Monitoring the network
smoot at tic.com
Mon Jan 26 19:14:43 UTC 2009
On Mon, 2009-01-26 at 08:20 -0500, Bart Silverstrim wrote:
> If I have a range of IPs that I *know* should be populated by particular
> machines, but there are gaps in the IP range that are designated "to be
> filled" and I want to watch to make sure nothing "appears" in them is
> there a way to have my Ubuntu machine watch and notify me if activity
> appears on those IP's that should be empty but aren't, preferably by email?
> Ideally I could have a text file of IP's and machine names, or at least
> IP's in that range that should be full so that if something appeared as
> activity on other addresses they'd be flagged and I'd be emailed that "a
> machine named $HOSTNAME was found on $IP with MAC address of $MAC"
> Is there a simple script or application that can do something like this?
> I know it wouldn't be comprehensive since my computer isn't a gateway
> and seeing ALL traffic but I'm thinking it should see, or chances are
> would see, traffic from ARP "who has" requests or something similar on a
> windows network, and at least be another layer of monitoring.
nmap is probably useful here. Something like:
nmap -sP -iL <input IP list filename> -oG - | grep -v '^#' | mailx -e -s 'Network scan' user at domain
is a simple hack. Please not the "grep" output (-oG) of nmap is
deprecated and for more sophisticated reporting, you might want to
consider producing XML output. See the nmap man page for details. This
pipeline will only send email if a host is pingable (e.g. the -e flag to
mailx enforces not sending an empty mail message).
I am sure there are other more sophisticated tools out there to do this
type of monitoring, but the above may be all you need.
Computer Systems and
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
More information about the ubuntu-users