
I'm currently diving into network mapping and thought that, in order to do this stealthily, why not listen to the existing network traffic; a Wireshark dump usually contains a metric ton of information - you have at least info on hosts which are up and some ports where communication is obviously taking place. I would like to extract this information from a Wireshark dump and get the info into some tool like Zenmap or the Metasploit database (hosts/services).

I googled this with "passive network mapping" and "passive network discovery" together with "wireshark" and "zenmap" but didn't find anything. Is this not a thing or am I searching wrong?

If there's nothing I would start with a Python or Ruby script doing this, but I really thought there might be something existing already.

Thanks

Draugr
  • See https://ask.wireshark.org/questions/24163/network-topology-graph for a suggestion on why it might not work as well as you would think, especially on switched networks. – Matthew May 04 '16 at 16:13
  • Thanks, maybe I didn't phrase the question properly. I'm not really thinking of getting a full topology in the literal sense, but rather replacing a first nmap syn scan sweep by listening to traffic (in case there is no switching, of course). – Draugr May 04 '16 at 16:16
  • @Draugr what is the end result you are hoping for? Wireshark has its own dissectors and analysis tools that can provide you with hosts and open ports from pcap files. – schroeder May 04 '16 at 16:44
  • You could also just process the pcaps directly: https://isc.sans.edu/forums/diary/Create+a+Summary+of+IP+Addresses+from+PCAP+Files+using+Unix+Tools/8515/ – schroeder May 04 '16 at 16:55
  • Thanks a lot, this link is extremely helpful for me! What I'm trying to achieve is simply use this additional means to fill my list of hosts and services in a network (segment) e.g. in metasploit (or Armitage or similar tools). – Draugr May 04 '16 at 19:01

2 Answers


Some background information for context: some organizations save full-packet captures for their high-security or production networks. There are commercial products which do this too. People definitely do what you are talking about, but not always for the reason you mention, although that's a good side benefit. Ideally what you want is an optical tap at key (ingress/egress) control points on your network. Then set up tshark (text-based Wireshark, which has slightly better performance) to automatically grab the relevant data you want and save .PCAP info for you to parse. This is frequently done to find APT and malware communications, but it has a large number of other uses.

That said, I think one of the reasons people don't do this as a primary means of network discovery is simply because some devices may rarely, or never, communicate via the ingress/egress point so it won't always result in 100% accurate information. What you are talking about is somewhat similar to "Passive Vulnerability Scanning" so you may find other very valuable uses for the data you collect in this process and it would be very effective at mapping all the communications leaving an organization but it does have a few limitations.

In a nutshell, I think people don't call it "passive network mapping" or "passive network discovery" (both are great names for what you mentioned) because once you get that data you'd realize you can do so much more with it that you're more likely going to refer to it in the larger sense of what it is, which comes back to "full packet capture". I know these aren't exactly the same; you are talking about just collecting some of that data and using it for mapping, but I think that is why it's rarely called by the terms you mentioned (answer to your question).

Note: NetFlow data would also be another source to passively collect the data needed for mapping, and there are a lot of other ways to do this (switch CAM tables also work, depending on the network). However, on very large networks full-packet capture becomes challenging quickly, whereas NetFlow data is a little more compact.

Trey Blalock
  • Many thanks, this is a comprehensive answer with a lot of insight for me to process. :) Especially the mention of tshark is valuable for me, I didn't know there's a CLI focused version and used normal Wireshark by command line in a remote shell. Gotta check this. – Draugr May 04 '16 at 19:04
  • Why mention tshark instead of say tcpdump which is more widely available? – Jordan Melo May 11 '16 at 14:51
  • Tshark supports more protocols – Trey Blalock May 11 '16 at 14:52

If you are looking to map out your immediate LAN, a simple ARP sniffer (probably written in Python with the Scapy library) would work just fine. But if you're looking to find the entire network topology, there is a way to do it, though the circumstances are a bit specific.

If the network utilizes Cisco routers, and those routers route dynamically using OSPF, then you could introduce a rogue router to the network. This router would establish itself as a neighbor to the target router and would exchange LSPs with it until it has built its own topology (See here). Once the router has done its dirty work, you just have to take a look at the routing table to see your basic logical topology. This method does have its share of active techniques, so the purely passive way would be to sniff for all OSPF packets and build a topology model based on the information sniffed.

This solution does have rather specific requirements, but the exploited technologies are fairly common, so it should be viable in many places.

schroeder
The Defalt
  • Thanks, this answer also provided me with some information I didn't know, I'll check the OSPF specification right away and start evaluating some OSPF packets. – Draugr May 04 '16 at 19:06
  • Won't OSPF only map out the networking devices, and not the end hosts? – schroeder May 04 '16 at 19:08
  • It will discover any network devices, but it will also advertise route-able networks. You won't know exactly what hosts there are in a given subnet, but you will be able to tell what subnets exist and are reachable, further recon on these given subnets can yield the connected hosts. – The Defalt May 04 '16 at 19:42
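
The two answers suggest processing the capture directly (tshark, or the pcap itself) and sniffing ARP on the local segment. The script below is an added example, not code from the question or either answer: it reads a classic libpcap file without scapy or tshark, records every IPv4 address seen in ARP or TCP traffic as a live host, records a (host, port) pair as a service only when that host answered a SYN with a SYN/ACK (the caveat from the first answer: a lone SYN or an RST proves nothing about a listener), and emits a minimal Nmap-XML-shaped document so the result can be loaded into the Metasploit database with `db_import`. Assumptions: classic libpcap (not pcapng), Ethernet link type, IPv4 only, no IP options beyond what the IHL field says; the function names and the sample capture (`sample_pcap`, built inline) are constructed for the example, and that Metasploit's importer accepts this stripped-down XML is an assumption to verify against your msf version.

```python
"""Passive host/service inventory from a libpcap capture in pure Python (no scapy/tshark); example code."""
import ipaddress
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10

def iter_pcap_frames(data):
    """Yield raw link-layer frames from a libpcap file written in either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # bytes actually captured
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Return ('arp', sender_ip, sender_mac), ('tcp', src, sport, dst, dport, flags) or None."""
    if len(frame) < 14:
        return None
    ethertype, payload = frame[12:14], frame[14:]
    if ethertype == b"\x08\x06" and len(payload) >= 28:
        # ARP sender fields: MAC at 8..14, IPv4 at 14..18; requests and replies both reveal a live host.
        return ("arp", str(ipaddress.IPv4Address(payload[14:18])), payload[8:14].hex(":"))
    if ethertype != b"\x08\x00" or len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != 6 or len(payload) < ihl + 20:  # IP protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(payload[12:16]))
    dst = str(ipaddress.IPv4Address(payload[16:20]))
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return ("tcp", src, sport, dst, dport, payload[ihl + 13])

def passive_inventory(data):
    """hosts: every IPv4 address seen talking; services: {host: {TCP ports that answered a SYN with SYN/ACK}}."""
    hosts, services = set(), defaultdict(set)
    for frame in iter_pcap_frames(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        if parsed[0] == "arp":
            hosts.add(parsed[1])
            continue
        _, src, sport, dst, _dport, flags = parsed
        hosts.update((src, dst))
        # Only a SYN/ACK proves a listener: a lone SYN may hit a closed or filtered port, an RST/ACK denies it.
        if (flags & (SYN | ACK)) == (SYN | ACK):
            services[src].add(sport)
    return hosts, dict(services)

def to_nmap_xml(hosts, services):
    """Minimal Nmap-XML-shaped report; assumed to load with Metasploit's db_import (check your msf version)."""
    out = ['<?xml version="1.0"?>',
           '<nmaprun scanner="nmap" args="passive-pcap" start="0" version="7.00" xmloutputversion="1.04">']
    for host in sorted(hosts, key=ipaddress.IPv4Address):
        out.append(f'<host><status state="up" reason="passive"/><address addr="{host}" addrtype="ipv4"/><ports>')
        out.extend(f'<port protocol="tcp" portid="{p}"><state state="open" reason="syn-ack"/></port>'
                   for p in sorted(services.get(host, ())))
        out.append("</ports></host>")
    out.append("</nmaprun>")
    return "\n".join(out)

def _tcp_frame(src, sport, dst, dport, flags):
    """Constructed sample frame: zero MACs, bare 20-byte IPv4 and TCP headers, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + tcp

def _arp_frame(sender_ip, sender_mac):
    """Constructed sample ARP who-has request from sender_ip for 10.0.0.1."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + ipaddress.IPv4Address(sender_ip).packed
    return bytes(12) + b"\x08\x06" + arp + bytes(6) + ipaddress.IPv4Address("10.0.0.1").packed

def sample_pcap():
    """Constructed little-endian capture: two SYN/ACK'd connections, one refused SSH probe, one ARP request."""
    frames = [
        _arp_frame("10.0.0.42", bytes.fromhex("0011223344aa")),
        _tcp_frame("10.0.0.5", 51000, "10.0.0.10", 80, SYN),
        _tcp_frame("10.0.0.10", 80, "10.0.0.5", 51000, SYN | ACK),
        _tcp_frame("10.0.0.7", 51001, "10.0.0.10", 443, SYN),
        _tcp_frame("10.0.0.10", 443, "10.0.0.7", 51001, SYN | ACK),
        _tcp_frame("10.0.0.5", 51002, "10.0.0.20", 22, SYN),
        _tcp_frame("10.0.0.20", 22, "10.0.0.5", 51002, 0x14),  # RST/ACK: closed port, must not be recorded
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(to_nmap_xml(*passive_inventory(sample_pcap())))
```

On a real capture, replace `sample_pcap()` with `open("dump.pcap", "rb").read()` (convert pcapng with `editcap -F pcap` first), write the XML to a file and load it in msfconsole with `db_import`. On the constructed sample, 10.0.0.20 shows up as a host but with no services, because its RST/ACK to port 22 is evidence the port is closed, not open; 10.0.0.42 is known only from its ARP request, which is exactly what an ARP-only sniffer on the local segment would see.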