Network Tools

Training videos at SecurityTube

Wireshark and its command line version Tshark; also consider TCPdump, nGREP, Cloudshark, and LANGuardian.

nmap, with its GUI version Zenmap; also consider Skipfish, Ipscan, and Umit.

Suricata; also consider BroIDS and Snort. The IDS decision should work with your network firewall (such as pfSense) decision and with your SIEM (such as OSSIM or Security Onion) decision.

OpenVAS (the open source of Nessus)

Use nmap to create your network inventory. See “Creating an inventory with nmap network scanning” by Ronald McCarty, Contributor to SearchEnterpriseLinux.com

nmap -O -oG report.txt 192.168.1.0/24

grep “OS:” report.txt | sed ‘s/Host: //’ | sed ‘s/Ports.*OS://’ | sed ‘s/Seq.*$//’ | sed ‘s/(//’ | sed ‘s/)//’ | awk ‘{print “\”” $1 “\”,\””$2″\”,” $3 ” ” $4 ” ” $5 ” ” $6 ” ” $7 ” ” $8 ” ” $9 ” ” $10 ” ” $11 ” ” $12 ” ” $13 ” ” $14 “\””}’ >report.csv

For more on nmap, see “Using nmap for Linux administration and security” at http://searchenterpriselinux.techtarget.com/tip/Using-nmap-for-Linux-administration-and-security

