Date of Award
3-2004
Document Type
Thesis
Degree Name
Master of Science
Department
Department of Electrical and Computer Engineering
First Advisor
Richard A. Raines, PhD
Abstract
Network mapping technologies allow quick and easy discovery of computer systems throughout a network. Active mapping methods, such as using nmap, capitalize on the standard stimulus-response behaviour of network systems to probe target systems. In doing so, they create extra traffic on the network, both for the initial probe and for the target system's response. Passive mapping methods work opportunistically, listening for network traffic as it transits the sensor. As such, passive methods generate minimal network traffic overhead. Active methods are still the standard methods for network information gathering; passive techniques are not normally used because of the possibility of missing important information as it passes by the sensor. Configuring the network for passive network mapping also involves more network management. This research explores the implementation of a prototype passive network mapping system, lanmap, designed for use within an Internet Protocol-based local area network. Network traffic is generated by a synthetic traffic generation suite using honeyd and syntraf, a custom Java program that interacts with honeyd. lanmap is tested against nmap to compare the two techniques. Experimental results show that lanmap is quite effective, discovering an average of 76.1% of all configured services (server- and client-side), whereas nmap found only 27.6% of all configured services. Conversely, lanmap discovered 19.9% of the server-side services while nmap discovered 92.7% of the configured server-side services. lanmap discovered 100% of all client-side service consumers while nmap found none. lanmap generated an average of 200 packets of network overhead, while nmap generated a minimum of 8,600 packets on average, up to 155,000 packets at its maximum average value. The results show that, given the constraints of the test bed, passive network mapping is a viable alternative to active network mapping, unless the mapper is looking for server-side services.
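To make the server-side versus client-side distinction in the abstract concrete, the following is an added illustration (not lanmap's code, and not from the thesis) of how a passive mapper infers services purely from observed TCP handshake direction, and how the "configured services found" percentage can be computed. The packet summaries and the configured-service list are constructed sample data.

```python
from collections import namedtuple

# Constructed packet summaries (not captured data): src, sport, dst, dport, TCP flags.
# The last SYN to 10.0.0.12:25 never receives a reply, so that server is never confirmed.
Pkt = namedtuple("Pkt", "src sport dst dport flags")
OBSERVED = [
    Pkt("10.0.0.5", 40123, "10.0.0.10", 80, "S"),
    Pkt("10.0.0.10", 80, "10.0.0.5", 40123, "SA"),
    Pkt("10.0.0.5", 40123, "10.0.0.10", 80, "A"),
    Pkt("10.0.0.7", 51000, "10.0.0.10", 22, "S"),
    Pkt("10.0.0.10", 22, "10.0.0.7", 51000, "SA"),
    Pkt("10.0.0.7", 51001, "10.0.0.12", 25, "S"),
]

# Constructed ground truth, standing in for the thesis's "configured services".
CONFIGURED_SERVERS = {("10.0.0.10", 80), ("10.0.0.10", 22), ("10.0.0.12", 25)}


def passive_map(packets):
    """Infer server-side services and client-side consumers from traffic alone.

    A host that answers a SYN with SYN/ACK is offering a service on that port;
    a host that sends a SYN is consuming a service on the destination port.
    Nothing is ever transmitted, so the mapper's own overhead is zero packets.
    """
    servers, clients, pending = set(), set(), set()
    for p in packets:
        if p.flags == "S":
            clients.add((p.src, p.dport))
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "SA" and (p.dst, p.dport, p.src, p.sport) in pending:
            servers.add((p.src, p.sport))  # confirmed: reply matched an observed SYN
    return {"servers": servers, "clients": clients, "overhead_packets": 0}


def coverage(found, configured):
    """Percentage of configured services the mapper discovered (the abstract's metric)."""
    if not configured:
        return 0.0
    return 100.0 * len(found & configured) / len(configured)


if __name__ == "__main__":
    result = passive_map(OBSERVED)
    print("servers:", sorted(result["servers"]))
    print("clients:", sorted(result["clients"]))
    print("server coverage: %.1f%%" % coverage(result["servers"], CONFIGURED_SERVERS))
```

The silent SMTP server is exactly the case the abstract describes: a passive sensor can only confirm a service that actually answers while the sensor is listening.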
AFIT Designator
AFIT-GCS-ENG-04-09
DTIC Accession Number
ADA424237
Recommended Citation
Kuntzelman, James B., "Comparative Analysis of Active and Passive Mapping Techniques in an Internet-Based Local Area Network" (2004). Theses and Dissertations. 3989.
https://scholar.afit.edu/etd/3989