Intrinium Network Map Builder
The Network Map Builder takes one or more XML Nmap scan results and creates a network map in Microsoft Visio 2010 for easier understanding of the network layout.
To produce the network map efficiently, several optional Nmap flags are needed. The bare minimum requirement is to output the results in XML format; enhanced mapping results are possible by including route tracing and device/OS type detection. The standard command used to create a simple network map at Intrinium is as follows:
nmap -sSUV --top-ports=15 -T4 -v -O --version-light --traceroute --script=ms-sql-info,nbstat,smb-os-discovery,snmp-sysdescr --script-args snmpcommunity=<client snmp community string> -oX <xml output file> <subnets to scan>
- -sSUV – Activates scripts and detection capabilities.
- --top-ports – This limits the scan to the 15 most common ports when identifying systems, for speed. No matter how many ports are scanned, all port information will be attached to the object properties, so it is perfectly fine to scan all ports.
- -T4 – Shortens the allowed response times as these are internal networks and should have very little delay in responses.
- -v – An Nmap scan can take a long time, and the verbose switch forces Nmap to output more information to the screen so you know it is still working. The excess verbose information in the output file will be ignored during mapping.
- -O – The capital O flag enables operating system detection. This is used to determine the device type and use an appropriate icon in Visio. The network mapper will warn you if no OS detection is found in the results.
- --version-light – Limits OS detection to the most common and non-invasive OS tests for speed and safety.
- --traceroute – This forces Nmap to run a traceroute to each device so hops and distances will be available on the network map. The network mapper will warn you if no trace information is available in the results, as a failure to trace will just attach all items to a single central fake switch.
- --script – The most important script in the scripting block is ‘smb-os-discovery’, which is used to differentiate between server types.
- -oX – The oX flag forces Nmap to create an XML output file in the specified location. This is required to use the network mapper, as the normal text output is not easily parsable.
There are several options within the Visio portion of the network mapper which are used to choose which objects to import, aggregate objects, fix minor errors, and alter the output.
- Import Objects – The first group of checkboxes determines which objects are imported from the Nmap scan(s).
  - Server – Include devices classified as servers by OS detection.
  - Workstations – Include workstations as classified by OS detection.
  - Misc. Networking – This includes devices which are classified as networking devices, but do not seem to route anywhere, firewalls, etc.
  - Unknowns – Most other unlisted device types like PBX, SANs, etc.
  - Printers – Include devices identified as printers.
- Aggregation – There is a limit on the number of objects which can be in a single workspace in Visio (about 3500), and aggregation is used to lower the number of objects shown while still presenting the overall map. This is done by making any duplicate device types into a single device that counts the number of devices, like “2 routers” or “84 windows workstation”.
  - Aggregate Devices – Turns aggregation on or off. If the worksheet device limit is reached, the mapper will warn you and let you continue or cancel. Continuing may lock up Visio.
  - Not Servers – Servers are not aggregated and show as single devices.
  - Not Networking – Networking devices are not aggregated and show as single devices. Note that networking devices which connect other devices are always shown regardless, so the network map builds correctly.
- Fix Reset Ghosts – Some networking setups involve switches and gateways which reset unroutable traffic instead of dropping it. This leads Nmap to think the device exists and creates a ghost switch which shows up on the network map. Checking this fix will remove these devices from the map.
- Output – If an output is selected prior to import, it will automatically be applied to the import; otherwise an output can be selected afterwards and the ‘Reformat Now’ button will apply the output style to the current document's devices.
  - Unformatted – No changes will be made to the output format. An unformatted import will place all items in a block with network routing devices starting on the top left.
  - Spiral – A spiral layout will use a tightening spiral to ensure highly connected devices do not take too much space. The connector style is not altered from the Visio default, so you may want to change to straight line styles for improved looks.
  - Radial – A radial layout is like the Visio in-built radial layout, but will prevent rings from being located within other, larger rings. The connector style is not altered from the Visio default, so you may want to change to straight line styles for improved looks.
- Direction – If spiral or radial output is selected, you will need to choose a layout direction. This determines how the groups of objects are arranged in the overall network map.
  - Tight – In tight mode, the mapper will attempt to cluster everything around the most connected device in the scan. This uses the least amount of space for layout.
  - South – The most connected device will be at the top of the diagram and a tree will be created below the device. In general it looks somewhat like an organizational chart.
  - East – The same as south, but rotated counter-clockwise by 90 degrees so the connected device is on the left and everything builds to the right.
Pressing the ‘Import Nmap Results’ button will let you select one or more XML files to import and map. If multiple files have overlapping information, you will be prompted to merge or to ignore extra entries. This is useful when scans failed or an important option, like --traceroute, was forgotten in a scan.
During the mapping phase Visio will appear to be frozen and may remain in this state for up to twenty minutes, depending on your system's capabilities and the amount of data to process. Occasionally you may see a few devices appear on the screen, but this is not a consistent indicator of progress.
When finished, a message box will pop up with basic information on the diagram and the time taken during processing. At this point you can have the mapper resize the workspace to fit the objects or wait and do it later. Unfortunately, the resize process cannot be automatic as a part of mapping, since Visio does not recognize the devices until they have all been repainted on the screen and user input is available (which the message box accomplishes).
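To check scan files before a long import, the following Python sketch (an added example, not part of the Network Map Builder source) reads Nmap XML and reports the hosts that lack OS-detection or traceroute data, the two conditions the mapper warns about, then counts device types the way aggregation would. The sample XML, the `preflight` function, the `scanner` source label and the `central-switch` node name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in Nmap's -oX layout; addresses and OS names are made up.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/>
 <os><osmatch name="Microsoft Windows 7"><osclass type="general purpose"/></osmatch></os>
 <trace><hop ttl="1" ipaddr="10.0.0.1"/><hop ttl="2" ipaddr="10.0.1.20"/></trace></host>
<host><status state="up"/><address addr="10.0.1.21" addrtype="ipv4"/>
 <os><osmatch name="Microsoft Windows 7"><osclass type="general purpose"/></osmatch></os>
 <trace><hop ttl="1" ipaddr="10.0.0.1"/><hop ttl="2" ipaddr="10.0.1.21"/></trace></host>
<host><status state="up"/><address addr="10.0.2.5" addrtype="ipv4"/></host>
<host><status state="down"/><address addr="10.0.2.9" addrtype="ipv4"/></host>
</nmaprun>"""

FAKE_SWITCH = "central-switch"  # hypothetical name for the fallback node

def preflight(xml_text, source="scanner"):
    """Summarise what a map could be built from in one Nmap XML document."""
    report = {"types": {}, "links": set(), "no_os": [], "no_trace": []}
    for host in ET.fromstring(xml_text).iter("host"):
        status, addr_el = host.find("status"), host.find("address")
        if addr_el is None or (status is not None and status.get("state") != "up"):
            continue  # skip hosts that did not answer
        addr = addr_el.get("addr")
        osclass = host.find(".//osclass")  # present only when -O got a match
        if osclass is None:
            report["no_os"].append(addr)
        report["types"][addr] = "unknown" if osclass is None else osclass.get("type", "unknown")
        hops = sorted(host.iter("hop"), key=lambda h: int(h.get("ttl", "0")))
        path = [source] + [h.get("ipaddr") for h in hops]
        if not hops:  # no --traceroute data: hang the host off one placeholder
            report["no_trace"].append(addr)
            path = [source, FAKE_SWITCH, addr]
        elif path[-1] != addr:
            path.append(addr)  # trace stopped short of the target
        report["links"].update(zip(path, path[1:]))
    # Aggregation view: one count per device type instead of one node per host.
    report["aggregate"] = Counter(report["types"].values())
    return report

if __name__ == "__main__":
    r = preflight(SAMPLE_XML)
    for key in ("no_os", "no_trace"):
        if r[key]:
            print(f"warning: {key} for {', '.join(r[key])}")
    print(dict(r["aggregate"]), sorted(r["links"]))
```

Hosts listed under `no_os` or `no_trace` are the ones worth rescanning with -O or --traceroute and merging in as a second file.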
Network Map Output Examples
Radial Output, South Direction.
Spiral Output, Tight Direction.
Small subgroup showing device properties on a Cisco switch, a hidden switch found by decremented TTL, and the system used as the source scanner.
This application is covered under the GPLv3 and you may download the source code and/or installer by clicking on the appropriate links below. Please note that this program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY OR SUPPORT; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- ImportNetworkMap – Zip file containing Visual Studio 2010 source code