Automated NetworkTopology Detection

Ryan Twomey ’06

Advisor: Prof. Jerry Breecher

Project Goals

1. To create a system that automatically determines the network topology with minimal user intervention

2. Portable: can be used in any network environment, regardless of complexity

3. Graphical user interface that allows editing and saving in common file format

Intended Uses

• Real-time monitoring for systems administrators, analysts, and managers

• Intrusion-detection/security systems

• IT asset tracking

• Improved performance routing and fault-tolerance (rerouting)

Topology Detection Methods

Existing Methodologies• SNMP Only

– Ask routers what their routing tables and active hosts databases are

• Ping broadcast + SNMP followup– Send pings to all possible IPs and ask routers/PC’s for

additional information

• Ping broadcast + Subnet Hopping– Send pings to all possible IPs and guess that subnets are at

early IP addresses (if found, jump to that subnet and continue)

• DNS discovery + Traceroute– Determine all hosts on network via DNS and trace routes to

each host found this way

• Ping broadcast + Traceroute– Send pings to all possible IPs and trace route to each host

Comparison of Methods

Methodology Advantages Drawbacks OverallSNMP only Lots of info Not easily accessible Very poor

Ping broadcast + SNMP

Complete/lots of info

Pings dropped/not easily accessible

Poor to Average

Ping broadcast + Subnet hopping

Complete Pings dropped/subnets not setup

Poor to Average

DNS discover + traceroute

Names + routes DNS not setup/trace packets dropped

Average to Good

Ping broadcast + traceroute

Complete + routes

Ping and trace packets dropped

Good

Difficulties with all Methods

• Transparent devices: can’t find everything– Switches, hubs

– Non-addressable devices

• Difficulty determining device type

• Security implications & configuration of SNMP/pings/DNS

• Potential for flooding

• Determining link types (timing unreliable)

My Method

• Chose Ping broadcast + Traceroute method– Best success rates/relatively easy to implement

• Can be improved by combining methods– Add SNMP for increased info gathering

– Correlate routing tables for finding networks

• Fallback methods (if pings dropped, attempt DNS detection, etc)

Ping & Traceroute Method

• For each host, see if it’s alive

• If so, attempt to trace the route to it using successively larger TTL’s

Finding Hosts (Ping Step)

• Send ICMP echo packet

• Response?

– Yes: Save host to trace route

– No: Try again up to 3 times

Finding Route to Host

• Send ICMP packets with TTL of 0, 1, …, 30

• Forces each router to determine packet

“expired” and sends error packet back to us

• When host is reached, route is finished

TTL = 0 TTL = 1+

Enhanced Info Gathering

• SNMP– Type of device and current status

– Not available on all devices

– Security implications

• User-input– Slow & prone to becoming out of date

• NMAP– Only guesses based on TCP “fingerprinting”

NMAP• Open Source, cross-platform network

scanner

• Can “fingerprint” host:– Sends UDP & TCP packets to host– Checks response bits, TCP window size, etc– 1500 OS’s in database

Watches all network trafficto and from host

Netdiscover

An implementation to automatically detect network topology

Netdiscover Technologies

SVG

C

Threads

AJAXJava

JavascriptServlets

JNI

CSS

Make

HTML

JAR

Jetty

RouterEthernet

Tomcat

Ant

daemon

Switch

Apache

Mutex

DOM

Adobe SVG

XML

Hub

Firewall

RSP

SNMP

NMAP

ICMP

TCP

IP

Me JSP

WAR

Netdiscover Implementation

• C Library– Necessary for speed and to access raw sockets

– Easily portable (any POSIX/Socket system)

– Bindings for other languages (Java, Perl, etc)

• Java implementation using JNI & custom “glue”

• Two usage models:– Find all hosts and routes on class A/B/C/D network

– Determine if host is up & route to it (a la carte method)

Java Native Interfaces

• Sun technology to access methods in other languages via Java

• Create Java “glue” code that translates custom C data structures to palatable Java classes

VM

OS

The JNI Toolchain

The JNI Toolchain

Glue code

Implementation

What the user sees

Includes Netdiscover library code

Language Toolchain

Language Toolchain

JNI

Drawing

Most recent web browsers natively

support SVG

Drawing Diagrams

• Use predefined SVG graphics for network elements (servers, switches, firewalls, etc)

– Scale these elements as necessary (zooming, fitting, etc)

• Draw network segments as large “cloud”

– Connect these clouds based on routes

• User editable: can add elements and links

Diagramming Algorithm

Network segments consist of routers, switches, hubs, etc

Hidden concentric circles used to align server elements

Diagramming AlgorithmOnce servers have been added, can draw link lines

Diagramming Algorithm

Additional concentric circles can be used if necessary

LET’S SEE A DEMO!

