nsacyber / GRASSMARLIN

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber

Import PCAPS NO Topology #10

Open w0lverine opened 7 years ago

w0lverine commented 7 years ago

I have successfully imported my pcaps but the topology maps are not populating. Any help will be greatly appreciated. I feel like I am missing a step but it is not clearly stated in the documentation.

iadgovuser5 commented 7 years ago

When you read in pcaps, the Logical View is the only view that should populate. In order to populate the Physical View, you must read in results of the Cisco commands that are listed in the documentation.

If you are reading in pcaps and not getting the Logical View, what OS are you running GM on? If Windows, are there any error messages in the Console Window? If Linux, are there any error messages in the log?

w0lverine commented 7 years ago

Okay, I tried to use a pcapng file and it worked, and a few other different pcaps and it worked. Even though GM cannot read the "bad pcap files", Wireshark can (so I don't think it is anything on your side). As for generating your Physical View, are you saying I need to generate a Cisco config file with the following commands?: SHOW VERSION SHOW RUNNING CONFIG SHOW INTERFACES SHOW MAC

To populate my Physical Graph even though I am not using config files?

iadgovuser5 commented 7 years ago

In order to populate the physical view, you must take the results of the "Show" commands and put them in a flat text file per device to be ingested. The commands are as follows:

show running config
show interfaces
show ip arp OR show mac address table (depends on router or switch)

In this version, we only support Cisco devices by default. The file that needs to be created is nothing more than the results of the 3 commands listed above executed on each Cisco device and the results of those commands copied into a text file. This file can then be ingested and the Physical View is populated.
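As an added example (not GRASSMARLIN code, and not written by the project maintainers), here is a small Python check for a per-device flat text file built the way the comment above describes: the outputs of the three show commands pasted one after another. It assumes the file keeps the device prompt line in front of each command (`sw1#show ip arp`) and that the table layouts are the usual Cisco IOS ones; the device name, addresses and MACs in the sample are constructed. It reports which required commands are missing and joins the ARP table with the MAC address table into an IP-to-port mapping, which is roughly the information the Physical View is built from.

```python
"""Sanity-check a per-device flat text file of Cisco show output before ingesting it.

Added example, not part of GRASSMARLIN. Assumptions: each command's output is
preceded by its prompt line (e.g. "sw1#show ip arp"), and the ARP and MAC tables
use the standard Cisco IOS column layout.
"""
import re
from collections import defaultdict

# Constructed sample of one switch's flat file (device name, MACs, IPs invented).
SAMPLE_FILE = """\
sw1#show running-config
hostname sw1
!
interface GigabitEthernet0/1
 description PLC-1 uplink
!
sw1#show interfaces
GigabitEthernet0/1 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
sw1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.ccdd.0001    DYNAMIC     Gi0/1
  10    aabb.ccdd.0002    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 2
sw1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.10.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.0.10.21              3   aabb.ccdd.0001  ARPA   Vlan10
"""

# A prompt line: hostname, '#' or '>', then the show command that was typed.
PROMPT_RE = re.compile(r"^\S+[#>]\s*(show .+?)\s*$")
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# "  10    aabb.ccdd.0001    DYNAMIC     Gi0/1"
MAC_ROW_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+\S+\s+(\S+)\s*$", re.I)
# "Internet  10.0.10.21   3   aabb.ccdd.0001  ARPA   Vlan10"
ARP_ROW_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(" + MAC + r")\s+\S+\s+(\S+)\s*$", re.I)


def normalise(cmd):
    """Fold 'show running-config' / 'show mac-address-table' spelling variants."""
    return re.sub(r"[-\s]+", " ", cmd.lower()).strip()


def split_sections(text):
    """Map each normalised show command to the output lines that follow its prompt."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = normalise(m.group(1))
            continue
        if current is not None:
            sections[current].append(line)
    return dict(sections)


def missing_commands(sections):
    """Return the required outputs not found (ARP or MAC table satisfies the third)."""
    missing = []
    if not any(k.startswith("show run") for k in sections):
        missing.append("show running-config")
    if "show interfaces" not in sections:
        missing.append("show interfaces")
    if "show ip arp" not in sections and "show mac address table" not in sections:
        missing.append("show ip arp / show mac address-table")
    return missing


def parse_mac_table(lines):
    """MAC -> (vlan, port) from 'show mac address-table' rows; headers are skipped."""
    table = {}
    for line in lines:
        m = MAC_ROW_RE.match(line)
        if m:
            table[m.group(2).lower()] = (int(m.group(1)), m.group(3))
    return table


def parse_arp(lines):
    """IP -> MAC from 'show ip arp' rows."""
    arp = {}
    for line in lines:
        m = ARP_ROW_RE.match(line)
        if m:
            arp[m.group(1)] = m.group(2).lower()
    return arp


def physical_map(text):
    """Join ARP with the MAC table: IP -> (MAC, vlan, switch port).

    Entries whose MAC is not learned on a port (e.g. the switch's own SVI) are dropped.
    """
    sections = split_sections(text)
    macs = parse_mac_table(sections.get("show mac address table", []))
    arp = parse_arp(sections.get("show ip arp", []))
    return {ip: (mac,) + macs[mac] for ip, mac in arp.items() if mac in macs}


if __name__ == "__main__":
    secs = split_sections(SAMPLE_FILE)
    print("missing:", missing_commands(secs) or "none")
    for ip, (mac, vlan, port) in sorted(physical_map(SAMPLE_FILE).items()):
        print(f"{ip:<15} {mac}  vlan {vlan:<4} {port}")
```

Run it against each flat file before ingesting; an empty `missing` list and a non-empty mapping are a quick indication that the file contains what the Physical View needs. The SVI address (10.0.10.1 in the sample) is intentionally absent from the mapping because its MAC is the switch's own and never appears as a learned entry on a port.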

w0lverine commented 7 years ago

Okay. So to make sure I understand, you can only create a physical view with Cisco devices currently?

iadgovuser5 commented 7 years ago

That depends. GM only natively supports Cisco-formatted Show commands, so while Cisco devices are supported, you can manually input the information from any other network device into the Cisco format and GM will parse and render your map. We also give the user the ability to write their own input parser via plug-in. There is also an open-source project on GitHub named Ciscoconfparse (I've never used it, but have heard from some users that it worked for them) which can parse brace-delimited configurations into a Cisco IOS style.

w0lverine commented 7 years ago

Okay. Thank you for the information!