I spent the past week learning about passive service discovery (PSD), and how it compares against active service discovery.
PSD works on the principle of non-disruptive traffic analysis. In simpler words, it sends no packets of its own, so it does not interfere with the traffic on the network and no other host can tell from the wire that it is running (the monitoring host is still physically attached, and the mirror session is visible in the switch configuration, so "invisible" holds for hosts, not for the network administrator). Services are identified purely by observing and analysing the traffic that is already flowing: a host that answers a TCP SYN with a SYN/ACK has a listener on that port, and whatever the server sends first (an HTTP Server header, a MySQL greeting) tells you which service it is. A service that nobody talks to during the capture is never seen, which is the price paid for not probing.
PSD requires support from the network sysadmin. A switch forwards each unicast frame only to the port where its destination MAC address was learnt, so a host plugged into a spare port sees only broadcasts and its own traffic. To monitor other hosts' traffic we make use of a feature available on managed switches and routers: port mirroring (SPAN on Cisco switches). Port mirroring copies the frames passing through one or more source ports (or a whole VLAN) out of a designated destination port, to which the host that captures and analyses the packets is attached. Two practical caveats: the destination port usually carries only mirrored traffic, so the monitoring host needs a second interface if it must also reach the network, and if the sum of mirrored traffic exceeds the destination port's bandwidth the switch silently drops frames, so a capture from a busy segment can be incomplete.
<Insert CISCO 2960 switch picture>
I set up a switch in the Cisco lab at PES Institute of Technology (CISCO-2960) which had support for port mirroring. I spent some time understanding how that particular switch worked, and I thoroughly enjoyed it. I learnt how to access a switch in console mode via minicom, and realised that I could fix my home router, which I had bricked a few months ago, in the same way.

I hooked up three machines in the lab to the switch (C1, C2, C3). C1 was connected to port 1, C2 to port 3, and C3 to port 21. C1 and C3 were the hosts being monitored and C2 was the destination host (port mirroring was set up). I verified the topology, and that port mirroring was indeed working, by running Wireshark on C2 and setting up communication between C1 and C2. I ran an Nginx web server, a PHP5 server and a MySQL server on C1 and accessed them from C3. C2 was collecting all the traffic data in the network, and after some time I saved a pcap file which will act as seed data to run service identification.
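As an added example of the identification step that the saved pcap feeds into (this is not code from the original post, and it uses only the Python standard library), the block below builds a small constructed capture in memory, shaped like the C1/C3 traffic C2 would see on the mirror port, and then applies the two passive rules from above: a SYN/ACK proves a listener, and the first bytes a server sends give the banner. The IP addresses, MAC addresses, ports and version strings are all constructed sample data, and the MySQL and HTTP banner heuristics are deliberately minimal. The same `identify_services` function works on a real classic-pcap file read from disk, provided it was written with the native little-endian magic.

```python
"""Passive service identification over a libpcap capture (stdlib only).

Added example, not from the original post. Builds a constructed capture
resembling C3 talking to C1 as seen from the mirror port on C2, then lists
the listeners it can prove from observation alone. All addresses, MACs and
version strings are constructed sample data.
"""
import struct
from socket import inet_aton, inet_ntoa

C1, C3 = "10.0.0.1", "10.0.0.3"                       # assumed lab addresses
MAC1, MAC3 = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x03"
SYN, ACK, PSH = 0x02, 0x10, 0x08


def tcp_frame(src, dst, smac, dmac, sport, dport, flags, payload=b""):
    """Build Ethernet/IPv4/TCP bytes. Checksums are left 0: we only parse them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, 6, 0, inet_aton(src), inet_aton(dst))
    return dmac + smac + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Serialise frames as a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield raw frames from a classic pcap buffer (24-byte header, 16-byte records)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    off_flags, = struct.unpack_from("!H", frame, t + 12)
    doff = (off_flags >> 12) * 4
    return src, dst, sport, dport, off_flags & 0x1FF, frame[t + doff:]


def banner(payload):
    """Guess the service from the first bytes a server sends (minimal heuristics)."""
    if payload.startswith(b"HTTP/"):
        hdrs = dict(l.split(b": ", 1) for l in payload.split(b"\r\n")[1:] if b": " in l)
        return "http", hdrs.get(b"Server", b"?").decode(), hdrs.get(b"X-Powered-By", b"").decode()
    # MySQL handshake v10: 3-byte length, 1-byte seq, 0x0a, NUL-terminated version string
    if len(payload) > 5 and payload[4] == 0x0A and b"\x00" in payload[5:]:
        return "mysql", payload[5:payload.index(b"\x00", 5)].decode(), ""
    return None


def identify_services(pcap_bytes):
    """Map (ip, port) -> {'proto', 'banner', 'extra'} for every listener proven by a SYN/ACK."""
    services = {}
    for frame in read_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags, payload = p
        if flags & SYN and flags & ACK:               # a SYN/ACK proves a listener on (src, sport)
            services.setdefault((src, sport), {"proto": "?", "banner": "", "extra": ""})
        if (src, sport) in services and payload:      # only server-side data is used for banners
            b = banner(payload)
            if b:
                services[(src, sport)].update(proto=b[0], banner=b[1], extra=b[2])
    return services


def sample_capture():
    """Constructed capture: C3 fetches a page from C1 and opens a MySQL connection."""
    http_rsp = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.4.6\r\n"
                b"X-Powered-By: PHP/5.5.9\r\nContent-Length: 0\r\n\r\n")
    body = b"\x0a" + b"5.5.47-0ubuntu0.14.04.1\x00" + b"\x01\x00\x00\x00"
    mysql_hs = struct.pack("<I", len(body))[:3] + b"\x00" + body
    return build_pcap([
        tcp_frame(C3, C1, MAC3, MAC1, 51000, 80, SYN),
        tcp_frame(C1, C3, MAC1, MAC3, 80, 51000, SYN | ACK),
        tcp_frame(C3, C1, MAC3, MAC1, 51000, 80, PSH | ACK, b"GET / HTTP/1.1\r\nHost: c1\r\n\r\n"),
        tcp_frame(C1, C3, MAC1, MAC3, 80, 51000, PSH | ACK, http_rsp),
        tcp_frame(C3, C1, MAC3, MAC1, 51001, 3306, SYN),
        tcp_frame(C1, C3, MAC1, MAC3, 3306, 51001, SYN | ACK),
        tcp_frame(C1, C3, MAC1, MAC3, 3306, 51001, PSH | ACK, mysql_hs),
        tcp_frame(C3, C1, MAC3, MAC1, 51002, 22, SYN),   # never answered: not reported
    ])


if __name__ == "__main__":
    for (ip, port), info in sorted(identify_services(sample_capture()).items()):
        print(f"{ip}:{port:<5} {info['proto']:<6} {info['banner']} {info['extra']}")
```

Note what the unanswered SYN to port 22 illustrates: passive discovery reports only what it has evidence for, so a port that is closed, filtered, or simply never contacted during the capture window is absent from the result rather than marked closed, which is the main thing that separates this output from an active scan's.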