Monitoring the network
Smoot Carl-Mitchell
smoot at tic.com
Mon Jan 26 19:14:43 UTC 2009
On Mon, 2009-01-26 at 08:20 -0500, Bart Silverstrim wrote:
> If I have a range of IPs that I *know* should be populated by particular
> machines, but there are gaps in the IP range that are designated "to be
> filled" and I want to watch to make sure nothing "appears" in them is
> there a way to have my Ubuntu machine watch and notify me if activity
> appears on those IP's that should be empty but aren't, preferably by email?
>
> Ideally I could have a text file of IP's and machine names, or at least
> IP's in that range that should be full so that if something appeared as
> activity on other addresses they'd be flagged and I'd be emailed that "a
> machine named $HOSTNAME was found on $IP with MAC address of $MAC"
>
> Is there a simple script or application that can do something like this?
> I know it wouldn't be comprehensive since my computer isn't a gateway
> and seeing ALL traffic but I'm thinking it should see, or chances are
> would see, traffic from ARP "who has" requests or something similar on a
> windows network, and at least be another layer of monitoring.
nmap is probably useful here. Something like:
nmap -sP -iL <input IP list filename> -oG - | grep -v '^#' | mailx -e -s 'Network scan' user at domain
is a simple hack. Please note the "grep" output (-oG) of nmap is
deprecated and for more sophisticated reporting, you might want to
consider producing XML output. See the nmap man page for details. This
pipeline will only send email if a host is pingable (e.g. the -e flag to
mailx enforces not sending an empty mail message).
I am sure there are other more sophisticated tools out there to do this
type of monitoring, but the above may be all you need.
--
Smoot Carl-Mitchell
Computer Systems and
Network Consultant
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
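
The XML route mentioned in the reply, sketched as an added example that is not part of the original message: it reads nmap's XML output (-oX), drops every live host listed in an inventory file, and builds the alert text the question asked for. It goes a step beyond the one-liner by scanning the whole range and subtracting the known machines; the sample XML, the "IP name" inventory format and all function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sP -oX -` output (documentation IPs and MACs).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:0A" addrtype="mac"/>
    <hostnames><hostname name="fileserver.example" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.23" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:17" addrtype="mac"/>
  </host>
  <host><status state="down" reason="no-response"/><address addr="192.0.2.24" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed inventory; the "IP name" layout with '#' comments is an assumption.
SAMPLE_INVENTORY = "# known machines\n192.0.2.10 fileserver\n192.0.2.11 printer\n"

def load_inventory(text):
    """Return the set of IPs that are expected to be populated."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {fields[0] for fields in rows if fields}

def unexpected_hosts(xml_text, expected):
    """Return (ip, mac, hostname) for every host that is up but not in the inventory."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        ip = addrs.get("ipv4") or addrs.get("ipv6")
        if ip is None or ip in expected:
            continue
        name = host.find("hostnames/hostname")
        # nmap only reports a MAC for hosts on the scanner's own segment (run as root).
        found.append((ip, addrs.get("mac", "unknown"),
                      name.get("name") if name is not None else "unknown"))
    return found

def report(found):
    """Build one alert line per unexpected host; empty string when nothing was found."""
    return "\n".join(f"a machine named {h} was found on {ip} with MAC address of {mac}"
                     for ip, mac, h in found)

if __name__ == "__main__":
    alert = report(unexpected_hosts(SAMPLE_XML, load_inventory(SAMPLE_INVENTORY)))
    if alert:
        print(alert)  # print nothing when clean, so `mailx -e` sends no mail
```

In use, the sample string would be replaced by the XML read from a scan of the full range, and the script's output piped to mailx -e as in the pipeline above.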