rflynn/lanmap2

# ex: set ff=dos ts=2 et:

Author: Ryan Flynn <[email protected]>

Bugs: https://github.com/rflynn/lanmap2/issues

About
-----

lanmap2 is a passive network monitoring/analysis framework; no SNMP required.

it promiscuously listens to all passing data and sifts out potentially
interesting factoids (addresses, names, fingerprints, unusual situations, etc.)
into an sqlite database.

scripts are provided to query the database and generate image graphs of
network entities, overall connectivity, traffic and notable applications,
operating systems and roles that systems play.

     network
     stream
     /~/
    /~/      "cap"         sqlite
   /~/~~~~~~~~/~/  hints   _______
             /~/--------->(_______) graph.sh   __map___
 /~/~~~~~~~~/~/           |       |---------->|        |
/~/                       |_______|           | X--X   |
                                              |  `---X |
                                              |________|

it is meant to be an extensible framework; anyone who spends time looking 
at network traffic and knows a little SQL should be able to contribute
analysis-type 'mappings' (see data/*.sql)

lanmap2's components are decoupled from each other and are fairly
straight-forward and flexible; you can report things to the database without
having to use them and you can work on analysis-type tasks or scripts while
network capture is running.

the current graphing scripts use php to query the database and generate input
to graphviz; these can be modified fairly easily.

Installation
------------

Everything is pretty much manual at this point, oh well.

Dependencies:
	sqlite3 and libsqlite3 (sqlite2 not acceptable!)
	libpcap
	gcc
	php (to interface with db and generate graphviz input; plan on replacing with lua)
	graphviz (for graph generating)

  Ubuntu Linux:
  Debian Linux:
    sudo apt-get install libpcap-dev libsqlite3-dev gcc graphviz php5-cli php5-sqlite sqlite3

1. Run make

  make

  
  This will build and populate the database file 'db/db'
  And the parse/capture program 'src/cap'


Use
---

1. Start capturing

  cd db && sudo ../src/cap && cd -

  The application has to run as root, which is a potential security hazard.

	This currently produces prodigious amounts of output; sue me.

2. Generate a graph after letting the capture run for a while.

	cd graph && ./graph.sh && cd -

	This will generate a graph at graph/net.png

  This runs a bunch of php scripts.

3. View the graph via the web/ crap

  I suggest you map/symlink apache to the web/ directory if you are capable


TODO
----

* Replace php-based "graph"ing scripts with lua-based ones, and include lua
  runtime and libraries within the lanmap2 package; this will simplify the
  dependencies and allow more people to run it.

* There are always more protocols to support

* I'd eventually like to turn the graphing portion into a full-on IDE-like
  environment where one can filter machines, traffic and identify unknown machines,
  erroneous situations, etc.