
Basically I need to say Server1, with IP address 1.2.3.4, has Application1 on it, and that its network traffic uses ports 100, 101, and 103.

Since many of these servers were built and setup before I started working here and there is no documentation from previous admins, I was hoping there might be a tool that could show me that information.

Thanks

Update for those asking: both Windows and Linux OSes, on virtual and physical hardware.

MoSiAc
  • For one, we're going to need to know your operating system; however, in short, the tool you need is netstat, and the syntax varies from OS to OS. – Oneiroi Mar 26 '13 at 14:16
  • Lansweeper comes to mind, but yeah, OS, along with how many servers, would help. 10 servers = pretty simple, 1000 = might require a lot more resources and expensive software – TheCleaner Mar 26 '13 at 14:18
  • This is more complicated than you think. Some services might be active only for a short period of time (e.g. backup) or only in certain cases (e.g. error recovery/failover or whatever). I would capture the IP address and port number by sniffing the network for a day or a week and work up from there. And even that is an incomplete solution. – BatchyX Mar 26 '13 at 14:19
  • I totally agree but I have to start somewhere. – MoSiAc Mar 26 '13 at 14:25
  • @MoSiAc After reading your comment to my answer, you need to start by having the requester clarify and essentially completely rework their request. A new firewall is not concerned with every service and port used on every server, it is concerned with what services and ports you allow into and out of the network. I'd smack someone on the back of the head for st00pid if I got this request because of a new firewall install. – HopelessN00b Mar 26 '13 at 14:44
  • I should clarify not a border firewall but a datacenter firewall but the more I look at it either way the more I agree with you. – MoSiAc Mar 26 '13 at 15:00
  • If you really have to do it, I would recommend rebuilding your network infrastructure from the ground up, documenting everything in the process, especially the ports used by the services/applications. Then either build up the list and send it to them, or try to implement some firewall rules in a test network until it works. – BatchyX Mar 26 '13 at 15:11
  • Shouldn't be very difficult if you document your network properly: a list of services and what machines they run on, or vice versa, a list of machines and the services per machine. Either way, whilst this might seem like a bit of a troll answer, I'm downvoting because if you stepped back and documented things properly, this question wouldn't exist. – jwbensley Mar 26 '13 at 16:09
  • And like I said had I been here before the majority of these servers existed I would have documented it properly but I didn't, and the people before me didn't seem to believe in documentation. – MoSiAc Mar 26 '13 at 16:15
  • @javano Seems unfair for you to downvote him because _the guy before him_ didn't document properly. – Michael Hampton Mar 27 '13 at 03:59
  • @MichaelHampton Irrelevant of what the guy before him did, the question seems unnecessary in my opinion. The OP needs to get his documentation up to date which would then remove the need for this question. – jwbensley Mar 27 '13 at 17:19
  • @javano That's the whole point of the question! – Michael Hampton Mar 27 '13 at 17:20
  • @MichaelHampton What I am seeing with this question is "Something is b0rked (our documentation) - How can I work around this?" and not what I feel it should be: "Something is b0rked (our documentation) - How can I fix this?" – jwbensley Mar 27 '13 at 17:21

6 Answers

2

I think most port scanners would do what you want. A popular one is nmap.

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

  • This will only show whatever is not blocked by a firewall/IPS/etc. Also, it will not show what service has the port open - at best it will identify the service by signature. – Chris S Mar 26 '13 at 15:07
2

I'd laugh and say "no," in all probability. As mentioned in the comments, nmap/netstat and port scanning isn't a complete solution, since a lot of these services are only active under certain circumstances or during certain times.

The only reliable way I can think of doing this is by checking the firewall rules on each server to see what ports are opened, and correlating those openings to a service. Of course, even this isn't a complete solution - it relies on the servers all having firewalls turned on and the assumption that an open port is open for an existing service (and not for historical reasons or default configuration or misconfiguration, etc.).

Again, though, I'd probably reject the request - this information doesn't seem particularly useful, so I'm thinking this is probably coming from someone non-technical who really needs/wants different information, but is asking for this in an incorrect or misguided fashion.

EDIT:

In response to the information that this is for a new firewall, you need to get the requester to rework their request. A new firewall is not generally concerned with every service and port used on every server; it is concerned with what services and ports you allow into and out of the network. That's probably what they really want you to find out, and it is a far easier task than the question as asked.

HopelessN00b
  • I would agree with you but this is supposed to be for their new firewall so I'm not sure why they just aren't doing this themselves since it's networking. I don't mind helping but I don't have all the information that they want either. – MoSiAc Mar 26 '13 at 14:34
  • @MoSiAc Well, see, already it sounds like they're asking for information they don't need or want. Are connections from the SQL server to some front-end app server going to go through the firewall? What about RDP? You probably want to be able to RDP to internal servers, but do they want to allow that through the firewall? Probably not. So they're not even asking for the right thing. You need to get them to clarify their request/requirements, or you're just going to end up wasting a lot of people's time gathering unnecessary (and potentially dangerous) information. – HopelessN00b Mar 26 '13 at 14:40
  • After reading all the comments, I'd be tempted to install the firewall, close *all* the ports, and handle every request for a fix through a trouble ticket. (Of course, you'd want to be careful how you present that solution to the enterprise.) – Mike Sherrill 'Cat Recall' Mar 28 '13 at 14:28
  • @MikeSherrill'Catcall' The problem with suggesting that kind of... "solution" is that there's a chance they'll agree to it, and you become the proud owner of 180 incidents, 34 problems and a dozen "production down" emergencies. – HopelessN00b Mar 28 '13 at 14:32
  • @HopelessN00b: I wouldn't recommend moving a production process to a new server without testing it first. But your point is well-taken; you have to balance the risk of opening a lot of ports that are no longer used against the time and trouble of accurate documentation and testing. (Trouble tickets = documentation. Not my favorite *form* of documentation, but documentation nevertheless.) – Mike Sherrill 'Cat Recall' Mar 28 '13 at 14:36
1

In Windows you can run "netstat -a -n -o" to list all listening ports in numerical form, together with the owning process ID (PID), and match those ports to processes.

joeqwerty
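An added example, not part of joeqwerty's answer, of turning that "netstat -a -n -o" output plus "tasklist /fo csv" into a per-process inventory of listening ports, which is the Server/IP/Application/ports list the question asks for. Both outputs below are constructed samples in the Windows layout, not captured from a real server.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of "netstat -a -n -o" output (Windows layout); not from a real host.
NETSTAT_SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1433          0.0.0.0:0              LISTENING       2104
  TCP    10.0.0.5:3389          10.0.0.77:52210        ESTABLISHED     1320
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed sample of "tasklist /fo csv" output, used to resolve PIDs to image names.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","912","Services","0","8,456 K"
"svchost.exe","1044","Services","0","5,120 K"
"sqlservr.exe","2104","Services","0","412,000 K"
"""

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def parse_listeners(text):
    """Yield (proto, ip, port, pid) for listening sockets only. TCP rows must be
    LISTENING; UDP rows carry no state column, so every bound UDP socket counts."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header and "Active Connections" lines
        if parts[0] == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue  # skips ESTABLISHED, TIME_WAIT, ... rows
        ip, port = parts[1].rsplit(":", 1)  # rsplit copes with bracketed IPv6 addresses
        yield parts[0], ip.strip("[]"), int(port), int(parts[-1])

def build_inventory(netstat_text, tasklist_text):
    """Return {process name: sorted [(proto, ip, port), ...]}; unknown PIDs keep 'pid N'."""
    names = parse_tasklist(tasklist_text)
    inventory = defaultdict(set)
    for proto, ip, port, pid in parse_listeners(netstat_text):
        inventory[names.get(pid, f"pid {pid}")].add((proto, ip, port))
    return {name: sorted(socks) for name, socks in inventory.items()}
```

Run on each server and key the result by hostname; a listener owned by PID 4 (System) is a kernel-mode service such as SMB and will not show up in tasklist as a separate image.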
1

Use a combination of nmap from the same network (no firewalls in between) and local checks (as in the answer by joeqwerty, or lsof/netstat/others on Unix/Linux): check what services are being started, and check what is installed.

Look at the ports open on the local firewalls of the targets, check the configuration of "Internet facing" firewalls, what traffic do they let go through to your targets/leave from them. Any special configuration there is presumably to allow some specific service.

Pull all the above together, ask around if somebody can tell you what is supposed to run on the targets, check with users what they use on the machines.

Once you have a reasonably complete picture, you'll have to start questioning which of the identified services are really needed. Check that the configurations are sane, according to best practices for each. Make sure everything is up to date, antivirused if Windows, the works.

Yep, you've got your work cut out for you. Good luck!

vonbrand
0

Another possibility would be to scan SNMP information and check out the currently active TCP/IP connections via SNMP. Of course, for Windows and Linux computers, SNMP is not sufficient, and other protocols such as SSH or telnet may need to be utilized.

Once you have all that information, you can determine which server is talking to which client/other server.

Of course, a single scan is not enough. You need to do it regularly in order to get a complete picture.

TeeTee
0

NetFlow was designed to do exactly what you're looking for. If properly set up, you can see all of the conversations on your network and discover each service in use. There are a wide variety of products ranging from cheap to enterprise grade, closed and open source. Some of the fancier products will derive dependent services (e.g. the front-end web server depends on the database, DNS, and LDAP servers) and alert you when there are outages or performance issues.

To use it you'll have to set up one or more collection points on your backbone (either active on your switch, router, and/or firewall or passive via a SPAN port or tap). Each collection point will feed NetFlow data to a collector.

Gerald Combs
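An added example, not part of this answer or of any NetFlow product, of the aggregation a collector performs on the flow records it receives: constructed unidirectional flow records are grouped into server/port to client-set entries (the "conversations"), and the entries where a server is itself the client become the service dependency map the answer mentions. The SERVERS set, the simplified CSV layout and the lower-port heuristic for picking the service end are assumptions.

```python
from collections import defaultdict

# Constructed flow records in a simplified CSV (proto,src_ip,src_port,dst_ip,dst_port,bytes),
# not a real NetFlow export. Flows are unidirectional, so each TCP/UDP conversation
# appears once per direction.
FLOWS = """\
tcp,10.0.0.77,52210,10.0.0.5,443,18230
tcp,10.0.0.5,443,10.0.0.77,52210,91240
tcp,10.0.0.5,49312,10.0.0.9,1433,4410
tcp,10.0.0.9,1433,10.0.0.5,49312,60211
udp,10.0.0.5,51000,10.0.0.2,53,70
udp,10.0.0.2,53,10.0.0.5,51000,160
tcp,10.0.0.78,41000,10.0.0.5,443,2040
"""

# Hosts being inventoried (assumed); everything else is treated as a plain client.
SERVERS = {"10.0.0.5", "10.0.0.9", "10.0.0.2"}

def parse_flows(text):
    """Yield (proto, src, sport, dst, dport, bytes) tuples from the CSV lines."""
    for line in text.splitlines():
        proto, src, sport, dst, dport, nbytes = line.split(",")
        yield proto, src, int(sport), dst, int(dport), int(nbytes)

def service_map(text):
    """Return {(server_ip, proto, port): set(client_ips)} for hosts in SERVERS.
    The end with the lower port number is assumed to be the service (heuristic:
    ephemeral client ports are normally high, well-known service ports low)."""
    services = defaultdict(set)
    for proto, src, sport, dst, dport, _ in parse_flows(text):
        if dport < sport:
            server, port, client = dst, dport, src
        else:
            server, port, client = src, sport, dst
        if server in SERVERS:
            services[(server, proto, port)].add(client)
    return dict(services)

def dependencies(text):
    """Return {server_ip: set((upstream_ip, proto, port))}: the services that a
    server consumes from other servers, i.e. the dependency edges the answer describes."""
    deps = defaultdict(set)
    for (server, proto, port), clients in service_map(text).items():
        for client in clients:
            if client in SERVERS:
                deps[client].add((server, proto, port))
    return dict(deps)
```

Both directions of a conversation collapse onto the same key, so the result is the per-server service list the question asks for, with the set of clients that actually use each port.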