageable data set. – EEAA Aug 23 '10 at 20:02
1

I'd go with tcpdump and nmap: first I'd scan the target machines looking for open ports and assume that those ports are in use, with the goal of narrowing down your tcpdump portrange parameter for TCP and UDP. I'd then run tcpdump -w /some/file.pcap portrange <your_nmap_range> for a day or week or whatever and grep it afterwards for established connections.

You may also be able to do something similar with perfmon if you want to stick Windows. I'm pretty sure there's TCP/IP counters and they may also include the process id that you can narrow down.

You may also find tcpview of use from Sysinternals, but I don't know if it can log or not.

gravyface
  • 13,957
  • 19
  • 68
  • 100
  • I considered using nmap and windump (tcpdump for windows) but it seems like such a pain - scan a host, isolate ports discovered, watch the traffic, parse the resulting logs x100. > – moniker Aug 23 '10 at 21:12
  • No doubt. I guess Netflow would work, but are these hosts all on the same network? Depending on the switch(es) capabilities, you could also port mirror and perhaps setup something like Cacti to give you some aggregate data per host, per port, etc. – gravyface Aug 24 '10 at 00:35
  • Yes - they are all on the same network. – moniker Aug 24 '10 at 16:15
0

This sounds like a "right tool" for the job type of question. I love a good command line; however, for something like this you really want to investigate GUI and database-backed tools that will do automatic network dependency mapping. Numerous vendors sell such a thing, and many offer 30 day free trials (Ipswitch WhatsUp immediately comes to mind).

cixelsyd
  • 291
  • 1
  • 4