NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.
Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. To fix this, create a host file, named hosts.txt, to enrich the information.
The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
Let's use172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sam
172.30.91.81 Carl
Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, and import it into the workspace.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.
Below the Select Devices box, is the Auxiliary Data box.
Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).
For our example a user would see a single file called hosts.txt that would contain the names we've added.
Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).
To see how the previous example can be used as a repeatable process let's update those names again, with corrections.
First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sammy
172.30.91.81 Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:
When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network. Below is a list of data NP-View attempts to import.
Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.
To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.
The file must be named 'multi_home_host.txt' and be of the following format:
192.168.135.115 dual-homed
192.168.135.114 dual-homed
192.168.135.113 dual-homed
Where the first field is the IP address and the second field is the name of the host.
When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:
Note: The file can be named as *_multi_home_host.txt -where- *_ is anything preceding multi_home_host.txt.
For example:
tuesday_multi_home_host.txt
web_server_multi_home_host.txt
the_big_kahuna_multi_home_host.txt
ARP files can be used to add hosts as well as MAC addresses for the hosts.
Use 'show arp' to export the ARP table. The file format will be as follows:
<hostname># show arp
outside 10.0.0.100 d867.da11.00c1 2
inside 192.168.1.10 000c.295b.5aa2 21
inside 192.168.1.12 000c.2933.561c 36
inside 192.168.1.14 000c.2ee0.2b81 97
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Use 'show ip arp' to export the ARP table. The file format will be as follows:
<hostname># show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 12 00a1.b2c3.d4e5 ARPA GigabitEthernet0/1
Internet 192.168.1.2 5 0011.2233.4455 ARPA GigabitEthernet0/1
Internet 10.0.0.1 - 00bb.ccdd.eeff ARPA GigabitEthernet0/2
Internet 172.16.0.1 3 001e.abcd.1234 ARPA GigabitEthernet0/3
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Use 'show arp all' to export the ARP table. The file format will be:
ip address hw address interface flags age
--------------------------------------------------------------------------------
192.168.140.15 00:a1:b2:c3:d4:e5 ethernet1/1 C 45
192.168.140.16 00:11:22:33:44:55 ethernet1/1 C 20
10.10.160.15 00:bb:cc:dd:ee:ff ethernet1/1.160 C 78
10.10.120.15 00:1e:ab:cd:12:34 ethernet1/1.120 C 15
Use 'get sys arp' to export the ARP table. The file format will be as follows:
<hostname> # get sys arp
Address Age(min) Hardware Addr Interface
10.10.140.6 1 14:98:77:84:0c:fd DC-LabPrimary
192.168.140.41 0 50:01:00:02:00:00 Old-Lab
10.10.110.10 0 08:66:1f:05:ad:91 DC-LAB01
10.10.110.13 12 00:50:56:b9:64:ec DC-LAB01
10.10.140.12 0 00:50:56:b9:65:dc DC-LabPrimary
Route tables can be used to add device routes to NP-View.
Use 'show route' to export the route table.
10.1.1.0 255.255.255.0 192.168.1.1 GigabitEthernet0/0
172.16.0.0 255.255.252.0 10.10.10.1 GigabitEthernet0/1
0.0.0.0 0.0.0.0 10.1.1.2 GigabitEthernet0/0
Note that route tables must be loaded at the same time as the configuration file.
Use 'get router info routing-table all' to export the route table.
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 67.23.52.185, wan1, [1/0]
C 10.0.0.0/29 is directly connected, Uplink
C 10.10.5.0/24 is directly connected, DC-Storage
C 10.10.110.0/24 is directly connected, DC-LAB01
Interface tables can be used to add device interfaces that are not listed in the configuration file.
Use 'show interface' to export the interface table.
<device># show interface
Interface Name Security Status Protocol IP Address Mask
------------------------------------------------------------------------
GigabitEthernet0/0 outside 0 up up 10.1.1.1 255.255.255.0
GigabitEthernet0/1 inside 1 up up 192.168.1.1 255.255.255.0
Management0/0 lan 0 up up 10.0.0.1 255.255.255.0
Use 'show ip interface brief' to export the interface table
<device># show interface ip brief
Interface IP Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES manual up up
GigabitEthernet0/1 10.1.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
Management0/0 192.168.100.1 YES manual up up
Note that interface tables must be loaded at the same time as the configuration file.
MAC address tables can be used to add MAC addresses to NP-View.
Use 'show mac address-table' to export the mac address table
!--- Cisco ASA Show MAC Address Table Output ---!