• testmy.net for testing your network speed
• Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It’s based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes.
  Security Onion tutorial: Analyze network traffic using Security Onion
• The Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu 12.04 LTS. It comes with many tools aimed at active defense preinstalled and configured. The purpose of this distribution is to aid defenders by giving them tools to “strike back” at the bad guys.ADHD has tools whose functions range from interfering with the attackers’ reconnaissance to compromising the attackers’ systems. Innocent bystanders will never notice anything out of the ordinary as the active defense mechanisms are triggered by malicious activity such as network scanning or connecting to restricted services.
• OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.
• Lynis Auditing Tool scans Linux systems and available software to report general system information, installed packages, detect security issues and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems.
• network-tools.com Ping, lookup, trace, whois, DNS records, network lookup
• OpenDNSSEC Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.
• DNS Stuff Troubleshoot issues with DNS, connectivity, and email.
• DomainTools.com whois, DNS lookup
• Nslookup.exe is a command-line administrative tool for testing and troubleshooting DNS servers.
• NetDot collect, organize and maintain network documentation.
• Keynote is a network performance tool.
• Trisul Network Metering and Forensics is a Linux based application that passively listens to network traffic and tracks a number of traffic metrics across all layers. It correlates these traffic metrics with raw flow data and full packet captures. You can even add in alerts from an IDS to complete the picture.
• Cacti is a complete network graphing solution designed to harness the power of RRDTool‘s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices.
• Munin a networked resource monitoring graphing tool that analyzes resource trends and problems.
• GLPI information resource manager with an additional administration interface. It maintains a precise inventory of all the technical resources in your network, storing all their characteristics in a database. It also manages and stores the history of the maintenance actions and bound procedures.
• Zenoss Enterprise is a model-driven management product that improves the delivery of IT service to business applications and supporting infrastructure in the dynamic datacenter. It’s one product that unifies the management of physical, virtual and cloud-based infrastructures, no matter where they exist.
• WindowsSCOPE applications include cyber defense, cyber attack detection, digital forensics, and memory forensics, memory behavior analysis for windows applications and reverse engineering activities, along with manual access and automated analysis.
• Observium is “an autodiscovering PHP/MySQL/SNMP-based network monitoring [tool].” It focuses on Linux, UNIX, Cisco, Juniper, Brocade, Foundry, HP, and more. Observium offers detailed graphs and an easy-to-use interface. It can monitor a huge number of processes and systems. The only downside is a lack of auto alerts, but you can set up Observium alongside a tool like Nagios for up/down alerts.
• Nagios isn’t the easiest tool to set up and configure (you have to manually edit configuration files), but it is powerful. The manual configuration actually makes Nagios one of the most flexible network monitors around. Nagios includes a vast number of features. You can even set up email, SMS, and printed paper alerts.
• Ganglia is a “scalable distributed monitoring system” focused on clusters and grids. It gives you a quick and easy-to-read overview of your entire clustered system. This monitor has been ported to many platforms and is used on thousands of clusters around the world. Anyone who employs server clusters should have Ganglia monitoring that system. Ganglia can scale to handle clusters with as many as 2,000 nodes.
• Spiceworks is one of the industry standard free network/system monitoring tools. You have to put up with some ads, but the features and Web-based interface are topnotch. Spiceworks monitors and autodiscovers your systems, alerts you if something is down, and provides excellent topographical tools. Spiceworks also lets you get social with fellow IT pros via the Spiceworks community, which is built right in.
• Zabbix is a network monitoring tool that offers user-defined views, zooming, and mapping on its Web-based console. It also offers agent-less monitoring, collects nearly ANY kind of data you want to monitor, does availability and SLA reporting, and can monitor up to 10,000 devices. Zabbix can enable an audible alert.
• NagiosGraph parses output and performance data from Nagios plug-ins, stores the data in RRD (an open source industry standard) files, and creates graphs and reports from the data.
• Icinga, a fork of Nagios, network management
• Netdisco network management
• Suricata, from the Open Information Security Foundation, is an Open Source intrusion detection and prevention engine (IDS/IPS). Suricata is multi-threaded, has native IPv6 support, capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.
• Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and over 270,000 registered users, Snort has become the de facto standard for IPS. Capable of performing real-time traffic analysis and packet logging on IP networks, Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
• Aanval is a Snort and syslog intrusion detection, correlation and management console.
• AIEngine is a packet inspection engine with capabilities of learning without any human intervention. It helps network/security professionals to identify traffic and develop signatures for use them on NIDS, Firewalls, Traffic classifiers and so on.
• The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. Samhain been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host. Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).
• PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks – from small to very large heterogeneous networks.
  • BYOD – Let people bring their own devices
  • Provide guest access
  • Role-based access control
  • Perform compliance checks
  • Eliminate malware
  • Simplify network management
• Fluke Networks Switch Port Monitor utility provides visibility into network switches to help you solve common LAN problems. Monitoring switch statistics can reveal duplex mismatches, cabling problems, defective NICs and ports, device connectivity issues, and highly utilized ports (which could indicate bandwidth-hungry users or applications). Get switch statistics in two steps: 1) identify the SNMP-enabled switch to monitor, 2) specify the SNMP community string.
  With the Switch Port Monitor utility you can:
  • Verify port names, speeds and status
  • Monitor packet activity, errors and utilization by port
  • Set custom alerts for proactive troubleshooting
  • Document switch statistics
  • Save switch profiles

   

