LinuxQuestions.org

Thread: Techniques for finding rogue switches without cool hardware/software? (https://www.linuxquestions.org/questions/general-10/techniques-for-finding-rogue-switches-without-cool-hardware-software-4175611695/)

dpc2008 08-10-2017 02:56 PM

Techniques for finding rogue switches without cool hardware/software?
 
So... sometimes I have to check out our switch topology. We have many sites and sometimes our docs aren't up to date or someone overwrote my updates and 8 months later I'm looking at them and I know there are other switches. What I need to know is what ports they are on. We don't always have the luxury of stacked switches and we don't configure a LACP group for everything. Sometimes we just run one cable to a new switch. Plus, there may be rogue switches out there.

We have an Avaya network and all I can figure to do is run show mac-address-table and look for ports that have a ton of addresses on them. There has to be a better way. Show lldp neighbors doesn't work b/c we have nortel phones that all are little 2 port switches (one port for the PC, the other connects up to the other switches and tags phone traffic).

Is there a better way to do this? It's easy, for instance, to miss a rogue switch that has a PC and a printer on it.
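
One way to automate the show mac-address-table approach described in this post, as an added example that is not code from the thread: count the distinct MACs learned on each port, tolerate the two MACs a phone-plus-PC drop produces, and skip ports already documented as uplinks. The column layout of SAMPLE_MAC_TABLE is constructed for the example and is an assumption, not real Avaya/Nortel output.

```python
import re
from collections import defaultdict

# Constructed sample "show mac-address-table" output; the column layout is an
# assumption for this example, not copied from a real Avaya/Nortel switch.
SAMPLE_MAC_TABLE = """\
MAC Address        Vlan  Port
-----------------  ----  -----
00-1B-4F-AA-00-01  1     1/1
00-1B-4F-AA-00-02  1     1/2
00-1B-4F-AA-00-03  1     1/2
00-1B-4F-AA-00-04  1     1/5
00-1B-4F-AA-00-05  1     1/5
00-1B-4F-AA-00-06  1     1/5
00-1B-4F-AA-00-07  1     1/7
00-1B-4F-AA-00-08  1     1/7
00-1B-4F-AA-00-09  1     1/7
00-1B-4F-AA-00-09  20    1/7
"""

# One table row: MAC (dash or colon separated), VLAN id, port name.
ROW_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\d+)\s+(\S+)\s*$")


def macs_per_port(table_text):
    """Map port -> set of MACs learned on it; header/separator lines are skipped."""
    seen = defaultdict(set)
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            mac, _vlan, port = m.groups()
            # The same MAC in two VLANs (tagged phone uplink) counts once.
            seen[port].add(mac.upper().replace(":", "-"))
    return dict(seen)


def suspect_ports(table_text, max_expected=2, known_uplinks=()):
    """Ports carrying more MACs than a phone-plus-PC drop should; max_expected=2
    tolerates a Nortel phone (its own MAC plus the PC). Known uplinks are skipped."""
    uplinks = set(known_uplinks)
    flagged = [(port, len(macs)) for port, macs in macs_per_port(table_text).items()
               if len(macs) > max_expected and port not in uplinks]
    return sorted(flagged, key=lambda pn: (-pn[1], pn[0]))


if __name__ == "__main__":
    for port, n in suspect_ports(SAMPLE_MAC_TABLE, known_uplinks={"1/7"}):
        print(f"port {port}: {n} MACs, check for an undocumented switch")
```

Ports with exactly two MACs stay ambiguous (a phone plus a PC, or a small switch with a PC and a printer), which is the case the post says is easy to miss; those need a physical check or a lower max_expected on ports known to have no phone.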

Habitual 08-10-2017 03:26 PM

There may be other methods, but the first one that springs to mind is masscan.
So fast!
"Scan the whole internet in 3 minutes"

Here's a working config:
Code:

### 2017-06-21
### targets
range = 200.139.112.0/20
rate =  100000.00
output-format = list
output-status = all
output-filename = static.gvt.net.br.xml
ports = 20-25,80,443,U:53,445,631,3306,3389,49152-49155,10000,10051,10050
noshow = closed

### adapter
adapter-ip = 0.0.0.0
adapter-mac = 00:00:00:00:00:00
router-mac = 00:00:00:00:00:00

### run with: sudo masscan -c /etc/masscan/gvt.net.br -oL static.gvt.net.br-$(date +"%F")-scan.xml
### other
exclude-file = /etc/masscan/excludes.txt

NOTE: This file should exist, so
Code:

touch /path/to/excludes.txt

It can be empty.

And the c-line I use to run it:
Code:

sudo masscan -c /path/to/config
with these results:
Code:

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2017-08-10 20:22:58 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 4096 hosts [19 ports/host]

Running cat on the static.gvt.net.br.xml file shows:
Code:

#masscan
open tcp 80 200.139.125.5 1502396578
open tcp 443 200.139.127.10 1502396579
open tcp 80 200.139.114.238 1502396579
open tcp 443 200.139.127.82 1502396579
open tcp 80 200.139.127.90 1502396579
open tcp 3389 200.139.114.202 1502396579
open tcp 80 200.139.127.85 1502396580
open tcp 49152 200.139.120.146 1502396580
# end

Should be rather enlightening, I'd think. :)

Habitual 08-10-2017 04:35 PM

Only "range" needs to be edited.

