[unisog] unisog Digest, Vol 25, Issue 12

johanson@caltech.edu johanson at caltech.edu
Wed Apr 12 21:54:00 GMT 2006


For Cisco equipment there's a tech note on mapping a MAC address to a 
port:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml

The examples use snmpwalk but the process should get you headed where you 
want to go.


Ernie Johanson
Information Security
California Institute of Technology

On Wed, 12 Apr 2006, unisog-request at lists.sans.org wrote:

> Date: Wed, 12 Apr 2006 20:30:09 +0000
> From: unisog-request at lists.sans.org
> Reply-To: unisog at lists.sans.org
> To: unisog at lists.sans.org
> Subject: unisog Digest, Vol 25, Issue 12
> 
> I can't really help with the Java/C coding, but I developed installations
> along these lines in Perl on a Solaris system (using shell calls to
> the CMU SNMP suite of utilities; I actually found that faster than using
> an SNMP Perl module). You're welcome to have a look at my code if you
> wish; please e-mail me offline if you'd like a copy.
>
> Getting the MAC<->switchport mappings is significantly more difficult than
> getting the ARP tables, for a variety of reasons:
>
>  - different manufacturers, and even different switches from the same
>    manufacturer, will have the information stored in different places
>    in the MIB, and slightly differently-formatted SNMP queries to
>    get the information out;
>
>  - you probably want to have some method of sorting out (either on the
>    back end or the front end) whether a particular MAC address appearing
>    on a particular switch port means (a) the end node is using that
>    port as its edge uplink, or (b) the port in question feeds a further
>    switch or network of switches.
>
>  - Cisco routers cache ARP information for (I think) 4 hours by default,
>    while Cisco switches tend to cache switch table information for (again,
>    I think) 30 minutes, so you'd need to poll more frequently; I've
>    seen Extreme switches, for example, that only cached switch table
>    information for 5 minutes.
>
>  - your network is bound to have many more switches than routers, so
>    your polling and processing has to be fast to get through all of them
>    in the 30-minute window.
>
> Having said all that, it's a solvable problem. As noted, please let me
> know via private e-mail if you'd like to see my code.
>
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
>
> On Tue, 11 Apr 2006, stefano wrote:
>
>> Hi, sorry for my bad English, I know this and I'm working to make it
>> better.. but here comes the question: I came to know this mailing list by reading the
>> previous thread talking about this argument (Getting ARP tables from Cisco
>> switches via snmp -- slightly OT) after a search on Google..
>>
>> I have to develop an *identical* application (that inserts in a DB the *MAC*,
>> the *IP* and, if possible, the switch port number..) but I have a condition:
>> I have to develop this using a Java server, not Linux commands or
>> applications (not , but max portability, because some servers are Windows and
>> some are Unix, therefore *_I can't use snmpwalk or arptrace!!_*). I must
>> implement this operation with *Java APIs* or with portable source code such as *C
>> code.*
>>
>> I've downloaded the *Adventnet java SNMP API* package, and I can get a
>> variable from the MIB; for example the OID /1.3.6.1.2.1.1.1.0/ returns to me
>> the string value /"Cisco Internetwork Operating System Software \r\nIOS (tm)
>> RSP Software (RSP-JSV-M), Version 12.0(9), RELEASE SOFTWARE
>> (fc1)\r\nCopyright (c) 1986-2000 by cisco Systems, Inc.\r\nCompiled Mon
>> 24-Jan-00 23:15 by bettyl"/ so I can deduce that the APIs work fine. But if
>> I try to get a table, I receive a null pointer, and I don't know how I can do
>> this operation correctly.
>>
>> *Can anyone help me?*
>>
>> Here is the bad test code, working only with a single MIB variable:
>>
>> public static void openSNMPSession() throws Exception
>> {
>>     System.out.println("ci2ao");
>>     SnmpAPI api = new SnmpAPI();
>>     SnmpSession session = new SnmpSession(api);
>>     session.open();
>>     SnmpPDU pdu = new SnmpPDU();
>>     pdu.setRemoteHost("141.108.5.4");
>>     pdu.setCommand(SnmpAPI.GET_REQ_MSG);
>>     pdu.addNull(new SnmpOID(".1.3.6.1.2.1.4.22")); // doesn't work
>>     // pdu.addNull(new SnmpOID(".1.3.6.1.2.1.1.1.0")); // works
>>     SnmpPDU response_pdu = session.syncSend(pdu);
>>     if (response_pdu == null)
>>     {
>>         System.out.println("The Request has timed out.");
>>     }
>>     else
>>     {
>>         System.out.println(response_pdu.printVarBinds());
>>         System.out.println("Errors: " + response_pdu.getError());
>>         System.out.println("Account: " + response_pdu.getCommunity() + "\n Ver " + response_pdu.getVariable(10));
>>     }
>> }
>>
> [ PGP Signature check FAILED - Wed Apr 12 14:44:38 PDT 2006 ]
>
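
Added example (not part of the original messages, and not the code offered in the thread or in the Cisco tech note): one way to do the correlation discussed above, joining a router's ARP table to a switch's forwarding table from numeric-OID walk output (the form net-snmp's snmpwalk -On prints) and flagging ports that carry several MACs as probable uplinks to further switches. It assumes the devices expose the standard ipNetToMediaTable, BRIDGE-MIB and IF-MIB objects; the sample walks, the function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Standard MIB columns; a vendor MIB may keep this data elsewhere (assumption).
ARP_PHYS = ".1.3.6.1.2.1.4.22.1.2"      # ipNetToMediaPhysAddress.<ifIndex>.<ip>
FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"    # dot1dTpFdbPort.<MAC as 6 decimal octets>
BASE_IFIDX = ".1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex.<bridge port>
IF_NAME = ".1.3.6.1.2.1.31.1.1.1.1"     # ifName.<ifIndex>
LINE = re.compile(r"^(\.[\d.]+) = [\w-]+: (.*)$")  # one numeric-OID walk line

# Constructed sample walks (not from real devices): router ARP, switch tables.
ROUTER_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.10 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.11 = Hex-STRING: 00 11 22 33 44 66
"""
SWITCH_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.102 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.119 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.136 = INTEGER: 24
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Fa0/3
.1.3.6.1.2.1.31.1.1.1.1.10024 = STRING: Gi0/1
"""

def column(walk, base):
    """Return {index suffix: value} for the rows of one table column."""
    rows = {}
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).startswith(base + "."):
            rows[m.group(1)[len(base) + 1:]] = m.group(2).strip().strip('"')
    return rows

def locate(router_walk, switch_walk, uplink_threshold=3):
    """Return sorted (mac, ip or None, interface name, 'edge'|'uplink') tuples."""
    ip_of = {":".join(val.lower().split()): idx.split(".", 1)[1]
             for idx, val in column(router_walk, ARP_PHYS).items()}
    port_if, names = column(switch_walk, BASE_IFIDX), column(switch_walk, IF_NAME)
    by_port = defaultdict(list)
    for idx, bport in column(switch_walk, FDB_PORT).items():
        by_port[bport].append(":".join("%02x" % int(o) for o in idx.split(".")))
    rows = []
    for bport, macs in by_port.items():
        ifname = names.get(port_if.get(bport, ""), "bridge-port-" + bport)
        # Heuristic (assumed threshold): many MACs on one port = downstream switch.
        kind = "uplink" if len(macs) >= uplink_threshold else "edge"
        rows += [(mac, ip_of.get(mac), ifname, kind) for mac in macs]
    return sorted(rows, key=lambda r: r[0])
```

A MAC with no IP in the result was seen by the switch but is absent from the router's ARP table, which is expected when the two caches age out on different timers.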