• Rokario’s free Bandwidth Monitor 2 Lite Edition tracks bandwidth use in real time.
• Totusoft’s free LAN Speed Test designed to accurately measure LAN speeds.
• CHScanner is an ARP, IPv4 and IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information’s and Windows shares, SNMP information, and WMI (WBEM) information. It also has the ability to turn on (using Wake-On-LAN) and shutdown or reboot a remote Windows host. Furthermore it has features like, an automatic (scriptable) working mode, a hunt mode, a passive mode, and the normal scanning mode.
• LizardSystems Network Scanner scans the network using a list of computers or a range of IP addresses and shows all found computer resources. The program will show not only NetBIOS (Samba) resources, but also FTP and web resources and will also check access rights to these resources.
• SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).  In addition, it allows you to mount shared folders as network drives, browse them using Windows Explorer, filter the results list and more. SoftPerfect Network Scanner can also check for a user-defined port and report back if one is open. It can also resolve host names and auto-detect your local and external IP range. It supports remote shutdown and Wake-On-LAN.
• Raw Logic Software’s free Netbrute Scanner allows you to scan a single computer or multiple IP addresses for available Windows File & Print Sharing resources. This is probably one of the most dangerous and easily exploitable security holes. It is common for your novice users to have their printers or their entire hard drive shared without being aware of it. This utility will help you to find these resources, so you can secure them with a firewall or by informing your users how to properly configure their shares with tighter security.PortScan allows you to scan a single computer or multiple IP addresses for available Internet services. This will allow you to identify which TCP ports need to be blocked by your firewall, if you wish to secure them. Or it will allow you to identify unused services that are running, so they can be stopped.WebBrute will allow you to scan your web directories that are protected with HTTP authentication, testing the security strength of your users’ passwords. This will allow you to better enforce your password maintenance policies to ensure that your users are not using easily guessed passwords, or passwords that match their username.
• Introducing Network Analysis [pdf]
• Packetstan, a blog about packets, tools and bacon
• List of Network Monitoring Tools, maintained by Stanford Linear Accelerator Center (SLAC)
• EtherApe, a graphical network monitor
• TCPdump network traffic monitor and protocol interpreter (“sniffer”). See also:
  • Chapter 8 Tcpdump: An Open Source Tool for Analyzing Packets of Open Source Network Administration by James M. Kretchmar
  • TCPdump: Qualify traffic and create a traffic collection statement from part 3 of “The router is the firewall: Configuring CBAC,” by Michael J. Martin
• netsh trace (built into Windows 7, Windows Server 2008 or later) can be used to capture packets. See No Wireshark? No TCPDump? No Problem!
• NetDirector is an open source tool that allows system administrators to configure network services and maintain large numbers of Linux, Solaris and BSD servers remotely from a Web browser running on any platform. The tool is most useful to two groups of users: administrators new to Linux who prefer a graphical management interface, and experienced administrators seeking an easier way to manage large groups of servers.
• Network protocol analyzers: Using the New Microsoft Network Monitor (netmon) 3.3 with Network Experts Microsoft offers a free network protocol analyzer (“sniffer”) you may wish to use instead of Wireshark (formerly Ethereal). Do not neglect the console program (TShark) bundled with Wireshark.
• Wireshark [video] and Netmon could be considered the “training wheels” of network monitor (“sniffer”) software; easy to use but not easy to scale. netsniff-ng can be used for protocol analysis and reverse engineering, network debugging, measurement of performance throughput or network statistics creation of incoming packets. Graduate to Argus when you need to analyze large volumes of traffic. Read Argus – Auditing network activity [pdf] by Russ McRee.
• Trisul is a new kind of network monitor that supplements fine grained traffic metering with flows, packets, and alerts. You can carry out any kind of network and security analysis.
• Mptcp Packet Manipulato helps diagnose and test scenarios that use TCP/IP packets. It can be used to send certain types of packet to any target as well as manipulate various fields at runtime, such as Source/Destination IP address and Source/Destination MAC address.