Graphic by Dan Jurgens. All Marvel characters and the distinctive likeness(es) thereof are Trademarks & Copyright (c) 1941-2005 Marvel Characters, Inc. ALL RIGHTS RESERVED.

LET’S SEE A DEMO!

Web

Graphic by Dan Jurgens. All Marvel characters and the distinctive likeness(es) thereof are Trademarks & Copyright (c) 1941-2005 Marvel Characters, Inc. ALL RIGHTS RESERVED.

Linking Network Segments

Next Steps

Automated Video Production

• Stores network topology changes in database

• Can generate SVG animation automatically based on these changes

• String together to form video showing changes over time

Mapping the Internet

• Robust diagramming technology

• Distributed client to minimize network traffic from any one source– Single reconciliation/serving point– Multiple locations test same points– Impossible to use point-to-point timing

• Regular/continuous updates

• Promote widespread usage of SVG

Sources

• Fairhurst, Gorry. Internet Control Messaging Protocol (ICMP). <http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp.html>

• Wikipedia. OSI Model. <http://en.wikipedia.org/wiki/OSI_model>

• Haden, Rhys. ICMP (Internet Control Messaging Protocol). <http://www.rhyshaden.com/icmp.htm>

• Newmarch, Jan. Java Native Interface. <http://jan.netcomp.monash.edu.au/internetdevices/jni/lecture.html>

• Spider-Man graphic by Dan Jurgens. All Marvel characters and the distinctive likeness(es) thereof are Trademarks & Copyright (c) 1941-2005 Marvel Characters, Inc. ALL RIGHTS RESERVED. <http://en.wikipedia.org/wiki/Image:BenR_SpiderMan.jpg>

• XML.com. An Introduction to Scalable Vector Graphics. <http://www.xml.com/pub/a/2001/03/21/svg.html>

• Mozilla Foundation. SVG in Firefox 1.5. <http://developer.mozilla.org/en/docs/SVG_in_Firefox_1.5>

Sources

Sources

• WWW Consortium. Scalable Vector Graphics (SVG). <http://www.w3.org/Graphics/SVG/>

• Wikipedia. AJAX (Programming). <http://en.wikipedia.org/wiki/AJAX>

• Mortbay/Consulting. Jetty Java HTTP Server. <http://jetty.mortbay.org/jetty/index.html>

• Sun Microsystems. J2EE: Java Servlet Technology. <http://java.sun.com/products/servlet/>

• Sun Microsystems. J2EE: Java Server Pages Technology. <http://java.sun.com/products/jsp/>

Sources

• O’Reilly Network. SVG On the Rise. <http://www.oreillynet.com/pub/a/javascript/2002/06/06/svg_future.html>

• Cisco Systems, Inc. Simple Network Management Protocol (SNMP). <http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm>

• Wikipedia. Simple Network Management Protocol. <http://en.wikipedia.org/wiki/Simple_network_management_protocol>

• Sun Microsystems. Java Native Interface. <http://java.sun.com/j2se/1.4.2/docs/guide/jni/>

Interesting Links

• NMAP Project: http://www.insecure.org/nmap/

• Apache Jakarta/Tomcat Project: http://jakarta.apache.org/

• Adobe SVG Viewer: http://www.adobe.com/svg/

• W3C SVG Standard: http://www.w3.org/Graphics/SVG/

• AJAX: http://developer.mozilla.org/en/docs/AJAX

• Javascript Effects Library: http://script.aculo.us/

• Open Clip Art Library. http://www.openclipart.org

• Draconis Software: RSP Network Management: http://www.dracoware.com/