Comparative Analysis of Active and Passive Mapping Techniques in an Internet-Based Local Area Network

摘要

Network mapping technologies allow quick and easy discovery of computer systems throughout a network. Active mapping methods, such as using nmap, capitalize on the standard stimulus-response of network systems to probe target systems. In doing so, they create extra traffic on the network, both for the initial probe and for the target system's response. Passive mapping methods work opportunistically, listening for network traffic as it transits the system. As such, passive methods generate minimal network traffic overhead. Active methods are still standard methods for network information gathering; passive techniques are not normally used due to the possibility of missing important information as it passes by the sensor. Configuring the network for passive network mapping also involves more network management. This research explores the implementation of a prototype passive network mapping system, lanmap, designed for use within an Internet Protocol-based local area network. Network traffic is generated by a synthetic traffic generation suite using honeyd and syntraf, a custom Java program to interact with honeyd. lanmap is tested against nmap to compare the two techniques. Experimental results show that lanmap is quite effective, discovering an average of 76.1% of all configured services (server- and client-side) whereas nmap only found 27.6% of all configured services. Conversely, lanmap discovered 19.9% of the server services while nmap discovered 92.7% of the configured server-side services. lanmap discovered 100% of all client-side service consumers while nmap found none. lanmap generated an average of 200 packets of network overhead while nmap generated a minimum of minimum 8,600 packets on average up to 155,000 packets at its maximum average value. The results show that given the constraints of the test bed, passive network mapping is a viable alternative to action network mapping, unless the mapper is looking for server-side services.