• Netzob is an opensource tool which supports the expert in its operations of reverse engineering, evaluation and simulation of communication protocols. Its main goals are to help security evaluators to:
  • Assess the robustness of proprietary or unknown protocols implementation.
  • Simulate realistic communications to test third-party products (IDS, firewalls, etc.).
  • Create an open source implementation of a proprietary or unknown protocol.
• Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
• NetRouteView (NirSoft) is a GUI version of route.exe, for Windows (NirLauncher is a package of more than 100 portable freeware utilities for Windows, all of them developed for NirSoft Web site during the last few years.)
• nProbe an Extensible NetFlow v5/v9/IPFIX GPL Probe for IPv4/v6
• SolarWinds free tools including WMI Monitor and Netflow Analyzer
• Exchange Monitor Solarwinds: Exchange health monitor
• TFTP Server Solarwinds: Upload & download executable images
• NetFlow Configurator Solarwinds: Automatically & remotely configure NetFlow
• Advanced Subnet Calculator Solarwinds: four powerful subnetting tools
• Wake-On-LAN Solarwinds: Remotely power up network PCs
• SNMP Assistant Light-weight Windows® System Tray utility
• ipcalc takes an IP address and netmask and calculates the resulting broadcast, network, Cisco wildcard mask, and host range. By giving a second netmask, you can design sub- and supernetworks. It is also intended to be a teaching tool and presents the results as easy-to-understand binary values.
• Hackerfantastic Net-Tools Web Interface, online network tools to perform network-related functions like GeoIP, whois, host, dig, blacklists, ping, traceroute and nmap. Performs info gathering, DNS zone transfers, ICMP/UDP tests and minimal port scans. Now available as a Firefox search plugin.
• Free Downloads from SolarWinds
• IP Address Tracker Solarwinds: Scan, track and consolidate IP address information
• IP SLA Monitor Solarwinds: Analyze Performance Between Sites
• VM Monitor Solwarwinds: Monitor a VMware® ESX Server
• Real-time NetFlow Analyzer Solarwinds: Monitor network traffic & bandwidth
• Free Kiwi Syslog Server Solarwainds: Receive & manage syslog messages
• Free Kiwi CatTools Solarwinds: Backup & manage network configurations
• Network Magic Essentials, Cisco Systems’ collection full of useful tools (for home network users who don’t have IT experience). Create a network map displaying the devices on your network, and information (IP address, hardware configuration, and software configuration) about each device,  troubleshoot broken network connections and perform other maintenance tasks.
• Spiceworks network monitoring for small and medium business, provides details about devices on your network (free space, total disk space, server connection errors, software inventory). Spiceworks includes a Help Desk ticket system for IT staff.
• PacketTrap remote monitoring for Managed Service Providers (MSPs) Other candidates: n-able.com, Kaseya.com, GFI.com, Logmein.com
• Vyatta is the only complete routing and security solution that offers integrated Layer 3 services for tools like Xen, VMware and Hyper-V. Vyatta takes the concept of virtualization beyond just applications and operating systems and allows you to virtualize the network. With Vyatta, businesses turning to virtualization can now further consolidate their infrastructure and increase security by performing advanced routing and security functions in a virtual and cloud environment.
• PacketShaper from Blue Coat network traffic monitoring
• Cisco Self-Assessments and Study Guides
• Cisco Learning Labs
• Juniper Junospere
• Firewall.cx
• IOS from Cisco network traffic monitoring
• Hardening Cisco IOS Devices presentation
• Free CCNA Lab Educational help for Cisco certifications
• Free Cisco Lab Educational help for Cisco certifications
• Cisco IOS Simulators, such as:
  • Cisco CCNA Network Simulator (CCNA Self-Study, 640-801)
  • Cisco 7200 Simulator
  • Dynagen
  • Dynagui
  • Cisco Packet Tracer (login required)
  • http://routersimulator.certexams.com/
  • http://www.routersim.com/
  • Sem-Sim CCNA Test Router Simulator 2.2.1
  • Router Simulator 1.1
  • http://www.semsim.com/
  • http://www.simulationexams.com/
  • GNS 3.0, a GUI based on dynamips, dynagen and Pemu (Pix emulator). An example of this can be found here: http://www.youtube.com/watch?v=RtqGaJ_B1Ik
• Untangle, an open source gateway / firewall / network filter
• CCNA/CCNP training at The Bryant Advantage (ccie12933’s Channel) on YouTube
• Gartner Magic Quadrant for WAN Optimization Controllers, 2009
• Aberdeen Group Application Delivery Over the WAN: Acceleration Alone is Not Enough [pdf]
• Top 15 Security/Hacking Tools & Utilities

See also: Wireless for wireless network tools