[unisog] getting the Arp Table from a router with Java API or C application

Jenkinson, John P (SAIC) John.Jenkinson at bp.com
Wed Apr 12 19:08:12 GMT 2006


Another possibility is to use expect scripts to gather the information
you seek.
No SNMP needed, just an ability to get to the network gear's command
line. ssh as an example.
You're probably familiar with the commands to gather the info you need
and are also familiar with the command's output.
Another benefit is that more information is usually available from the
commands than from the SNMP MIBs.

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of PaulFM
Sent: Wednesday, April 12, 2006 8:41 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] getting the Arp Table from a router with Java API
or C application

Check out neo, and see if it does what you need:

http://www.ktools.org/neo/


Glenn Forbes Fleming Larratt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I can't really help with the Java/C coding, but I developed installations
> along these lines in Perl on a Solaris system (using shell calls to
> the CMU SNMP suite of utilities; I actually found that faster than using
> an SNMP Perl module). You're welcome to have a look at my code if you
> wish; please e-mail me offline if you'd like a copy.
>
> Getting the MAC<->switchport mappings is significantly more difficult than
> getting the ARP tables, for a variety of reasons:
>
>   - different manufacturers, and even different switches from the same
>     manufacturer, will have the information stored in different places
>     in the MIB, and slightly differently-formatted SNMP queries to
>     get the information out;
>
>   - you probably want to have some method of sorting out (either on the
>     back end or the front end) whether a particular MAC address appearing
>     on a particular switch port means (a) the end node is using that
>     port as its edge uplink, or (b) the port in question feeds a further
>     switch or network of switches.
>
>   - Cisco routers cache ARP information for (I think) 4 hours by default,
>     while Cisco switches tend to cache switch table information for (again,
>     I think) 30 minutes, so you'd need to poll more frequently; I've
>     seen Extreme switches, for example, that only cached switch table
>     information for 5 minutes.
>
>   - your network is bound to have many more switches than routers, so
>     your polling and processing has to be fast to get through all of them
>     in the 30-minute window.
>
> Having said all that, it's a solvable problem. As noted, please let me
> know via private e-mail if you'd like to see my code.
> 
> - --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> 
> On Tue, 11 Apr 2006, stefano wrote:
> 
> 
>>Hi, sorry for my bad English, I know this and I'm working to make it
>>better.. but here comes the question: I came to know this mailing list by
>>reading the previous thread talking about this argument (Getting ARP tables
>>from Cisco switches via snmp -- slightly OT) after a search on Google..
>>
>>I have to develop an *identical* application (that inserts in a DB the *MAC*,
>>the *IP* and, if possible, the switch port number..) but I have a condition:
>>I have to develop this using a Java server, not Linux commands or
>>applications (not , but max portability, because some servers are Windows and
>>some are Unix, therefore *_I can't use snmpwalk or arptrace!!_*). I must
>>realize this operation with *Java APIs* or with portable source code such as
>>*C code.*
>>
>>I've downloaded the *Adventnet java SNMP API* package, and I can get a
>>variable from the MIB; for example, the OID 1.3.6.1.2.1.1.1.0 returns to me
>>the string value "Cisco Internetwork Operating System Software \r\nIOS (tm)
>>RSP Software (RSP-JSV-M), Version 12.0(9), RELEASE SOFTWARE
>>(fc1)\r\nCopyright (c) 1986-2000 by cisco Systems, Inc.\r\nCompiled Mon
>>24-Jan-00 23:15 by bettyl", so I can deduce that the APIs work fine. But if
>>I try to get a table, I receive a null pointer, and I don't know how I can do
>>this operation correctly.
>>
>>*Can anyone help me?*
>>
>>Here is the bad test code, working only with a single MIB variable:
>>
>>public static void openSNMPSession() throws Exception
>>  {
>>      System.out.println("ci2ao");
>>      SnmpAPI api = new SnmpAPI();
>>      SnmpSession session = new SnmpSession(api);
>>      session.open();
>>      SnmpPDU pdu = new SnmpPDU();
>>      pdu.setRemoteHost("141.108.5.4");
>>      pdu.setCommand(SnmpAPI.GET_REQ_MSG);
>>      pdu.addNull(new SnmpOID(".1.3.6.1.2.1.4.22")); //doesn't work
>>      //pdu.addNull(new SnmpOID(".1.3.6.1.2.1.1.1.0")); works
>>      SnmpPDU response_pdu = session.syncSend(pdu);
>>      if(response_pdu == null)
>>      {
>>          System.out.println("The Request has timed out.");
>>      }
>>      else
>>      {
>>          System.out.println(response_pdu.printVarBinds());
>>          System.out.println("Errors: "+response_pdu.getError());
>>          System.out.println("Account: "+response_pdu.getCommunity()+"\n Ver "+response_pdu.getVariable(10));
>>      }
>>  }
>>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
> 
> iD8DBQFEPPb/Lyw7nZwiKgQRAkkoAKC8x/Xov3dmfScrKWvUt4hqoJ+2oACfa5ci
> c2KWG069xD6tGc2vQ7D0iG0=
> =arpo
> -----END PGP SIGNATURE-----
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
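
An added example, not part of the original thread and not AdventNet or any poster's code: the ARP table at .1.3.6.1.2.1.4.22 (ipNetToMediaTable) holds no value at the table OID itself, so a walk repeats GETNEXT and reads the ifIndex and IP address out of each instance OID. The in-memory `AGENT` map, its sample rows and the `getNext` helper are constructed stand-ins for a real SNMP session.

```java
import java.util.*;

public class ArpTableWalk {
    // ipNetToMediaPhysAddress column of ipNetToMediaTable (.1.3.6.1.2.1.4.22)
    static final String COLUMN = "1.3.6.1.2.1.4.22.1.2";

    // Numeric, arc-by-arc OID ordering, which is what GETNEXT follows.
    static final Comparator<String> OID_ORDER = (a, b) -> {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.min(x.length, y.length); i++) {
            int c = Long.compare(Long.parseLong(x[i]), Long.parseLong(y[i]));
            if (c != 0) return c;
        }
        return Integer.compare(x.length, y.length);
    };

    // Constructed sample data standing in for a router's MIB (not from the thread).
    static final TreeMap<String, String> AGENT = new TreeMap<>(OID_ORDER);
    static {
        AGENT.put("1.3.6.1.2.1.4.22.1.1.2.192.0.2.1", "2");
        AGENT.put("1.3.6.1.2.1.4.22.1.2.2.192.0.2.1", "00:00:5e:00:53:01");
        AGENT.put("1.3.6.1.2.1.4.22.1.2.2.192.0.2.20", "00:00:5e:00:53:14");
        AGENT.put("1.3.6.1.2.1.4.22.1.2.3.198.51.100.7", "00:00:5e:00:53:07");
        AGENT.put("1.3.6.1.2.1.4.22.1.3.2.192.0.2.1", "192.0.2.1");
    }

    // Hypothetical stand-in for one GETNEXT round trip: first OID after `oid`.
    static Map.Entry<String, String> getNext(String oid) {
        return AGENT.higherEntry(oid);
    }

    // Walk one column: repeat GETNEXT until the reply leaves the column's subtree.
    static List<String[]> walkArp() {
        List<String[]> rows = new ArrayList<>();
        String cursor = COLUMN;
        Map.Entry<String, String> e;
        while ((e = getNext(cursor)) != null && e.getKey().startsWith(COLUMN + ".")) {
            // The instance suffix is the table index: <ifIndex>.<a>.<b>.<c>.<d>
            String[] idx = e.getKey().substring(COLUMN.length() + 1).split("\\.", 2);
            rows.add(new String[] { idx[0], idx[1], e.getValue() });
            cursor = e.getKey();
        }
        return rows;
    }

    public static void main(String[] args) {
        // A GET on the column OID matches no instance; only the walk yields rows.
        System.out.println("GET " + COLUMN + " -> " + AGENT.get(COLUMN));
        for (String[] r : walkArp())
            System.out.println("ifIndex=" + r[0] + " ip=" + r[1] + " mac=" + r[2]);
    }
}
```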