Detecting Hidden Hosts and Networks on your (shared) LAN

Posted · Add Comment

In theory on switched networks each portion of a LAN is independent. This means that for instance that network and are using different switch ports that communicate through a router,  and also that are not sharing the same physical network. Unfortunately sometimes people violate this principle by putting on the same physical port multiple networks.

The reasons are manyfold:

  • You want to run a VM on your host that can (silently) communicate with other devices and thus you want to use a different network address plan.
  • You use devices that have an embedded switch (e.g. Apple Airport Time Capsule NAS device) to which you connect both your PC (with a publicly accessible IP address) and the backup device that is not supposed to be accessed from the Internet and thus living on a different network.
  • Some of your colleagues are trying to hide some devices and thus are decided to use a network other than the one used on the LAN.
  • You migrated your network to a different addressing scheme but you forgot to update some devices that are still configured with the old network.
  • Somebody attached (without configuring it) a new device just purchased that is then using a different network address.

So in essence there are many reasons ranging from misconfiguration, to malicious users who attach devices to the network hoping not to be discovered. Fortunately moderns devices are rather verbose and advertise their presence for instance through MDNS (Multicast DNS), IPv6 advertisements, and for sure ARP on IPv4 networks.

If you want to discover these devices living on “ghost networks”, you can now do it easily using ntopng in a matter of clicks.

Just go to the interface menu and select your network device and then click on the “Networks” tab. There you will see listed the networks that have been learnt by ntopng using ARP messages. In case they do not overlap with the IP networks configured on your network card (i.e. eth0 in the above image) ntopng will tell you if:

  • There is a misconfiguration (i.e. on your network card you configured but ntopng has learnt, so the network mask was wrong).
  • If there are devices belonging to networks that were not supposed to exist, and thus they are marked with a ghost icon.

If you want to find out what devices belong to such ghost network, you can click on the network label and see something to the image below:

Now the final question: where are those network devices attached so you network admins can go and chase them? Just click on the device IP address and if you have configured your SNMP devices in ntopng you can find out where are those devices physically located and on what network port they are have been connected to the network.

All done using ntopng, without having to use several tools. Easy isn’t it?