Cyberkit Other Tools for Windows

Unfortunately, some of the developers of these tools can't seem to decide whether they are writing for responsible users or crackers. As previously noted, some tools include questionable features, such as support for stealth scans or forged IP addresses. In general, I have described only those features for which I can see a legitimate use. However, sometimes there is no clear dividing line. For example, forged IP addresses can be useful in testing firewalls. When I have described such features, I assume that you will be able to distinguish between appropriate and inappropriate uses.

6.7 Microsoft Windows

Traditionally, commercial tools for network management have been developed for Unix platforms rather than Windows, and those available under Windows tended not to scale well. In the last few years this has been changing rapidly, and many of the standard commercial tools are now available for Windows platforms. A number of packages support IP scanning under Windows. These include freeware, shareware, and commercial packages. Generally, these products are less sophisticated than similar Unix tools. For example, stealth scanning is usually lacking under Windows. Personally, I'm not sure this is something to complain about. Nonetheless, there are a number of very impressive noncommercial tools for Windows. In fact, considering the quality and functionality of some of these free packages, it is surprising that the commercial packages are so successful. But free software, particularly in network management, seems to have a way of becoming commercial software over time, once it has matured and developed a following.

6.7.1 Cyberkit

One particularly impressive tool is Luc Neijens's cyberkit. The package works well, has a good help system, and implements a wide range of functions in one package. In addition to IP scanning, the program includes, among others, ping, traceroute, finger, whois, nslookup, and NTP synchronization. With cyberkit, you can scan a range of addresses within an address space or you can read a set of addresses from a file. Figure 6-3 shows an example of such a scan.

Figure 6-3. IP scan with cyberkit

Here you can see how to specify a range of IP addresses. The button to the right of the Address Range field will assist you in specifying an address range or entering a filename. If you want to use a file, you need enter only the path and name of a text file containing a set of addresses, one address per line. Notice that you can use the same tab to resolve addresses or do port scans of each address.

There are a number of other tools you might consider. getif, which makes heavy use of SNMP, is described in Chapter 7. You might also want to look at Sam Spade. Sam Spade is particularly helpful when dealing with spamming and other email-related problems.
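To see what the scan tab above does under the hood, here is an added example (not code from cyberkit or from this book) that accepts the same two kinds of input, a range such as 192.168.1.1-192.168.1.20 or a CIDR block, or a text file with one address per line, and runs a plain TCP connect scan with optional reverse lookup of each address. The port list and the comment syntax for the file are assumptions of the example. A connect scan is what these Windows tools do, since it needs no raw sockets; a port that neither answers nor refuses before the timeout is reported as filtered, which is exactly what a firewall that silently drops packets looks like from the outside.

```python
"""Expand an address range or a file of addresses and TCP-connect-scan each one.

Added example; not part of cyberkit or the book it is described in.
"""
import ipaddress
import os
import socket
import sys


def expand_range(spec):
    """Turn '192.168.1.1-192.168.1.20', '192.168.1.0/28' or a single
    address into a list of dotted-quad strings (assumed input syntax)."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError("range end precedes start: %s" % spec)
        return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]
    if "/" in spec:
        # strict=False lets 192.168.1.5/28 through, normalised to its network
        return [str(h) for h in ipaddress.IPv4Network(spec, strict=False).hosts()]
    return [str(ipaddress.IPv4Address(spec))]


def read_address_file(path):
    """One address, range or CIDR per line; blank lines and '#' comments skipped."""
    targets = []
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line:
                targets.extend(expand_range(line))
    return targets


def scan_host(addr, ports, timeout=0.5):
    """TCP connect scan: a completed three-way handshake means the port is open.
    Returns {port: 'open' | 'closed' | 'filtered'}. 'closed' is an active
    refusal (RST); 'filtered' is silence until the timeout, the signature of
    a firewall that drops rather than rejects."""
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            result[port] = "open"
        except socket.timeout:
            result[port] = "filtered"
        except OSError:
            result[port] = "closed"
        finally:
            s.close()
    return result


def resolve(addr):
    """Reverse lookup, as the scan tab's 'resolve' option does; None if no PTR."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: python scan.py 192.168.1.1-192.168.1.20   or   python scan.py hosts.txt
    spec = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    targets = read_address_file(spec) if os.path.isfile(spec) else expand_range(spec)
    for addr in targets:
        print(addr, resolve(addr), scan_host(addr, (22, 80, 443)))
```

Scanning from a file is handy when the targets are not contiguous, but remember that a connect scan completes the handshake and therefore shows up in the target's logs; that is the price of not needing raw sockets.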

6.7.2 Other Tools for Windows

The good news is that Tcl, Tk, scotty, and tkined are all available for Windows platforms. Tcl and Tk seem to be pretty stable ports. tkined is usually described as an early alpha port but seems to work fairly well. You'll want a three-button mouse. The interface is almost identical to the Unix version, and I have moved files between Windows and Unix platforms without problems. For example, you could create maps on one and move them to another for monitoring. Moreover, the tnm extensions have been used as the basis for additional tools available for Windows.

If you use Microsoft Exchange Server, a topology diagramming tool called emap can be downloaded from Microsoft. It will read an Exchange directory and automatically generate a Visio diagram for your site topology. Of course, you'll need Visio to view the results.

Finally, if you are using NetBIOS, you might want to look at the nbtstat utility. This command displays protocol statistics and current TCP connections using NetBIOS over TCP/IP (NBT). You can use this command to poll remote NetBIOS name tables, among other things. Calling the program with no options prints its basic syntax.
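nbtstat -A address works by sending a NetBIOS name service node-status query (RFC 1002, query type NBSTAT) to UDP port 137 on the remote host and printing the name table from the reply. The following added example (not part of nbtstat or of this book) builds that query, parses the reply into names, suffixes and the adapter address, and can poll a list of addresses from any platform, which is useful when you want to audit which hosts on a segment still answer NBT at all. The sample reply it decodes is constructed, not captured from a real host, and the live query function assumes the target is reachable on UDP 137.

```python
"""Send the node-status query that 'nbtstat -A <ip>' sends, and parse the reply.

Added example; not nbtstat's code or the book's. Wire format per RFC 1002.
"""
import socket
import struct

NBSTAT = 0x0021   # node status query/response type
IN = 0x0001       # class


def encode_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: the 16-byte NetBIOS name (15 chars + suffix byte)
    is split into nibbles and each nibble is written as a letter 'A'..'P'."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes([32]) + bytes(out) + b"\x00"   # one 32-char label, then root


def build_node_status_request(trn_id=0x1234):
    # Header: transaction id, flags 0 (standard query), QDCOUNT=1.
    # Question name is '*' padded with NULs, which asks for the whole table.
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*", pad=b"\x00") + struct.pack(">HH", NBSTAT, IN)


def parse_node_status_response(data):
    """Return {'id', 'names': [(name, suffix, 'UNIQUE'|'GROUP')], 'mac'}."""
    trn_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or an != 1:
        raise ValueError("not a successful node-status response")
    pos = 12
    while data[pos]:                      # skip the encoded name labels
        pos += 1 + data[pos]
    pos += 1
    rr_type, rr_class, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    num = data[pos]
    pos += 1
    names = []
    for _ in range(num):
        entry = data[pos:pos + 18]        # 15-char name, suffix byte, 2 flag bytes
        nm = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix = entry[15]                # e.g. 0x00 workstation, 0x20 file server
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append((nm, suffix, "GROUP" if nflags & 0x8000 else "UNIQUE"))
        pos += 18
    mac = "-".join("%02X" % b for b in data[pos:pos + 6])   # UNIT_ID of the statistics block
    return {"id": trn_id, "names": names, "mac": mac}


def query_node_status(ip, timeout=2.0):
    """Live query (needs network); returns the parsed table or None on timeout."""
    req = build_node_status_request()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(req, (ip, 137))
        data, _ = s.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_node_status_response(data)


def sample_response(trn_id=0x1234):
    """Constructed reply (not captured) used to exercise the parser offline."""
    entries = [(b"WORKSTATION1", 0x00, 0x0400),   # unique, active
               (b"WORKGROUP", 0x00, 0x8400),      # group, active
               (b"WORKSTATION1", 0x20, 0x0400)]
    rdata = bytes([len(entries)])
    for nm, suffix, fl in entries:
        rdata += nm.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", fl)
    rdata += bytes.fromhex("000c29abcdef") + bytes(40)   # UNIT_ID (MAC) + zeroed statistics
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)
    rr = encode_name("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT, IN, 0, len(rdata)) + rdata
    return header + rr


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(ip, query_node_status(ip))
```

Because the query is a single unauthenticated UDP datagram, anything that answers will hand its name table and adapter address to anyone on the network; that is worth keeping in mind when deciding whether a host needs NBT enabled at all.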

Chapter 7. Device Monitoring with SNMP

This chapter is about monitoring devices with the Simple Network Management Protocol (SNMP). It describes how SNMP can be used to retrieve information from remote systems, to monitor systems, and to alert you to problems. While other network management protocols exist, SNMP is currently the most commonly used. While SNMP has other uses, our primary focus will be on monitoring systems to ensure that they are functioning properly and to collect information when they aren't. The material in this chapter is expanded upon in Chapter 8. This chapter begins with a brief review of SNMP. This description is somewhat informal but should serve to convey enough of the basic ideas to get you started if you are unfamiliar with SNMP. If you are already familiar with the basic concepts and vocabulary, you can safely skip over this section. Next I describe NET-SNMP, a wonderful tool for learning about SNMP that can be used for many simple tasks. Network monitoring using tkined is next, followed by a few pointers to tools for Microsoft Windows.

7.1 Overview of SNMP

SNMP is a management protocol allowing a management program to communicate with, configure, or control remote devices that have embedded SNMP agents. The basic idea behind SNMP is to have a program, or agent, running on the remote system that you can communicate with over the network. This agent can then monitor the system and collect information. Software on a management station sends messages to the remote agent requesting information or directing it to perform some specific task. While communication is usually initiated by the management station, under certain conditions the agent may send an unsolicited message, or trap, back to the management station.

SNMP provides a framework for network management. While SNMP is not the only management protocol or, arguably, even the best management protocol, SNMP is almost universal. It has a small footprint, can be implemented fairly quickly, is extensible, is well documented, and is an open standard. It resides at the application level of the TCP/IP protocol suite. On the other hand, SNMP, particularly Version 1, is not a secure protocol: the community string that serves as its only password is sent in clear text in every message and can be read by anyone who can sniff the traffic. It is also poorly suited for real-time applications, and it can return an overwhelming amount of information.

SNMP is an evolving protocol with a confusing collection of abbreviations designating the various versions. Only the major versions are mentioned here. Understanding the major distinctions among versions can be important, because there are a few things you can't do with earlier versions and because of differences in the security provided by the different versions. However, the original version, SNMPv1, is still widely used and will be the primary focus of this chapter. Generally, the later versions are backward compatible, so differences in versions shouldn't cause too many operational problems.

The second version has several competing variants. SNMPv2 Classic has been superseded by community-based SNMPv2, or SNMPv2c. Two more secure supersets of SNMPv2c are SNMPv2u and SNMPv2*. SNMPv2c is the most common of the second versions and is what is usually meant when you see a reference to SNMPv2. SNMPv2* has not been widely adopted, but its use is growing. SNMP-NG, or SNMPv3, attempts to resolve the differences between SNMPv2u and SNMPv2*. It is too soon to predict how successful SNMPv3 will be, but it also appears to be growing in popularity.
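The request/response exchange just described, as an added example that is neither NET-SNMP's code nor the book's: an SNMPv1 GetRequest for sysDescr.0 (the MIB-II system description) is BER-encoded by hand, sent to the agent, and the GetResponse is decoded. Running it makes the security point above concrete, since the community string is just a plain OCTET STRING near the front of every packet. The agent reply decoded here is constructed rather than captured, and the live query function assumes an agent listening on UDP port 161.

```python
"""SNMPv1 GetRequest/GetResponse, hand-encoded in BER.

Added example; not NET-SNMP's code or the book's. Message layout:
SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }
PDU (tag 0xA0 get / 0xA2 response) { request-id, error-status, error-index,
                                      SEQUENCE OF SEQUENCE { OID, value } }
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def ber_len(n):
    """Short form below 128, long form (0x80 | byte count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def enc_int(v):
    # non-negative two's complement; the byte count keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]                       # base-128, high bit = "more follows"
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))


def build_get_request(community, oid, request_id=1):
    varbind = tlv(0x30, enc_oid(oid) + b"\x05\x00")        # value is NULL in a request
    pdu = tlv(GET_REQUEST, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)


def decode(buf, pos=0):
    """Decode one TLV -> (tag, value, next_pos); constructed tags become lists."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body, end = buf[pos:pos + length], pos + length
    if tag & 0x20:                                  # SEQUENCE or a PDU tag
        items, p = [], 0
        while p < len(body):
            t, v, p = decode(body, p)
            items.append((t, v))
        return tag, items, end
    if tag == 0x02:
        return tag, int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:
        arcs, acc = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc)
                acc = 0
        return tag, ".".join(map(str, arcs)), end
    if tag == 0x05:
        return tag, None, end
    return tag, bytes(body), end                    # OCTET STRING and the rest


def parse_message(pkt):
    _, items, _ = decode(pkt)
    (_, version), (_, community), (pdu_tag, pdu) = items
    (_, req_id), (_, err_status), (_, err_index), (_, vblist) = pdu
    varbinds = [(oid, val) for _, [(_, oid), (_, val)] in vblist]
    return {"version": version, "community": community, "pdu": pdu_tag,
            "request_id": req_id, "error_status": err_status, "varbinds": varbinds}


def sample_response(request_id=1, community="public"):
    """Constructed agent reply (not a capture): sysDescr.0 = 'Linux agent'."""
    varbind = tlv(0x30, enc_oid(SYS_DESCR) + tlv(0x04, b"Linux agent"))
    pdu = tlv(GET_RESPONSE, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)


def snmp_get(host, community, oid, timeout=2.0):
    """Live query against UDP 161; returns [(oid, value)] or raises on error."""
    req = build_get_request(community, oid, request_id=0x42)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(req, (host, 161))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    reply = parse_message(data)
    if reply["request_id"] != 0x42 or reply["error_status"]:
        raise RuntimeError("bad reply: %r" % reply)
    return reply["varbinds"]


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR)
    print(pkt.hex())                         # 'public' is visible as 7075626c6963
    print(parse_message(sample_response()))
```

Matching the request-id in the reply is the only protection a manager has against a spoofed response, and with the community string readable on the wire an attacker who can see the traffic can also issue requests (including SetRequests, if the write community leaks) in the manager's name.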