3. Additional Data


NP-View and NP-Live can import data from third-party systems to enrich the analysis. The data files below are supported and can be imported manually using drag and drop or, if using NP-Connect, automatically from a shared network drive. Import the configuration files first, or together with the additional data files; otherwise a system error will occur.

Hostname

Once network device configuration files have been imported, one can also import a hostname file to add additional hosts to the topology map and asset inventory. The hostname file is a simple text file with two columns, IP address and hostname, separated by a tab. For example:

192.168.0.10    host0
192.168.0.11    host1
192.168.0.100   server0
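
A pre-import check for the hostname file format described above, as an added example that is not part of NP-View, NP-Live or their documentation. The function name `check_hostname_file` and the sample rows are constructed for illustration, and treating a repeated IP address as an error is this example's own choice, not a documented NP-View rule.

```python
import ipaddress

def check_hostname_file(text):
    """Return (rows, problems) for a two-column, tab-separated hostname file.

    rows     -> list of (ip, hostname) tuples that passed every check
    problems -> list of (line_number, message) for lines to fix before import
    """
    rows, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # ignore blank lines
        fields = line.split("\t")
        if len(fields) != 2:
            # Typical cause: columns aligned with spaces instead of one tab.
            problems.append((lineno, "expected exactly two tab-separated columns"))
            continue
        ip_text, name = fields[0].strip(), fields[1].strip()
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            problems.append((lineno, f"invalid IP address: {ip_text!r}"))
            continue
        if not name or any(c.isspace() for c in name):
            problems.append((lineno, "hostname is empty or contains whitespace"))
            continue
        if ip in seen:  # assumption of this example: one hostname per IP
            problems.append((lineno, f"duplicate IP, first seen on line {seen[ip]}"))
            continue
        seen[ip] = lineno
        rows.append((ip, name))
    return rows, problems

# Constructed sample: line 2 uses spaces instead of a tab, line 4 repeats an IP,
# line 5 has an out-of-range octet.
SAMPLE = (
    "192.168.0.10\thost0\n"
    "192.168.0.11    host1\n"
    "192.168.0.100\tserver0\n"
    "192.168.0.10\thost0-dup\n"
    "192.168.0.300\tbadhost\n"
)

if __name__ == "__main__":
    rows, problems = check_hostname_file(SAMPLE)
    for ip, name in rows:
        print(f"{ip}\t{name}")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```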

Address Resolution Protocol (ARP)

The output of the show arp command on a router / switch can be imported into a workspace to create new nodes and associate MAC addresses. The file should include the prompt with the hostname of the device from which the command was executed and the command itself (show arp). For example:

<hostname># show arp
  outside 10.0.0.100 d867.da11.00c1 2
  inside 192.168.1.10 000c.295b.5aa2 21
  inside 192.168.1.12 000c.2933.561c 36
  inside 192.168.1.14 000c.2ee0.2b81 97

Additionally, on a Windows computer, the command arp -a > arp_table.txt writes the ARP table to a text file:

Interface: 192.168.86.29 --- 0x6
  Internet Address      Physical Address      Type
  192.168.86.1          88-3d-24-76-49-f2     dynamic   
  192.168.86.25         50-dc-e7-4b-13-40     dynamic   
  192.168.86.31         1c-fe-2b-30-78-e5     dynamic   
  192.168.86.33         8c-04-ba-8c-dc-4d     dynamic

Netstat for process list

The output of the Netstat command on Windows and Linux can be saved to a text file and then imported into a workspace. Service information will be extracted from the Netstat output file and added to the host attribute. The flags to use for the Netstat command are:

  • On Windows: netstat -abon
  • On Linux: netstat -atunp

Netstat for routes / route table dump

The command netstat -rn can provide a list of routes that can be parsed by NP-View and NP-Live. The output of the command show route on Cisco devices can also be parsed. It is important to name the files that include the output of those commands after the hostname of the device where the command was issued (for example: {hostname}.txt). This will enable NP-View and NP-Live to associate the route information with the proper device.

Network and vulnerability scanners: Nmap / Rapid 7 Nexpose / Tenable Nessus / Qualys

The output from network and vulnerability scanners can be imported into a workspace to add new hosts and port information to the topology map and host attributes. The supported scanners are: Nmap (nmap -oX), Nexpose, Nessus, and Qualys. Reports should be saved in XML format so that they import properly into NP-View or NP-Live.

Network tracing

Network tracing logs (PCAP) are useful for troubleshooting network connectivity issues. These logs can be obtained from Wireshark, and the tcpdump utility can be used to collect them on Linux. These files can be imported into a workspace and displayed on a per-device basis.