Protocol Address Interface
----------------------------------------
Dynamic 000c.292b.a123 GigabitEthernet0/0
Dynamic 0012.3456.7890 GigabitEthernet0/1
Dynamic 000a.bbbb.cccc VLAN1
!--- End of MAC Address Table ---!
Use 'show mac address-table' to export the mac address table
<device># show mac address-table
Mac Address Table
------------------------------------------
Vlan Mac Address Type Ports
----- ----------- -------- -----
1 000a.b7dc.b799 DYNAMIC Gi0/2
1 000c.2979.60af DYNAMIC Gi0/1
1 0012.3456.789a DYNAMIC Gi0/3
1 0012.3456.789b STATIC Gi0/4
Total Mac Addresses for this criterion: 4
In V6.0, support for PCAP and PCAPng files was added to enrich the topology map. NP-View will add endpoints with IP's, MAC addresses and services to the topology map within a custom view.
PCAP files can be quite large and take some time to process in NP-View. NP-View only requires the first 64 bytes of a PCAP packet. To reduce the size of the PCAP file for faster processing, we recommend trimming the file. To trim the file, use a tool such as Wireshark editcap. Editcap is a command-line tool included with Wireshark that allows reducing the size of a pcap file by up to 80%.
from a bash shell or cmd prompt:
editcap -s 64 input.pcap output.pcapwhere:
64: number of bytes to retain per packet.
input.pcap: Original pcap file.
output.pcap: Name of trimmed PCAP file.
The max PCAP file size NP-View can import is 300 MB per file but multiple PCAP files can be added to a workspace and view. Note that the combined file upload limit is <=300 MB so each file may need to be added individually. Like other aux data, PCAP files must accompany one or more primary devices (Firewall, Router or Switch) so the endpoints have subnets to be connected to.
While NP-View can handle a 300MB file, it is more efficient with smaller file sizes. To split a PCAP file into multiple smaller PCAP files for ingestion, use a tool such as Wireshark editcap. Editcap is a command-line tool included with Wireshark that allows splitting PCAP files.
from a bash shell or cmd prompt:
editcap -c <number_of_packets> input.pcap output_prefixwhere:
<number_of_packets>: Splits after the specified number of packets.
input.pcap: Original pcap file.
output_prefix: Prefix for the output files (e.g., output_).
Example:
editcap -c 200000 capture.pcap split_captureThis creates files like split_capture_00000, split_capture_00001, etc. The file extension should remain .pcap or .pcapng and may need to be manually changed.
Our testing has shown that ~200000 packets will crate a resultinbg file in the 100MB range.
Security Onion native format is Stenographer.
To export Stenographer to PCAP, use the following commands.
sudo so-pcap-export "YourStenoQueryHere" outputsudo docker exec -it so-steno stenoread "YourStenoQueryHere" -w /tmp/new.pcapIn V6.1, we added the capability for a view to be created using only a PCAP file.
NP-View can ingest a PCAP as an auxiliary data file for use with a Layer 3 view or as a config file for use as a PCAP only view.
To help NP-View understand the user’s intentions, the file name will be used to delineate between auxiliary data and a config file.
If the file is to be used as auxiliary data, the file can be named almost anything with a .pcap or .pcapng extension. For example.
If the file is to be used as a config file, ‘_config’ must be added to the file name, for example:
When importing PCAP files, one or more PCAP files of either aux or config designation can be loaded into a workspace at onetime. Given the upload file limitations, they may need to be uploaded separately.
Note that for NP-View to treat a PCAP ‘_config’ as a device, NP-View will create a fictitious switch for each imported PCAP file which will appear on the home view and in subsequent views, even though it may not have any connections.
When creating a view with just a PCAP, the PCAP file loaded as ‘_config’ will be selected.
All other devices will be disabled when ‘_config’ is selected including all aux data files.
If the user selects a device first, the PCAP ‘_config’ selection will be disabled.
Once the view is created, only the switch may be visible. This is because the PCAP file is treated as Layer 2 data and the ‘Show layer 2 Connections’ needs to be enabled under topology settings.
Resulting in displaying the PCAP data.
Each endpoint will display the MAC address, device alias, IP address if available and associated services in the info panel.
Note that annotations are available on the Layer 2 map, but asset verification is not as there is only one data source.
To manually collect auxiliary data from Cisco devices, use the following commands and file naming conventions.
Cisco ASA
Cisco IOS/NX-OS
Fortinet
Once all of the files are collected, manually load the files from each device together and separately from other devices for proper file association.
Configuration, interface and route files will be processed together. Configuration files can be loaded with or without route and interface tables.
ARP and MAC files will be displayed as Auxiliary data when creating a view and can be selectively added.
