Systems and methods for determining the network topology of a network
First Claim
1. A method for passively and automatically identifying a router on a network, comprising:
- reading a first packet transmitted on the network;
- decoding the first packet into a first plurality of protocol fields;
- identifying a first one of address resolution protocol and dynamic host configuration protocol from the first plurality of protocol fields;
- identifying a first Internet protocol address and a first primary media access control address from the first one of address resolution protocol and dynamic host configuration protocol;
- reading a second packet transmitted on the network;
- decoding the second packet into a second plurality of protocol fields;
- identifying a second one of address resolution protocol and dynamic host configuration protocol from the second plurality of protocol fields;
- identifying a second Internet protocol address and a second primary media access control address from the second one of address resolution protocol and dynamic host configuration protocol;
- reading a third packet transmitted on the network;
- decoding the third packet into a third plurality of protocol fields;
- identifying an Internet protocol address and a media access control address from the third plurality of protocol fields; and
- if the Internet protocol address comprises the second Internet protocol address and the media access control address comprises the first primary media access control address, then identifying an initiator of the first packet as the router.
Abstract
A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or from subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
22 Claims
1. A method for passively and automatically identifying a router on a network (independent claim 1; given in full under First Claim above). Dependent claims: 2, 3, 4.
5. A method for passively and automatically identifying a router on a network, comprising:
- reading a first packet transmitted on the network;
- decoding the first packet into a first plurality of protocol fields;
- identifying a first one of address resolution protocol and dynamic host configuration protocol from the first plurality of protocol fields;
- identifying a first Internet protocol address and a first primary media access control address from the first one of address resolution protocol and dynamic host configuration protocol;
- reading a second packet transmitted on the network;
- decoding the second packet into a second plurality of protocol fields;
- identifying an Internet protocol address and a media access control address from the second plurality of protocol fields, wherein the Internet protocol address does not comprise the first Internet protocol address and the media access control address comprises the first primary media access control address;
- determining a number of hops traveled by the second packet from the second plurality of protocol fields; and
- if the number of hops is not equal to zero, identifying an initiator of the first packet as the router.
Dependent claims: 6, 7, 8.
9. A method for passively and automatically identifying a subnet on a network, comprising:
- reading a first packet transmitted on the network;
- decoding the first packet into a first plurality of protocol fields;
- identifying a first one of address resolution protocol and dynamic host configuration protocol from the first plurality of protocol fields;
- identifying a first Internet protocol address and a first primary media access control address from the first one of address resolution protocol and dynamic host configuration protocol;
- reading a second packet transmitted on the network;
- decoding the second packet into a second plurality of protocol fields;
- identifying a second one of address resolution protocol and dynamic host configuration protocol from the second plurality of protocol fields;
- identifying a second Internet protocol address and a second primary media access control address from the second one of address resolution protocol and dynamic host configuration protocol;
- reading a third packet transmitted on the network;
- decoding the third packet into a third plurality of protocol fields;
- identifying a source Internet protocol address, a source media access control address, a destination Internet protocol address, and a destination media access control address from the third plurality of protocol fields; and
- if the source Internet protocol address comprises the first Internet protocol address, the source media access control address comprises the first primary media access control address, the destination Internet protocol address comprises the second Internet protocol address, and the destination media access control address comprises the second primary media access control address, then identifying a network encompassing an initiator of the first packet and an initiator of the second packet as the subnet.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.
18. A method for passively and automatically determining a distance between a first subnet and a second subnet on a network, comprising:
- identifying a network device with a network device Internet protocol address, a network device primary media access control address, and a network device time-to-live value on the first subnet;
- identifying a router with a router Internet protocol address and a router primary media access control address on the second subnet;
- reading a packet transmitted on the network;
- decoding the packet into a plurality of protocol fields;
- identifying a source Internet protocol address, a source media access control address, a destination Internet protocol address, and a packet time-to-live value from the plurality of protocol fields; and
- if the source Internet protocol address comprises the network device Internet protocol address, the source media access control address comprises the router primary media access control address, and the destination Internet protocol address is within an address space of the second subnet, then determining the distance as the difference between the network device time-to-live value and the packet time-to-live value.
Dependent claims: 19.
20. A method for passively and automatically creating an inferred subnet on a network, comprising:
- identifying a router with a router Internet protocol address and a router primary media access control address on a known subnet;
- reading a packet transmitted on the network;
- decoding the packet into a plurality of protocol fields;
- identifying a source Internet protocol address, a source media access control address, and a destination Internet protocol address from the plurality of protocol fields; and
- if the address space of the known subnet does not encompass the source Internet protocol address, the source media access control address comprises the router primary media access control address, and the destination Internet protocol address is within an address space of the known subnet, then creating the inferred subnet and adding the source Internet protocol address to the inferred subnet.
Dependent claims: 21, 22.
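The independent claims above (1, 9, 18 and 20) all follow one pattern: bind each IP to a primary MAC from the host's own ARP or DHCP traffic, then judge later IP packets by whether the MAC on the frame is the one the source IP itself announced. The Python below is an added example written for this page, not code from the patent or its assignee. It assumes packets arrive already decoded into a dict of fields (`proto`, `src_ip`, `src_mac`, `dst_ip`, `dst_mac`, `ttl`), that the address spaces of known subnets are supplied as a configuration table, and it generalises claim 20 slightly by testing the source against every known subnet rather than only the router's own. Claim 5 (the hop-count variant of claim 1) is not implemented. The packet trace is constructed for the demonstration.

```python
"""Passive topology inference over decoded packets (added example, not the
patent's own code).  Packets are dicts of already-decoded protocol fields;
the sample trace and the known-subnet table are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    mac: str                 # primary MAC bound to the IP by ARP or DHCP
    ttl: int | None = None   # TTL seen in packets the host sent with its own MAC


@dataclass
class Topology:
    known: dict = field(default_factory=dict)      # subnet name -> IPv4Network (assumed input)
    hosts: dict = field(default_factory=dict)      # IP -> Host
    routers: set = field(default_factory=set)      # IPs identified as routers (claim 1)
    links: set = field(default_factory=set)        # frozenset of two IPs on one subnet (claim 9)
    inferred: dict = field(default_factory=dict)   # subnet name -> set of IPs (claim 20)
    distances: dict = field(default_factory=dict)  # (device IP, subnet name) -> hops (claim 18)

    def mac_owner(self, mac: str) -> Host | None:
        """Host whose primary MAC is `mac`, if one has been learned."""
        return next((h for h in self.hosts.values() if h.mac == mac), None)

    def subnet_of(self, ip: str) -> str | None:
        """Name of the known subnet whose address space contains `ip`, else None."""
        addr = ipaddress.ip_address(ip)
        return next((name for name, net in self.known.items() if addr in net), None)

    def observe(self, pkt: dict) -> None:
        if pkt["proto"] in ("arp", "dhcp"):
            # ARP and DHCP carry the sender's own IP/MAC pair: that is its primary MAC.
            self.hosts.setdefault(pkt["src_ip"], Host(pkt["src_ip"], pkt["src_mac"]))
            return
        if pkt["proto"] != "ip":
            return
        src = self.hosts.get(pkt["src_ip"])
        dst = self.hosts.get(pkt["dst_ip"])
        owner = self.mac_owner(pkt["src_mac"])
        if src is not None and src.mac == pkt["src_mac"]:
            src.ttl = pkt["ttl"]  # sent with its own MAC: this is the device's own TTL
        if src and dst and src.mac == pkt["src_mac"] and dst.mac == pkt["dst_mac"]:
            # Claim 9: both endpoints used their primary MACs, so they share a subnet.
            self.links.add(frozenset((src.ip, dst.ip)))
        if owner is None or owner.ip == pkt["src_ip"]:
            return
        # Claim 1: the frame carries `owner`'s primary MAC but another host's IP,
        # so `owner` forwarded it on that host's behalf: it is a router.
        self.routers.add(owner.ip)
        dst_net = self.subnet_of(pkt["dst_ip"])
        if dst_net is None or self.subnet_of(owner.ip) != dst_net:
            return  # claims 18 and 20 need the router to sit on the destination's subnet
        if self.subnet_of(pkt["src_ip"]) is None:
            # Claim 20: the source lies outside every known subnet yet reached us through
            # this router, so it belongs to a subnet inferred to lie behind the router.
            self.inferred.setdefault(f"behind-{owner.ip}", set()).add(pkt["src_ip"])
        elif src is not None and src.ttl is not None:
            # Claim 18: distance = the device's own TTL minus the TTL after forwarding.
            self.distances[(src.ip, dst_net)] = src.ttl - pkt["ttl"]


def demo() -> Topology:
    """Run the constructed packet trace through the analyzer and return the result."""
    topo = Topology(known={"A": ipaddress.ip_network("10.0.1.0/24"),
                           "B": ipaddress.ip_network("10.0.2.0/24")})
    packets = [
        # Hosts announce their IP/MAC pairs via ARP and DHCP.
        {"proto": "arp", "src_ip": "10.0.1.20", "src_mac": "aa:00:00:00:01:20"},
        {"proto": "dhcp", "src_ip": "10.0.2.1", "src_mac": "aa:00:00:00:02:01"},
        {"proto": "arp", "src_ip": "10.0.2.50", "src_mac": "aa:00:00:00:02:50"},
        # 10.0.1.20 sends with its own MAC on subnet A: its TTL of 64 is recorded.
        {"proto": "ip", "src_ip": "10.0.1.20", "src_mac": "aa:00:00:00:01:20",
         "dst_ip": "10.0.1.1", "dst_mac": "aa:00:00:00:01:01", "ttl": 64},
        # 10.0.2.50 and 10.0.2.1 exchange frames directly: same subnet (claim 9).
        {"proto": "ip", "src_ip": "10.0.2.50", "src_mac": "aa:00:00:00:02:50",
         "dst_ip": "10.0.2.1", "dst_mac": "aa:00:00:00:02:01", "ttl": 128},
        # 10.0.1.20's packet arrives on subnet B carrying 10.0.2.1's MAC, two hops
        # later: 10.0.2.1 is a router (claim 1) and A is 2 hops from B (claim 18).
        {"proto": "ip", "src_ip": "10.0.1.20", "src_mac": "aa:00:00:00:02:01",
         "dst_ip": "10.0.2.50", "dst_mac": "aa:00:00:00:02:50", "ttl": 62},
        # An address outside every known subnet arrives through the router (claim 20).
        {"proto": "ip", "src_ip": "192.168.7.9", "src_mac": "aa:00:00:00:02:01",
         "dst_ip": "10.0.2.50", "dst_mac": "aa:00:00:00:02:50", "ttl": 250},
    ]
    for pkt in packets:
        topo.observe(pkt)
    return topo
```

Two properties of the method are visible in the trace. Claim 18 only yields a distance when the sensor has seen the device send with its own MAC (to learn its TTL) and later seen the forwarded copy, so a single tap on one segment cannot produce it. And because every inference rests on the IP-to-MAC bindings learned from ARP and DHCP, a host that announces a false pair will be treated as the owner of that MAC, so a deployment should watch for an IP that rebinds to a new primary MAC before trusting the router and subnet conclusions built on it.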
Specification