Zachary Loeber

The personal website of Zachary Loeber.

Create Your Own Network Assessment Appliance

In this write-up I set up several network assessment tools which can be used in the discovery process of a new environment. This can be useful for a newly hired sysadmin or a consultant in rapidly gathering information to assess the health and/or state of a network.


I often find myself assessing a foreign network infrastructure for performance or other issues. Depending on the size of the environment, digesting everything can be daunting without the help of some third party tools. I’ve been using a custom Linux VM on my workstation that has all kinds of tools specifically for gathering information about a network’s performance, layout, and statistics. I’ve decided to retool the VM I currently use and take better notes on what I install so others may do the same if they so desire.

List of tools installed


Nedi is probably the coolest network information gathering tool out there. You can create maps, population reports, and get more information than you ever wanted to know about an environment. The catch is that you really want to enable cdp/lldp (FDP?) on all infrastructure devices and make sure that they all have an SNMP read-only string configured. You also gain benefits by setting the SNMP location string in a particular format.

This format (directly from the nedi site) is as follows:

Region;City;Building;Floor;[Room;][Place within room;][Whatever additional info you want]

Example SNMP location string for a device:

Illinois;Chicago;Main Station;5;DC;Rack 17;7-8
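
A quick way to see which devices already follow this layout before a NeDi run, as an added example (not from NeDi or the original post): the script checks that the four mandatory fields are present and lists the devices that fall short. The hostnames and inventory lines are constructed sample data.

```shell
#!/bin/sh
# Added example: audit SNMP sysLocation values against the NeDi layout
#   Region;City;Building;Floor;[Room;][Place within room;][extra]
# Values can be collected with net-snmp, e.g.
#   snmpget -v2c -c <community> -Oqv <device> sysLocation.0

# trim STRING -> STRING without leading/trailing spaces
trim() {
    t=${1#"${1%%[! ]*}"}
    printf '%s' "${t%"${t##*[! ]}"}"
}

# check_location STRING -> prints "ok Region/City/Building/Floor" (status 0)
# or "bad missing: <fields>" (status 1). Only the first four fields are
# required; Room, Place and anything after them land in $rest and are optional.
check_location() {
    IFS=';' read -r region city building floor rest <<EOF
$1
EOF
    missing=
    for pair in "region=$region" "city=$city" "building=$building" "floor=$floor"; do
        [ -n "$(trim "${pair#*=}")" ] || missing="$missing ${pair%%=*}"
    done
    if [ -n "$missing" ]; then
        printf 'bad missing:%s\n' "$missing"
        return 1
    fi
    printf 'ok %s/%s/%s/%s\n' "$(trim "$region")" "$(trim "$city")" \
        "$(trim "$building")" "$(trim "$floor")"
}

# audit_locations: reads "<hostname> <sysLocation>" lines on stdin and
# prints only the devices whose location lacks a mandatory field.
audit_locations() {
    while read -r host loc; do
        [ -n "$host" ] || continue
        verdict=$(check_location "$loc") || printf '%s: %s\n' "$host" "$verdict"
    done
}

# Constructed sample inventory (hostnames are made up)
audit_locations <<'EOF'
core-sw1 Illinois;Chicago;Main Station;5;DC;Rack 17;7-8
edge-sw2 Illinois;Chicago;Main Station
edge-sw3 Server room, 2nd floor
EOF
```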

Even if you don’t have the time to set all these locations on all devices (that is more of a task for the system administrator, as it requires knowledge of device placement and such ahead of time), the information gathered with the tool is still very valuable for performing analysis of an environment. Nedi is really meant to squat on the network and gather information over a period of time. In this article I do not set it up with any cron jobs as I normally run this appliance from my laptop for short term engagements for general environment analysis only. I use a few other applications to gather performance metrics for the short periods of time that I’m on site.


This is one of those hidden gems which I’m surprised more people are not using. Observium terms itself as:

…an autodiscovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more.

Observium has grown out of a lack of easy to configure network monitoring platforms. It is intended to provide a more navigable interface to the health and performance of your network. Its design goals include collecting as much historical data about devices as possible, being completely autodiscovered with little or no manual intervention, and having a very intuitive interface.

I use Observium as an alternate way of mapping out a network by interface. Here is a quick example of what such output may look like with a couple of HP switches at the core connected to each other and to a few other Cisco switches:

Figure 1: Example Observium Map

I also use it as a short term performance monitor of an environment’s equipment. As an example, I once used it to determine that a random network outage that lasted less than a minute was isolated to an old Catalyst switch with an IOS bug that forced a reboot from memory over-consumption.

The BIG caveat to using this tool is that any device added needs to be able to resolve in DNS. It is the author’s preference (and I kinda do not blame the man, not enough people fully resolve their infrastructure equipment).


OK, this one was going to be NetworkAuthority (which I’ve set up in the past). But when I went to install it again I was unsurprised to find out that it had died. Fortunately, an open source project called Xerela was forked from it. Even more fortunate is that the project is Windows only with a nice installer. So this isn’t going to be officially covered in this install guide, but I felt the need to give the project props in hopes that it stays alive 🙂 If you do install this on your laptop you will need the Java SDK installed, so you may as well download that ahead of time. Oh, and install Perl as well.

In the future I may shove Rancid into this position, but the goal of Rancid is more long term rather than assessment oriented. It is great at collecting configurations, but the primary use is to collect and diff the configs to be able to know what is changing in your environment. If you go onsite for a day or two, the effort to set up Rancid just to get a copy of device configs is not really worth it.


I use this tool to gather information concerning internet latency. Sometimes network issues are not necessarily internal but rather provider based. This can be used to provide evidence of latency issues which a provider may be having. And the graphs it produces look pretty on a deliverable report as well 🙂


Nipper is used for firewall configuration auditing. Nipper became a commercial product some time ago but, with a little work, you can still use the fork of the OSS version. Generating reports from this appliance is not as easy as using NipperME but it is certainly not impossible. I don’t cover NipperME as this appliance is really meant to be headless in use. I may go into the many Windows tools I use for network analysis in a future write-up though.


When installing Ubuntu, press F4 for modes at the install screen and select the minimal virtual machine install mode. Select the OpenSSH Server and the LAMP Server options. Create your user and a root MySQL password and keep a note of them.

Get some base software and prep your sandbox some:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install apache2 libapache2-mod-php5 mysql-server libnet-snmp-perl php5-mysql libnet-telnet-cisco-perl php5-snmp php5-gd libalgorithm-diff-perl rrdtool librrds-perl nano htop ipcalc unzip  ipmitool rrdtool fping graphviz libnet-ssh-perl libnet-ssh2-perl nmap php5-cli php5-snmp imagemagick whois mtr-tiny php-pear snmp nmap ipcalc subversion smokeping sendmail  liblog-log4perl-perl liblog-dispatch-perl libsnmp-perl php5-ldap
sudo pear install Net_IPv6
sudo pear install Net_IPv4
mkdir -p ~/Applications


Now time for nedi.

cd /tmp
wget -O  ''
unzip ./ -d ~/Applications/
sudo su -
mkdir /var/www/nedi
tar -C /var/www/nedi -xzvf ./nedi-1.0.7.tgz
mkdir /var/www/nedi/log
chmod 775 -R /var/www/nedi/
perl -pi -e 's/\/var\/nedi/\/var\/www\/nedi/g' /var/www/nedi/nedi.conf
perl -pi -e 's/snmpwrite/#snmpwrite/g' /var/www/nedi/nedi.conf
chown www-data:www-data -R /var/www/nedi
/var/www/nedi/ -i
<enter in "root" for the user and your root mysql password for the password>
echo -e '<VirtualHost *:80>' >>/etc/apache2/sites-available/nedi
echo -e '  DocumentRoot /var/www/nedi/html/' >>/etc/apache2/sites-available/nedi
echo -e '  ServerName  localhost' >>/etc/apache2/sites-available/nedi
echo -e '  <Directory "/nedi">' >>/etc/apache2/sites-available/nedi
echo -e '    AllowOverride All' >>/etc/apache2/sites-available/nedi
echo -e '    Options FollowSymLinks MultiViews' >>/etc/apache2/sites-available/nedi
echo -e '  </Directory>' >>/etc/apache2/sites-available/nedi
echo -e '</VirtualHost>' >>/etc/apache2/sites-available/nedi
a2ensite nedi
service apache2 restart

There, now you are able to access nedi at http:///nedi/html with the admin/admin credentials. If you find you are reusing this tool for many sites you can easily customize it by logging in, going to System -> Files, and using the first dropdown in the upper left to select /var/www/nedi/seedlist and/or /var/www/nedi/nedi.conf to modify the snmp/logon string and initial seedlists for an environment. Then clear things out from the last engagement you may have done by going to the System -> Nedi area, selecting the “Init” radio button on the right and entering root for your user and your mysql password for the password. Execute that puppy and all data is cleared. Finally select the verbose, protocol, node dev, FQDN, Route, and OUI checkboxes and the “discover” radio button. Click execute again and, depending on the environment size, wait around for a bit while watching all that beautiful information roll down the screen.

As a bonus I also include NeDi2GraphML. This can be used to create some pretty wicked looking diagrams which you can edit with yEd. To create a diagram you can run the following after having performed your initial collection.

cd ~/Applications/NeDi2GraphMLv0.13/
perl -o NiceSchematic.graphml --icn icons.csv

Then transfer NiceSchematic.graphml to your workstation for editing as you see fit.


Set up your Observium home and get it installed (I ran into issues not running Observium from /opt, so that is why it is there):

sudo su -
mkdir -p /opt/observium && cd /opt
svn co observium
cd observium
cp ./config.php.default ./config.php
mysql -u root -p

<mysql root password>
GRANT ALL PRIVILEGES ON observium.* TO 'observium'@'localhost' IDENTIFIED BY 'dbpa55';
perl -pi -e 's/USERNAME/observium/g' /opt/observium/config.php
perl -pi -e 's/PASSWORD/dbpa55/g' /opt/observium/config.php
ln -s /usr/bin/pear /usr/share/pear
sudo php includes/sql-schema/update.php
sudo mkdir graphs rrd
sudo chown -R www-data:www-data /opt/observium
./adduser.php admin admin 10
echo -e '33  */6   * * *   root    cd /opt/observium/ && ./discovery.php -h all >> /dev/null 2>&1' >>/etc/cron.d/observium
echo -e '*/5 *   * * *   root    cd /opt/observium/ && ./discovery.php -h new >> /dev/null 2>&1' >>/etc/cron.d/observium
echo -e '*/5 *   * * *   root    cd /opt/observium/ && ./poller.php -h all >> /dev/null 2>&1'  >>/etc/cron.d/observium
echo -e '<VirtualHost *:81>' >>/etc/apache2/sites-available/observium
echo -e '  DocumentRoot /opt/observium/html/' >>/etc/apache2/sites-available/observium
echo -e '  <Directory "/opt/observium/html/">' >>/etc/apache2/sites-available/observium
echo -e '    AllowOverride All' >>/etc/apache2/sites-available/observium
echo -e '    Options FollowSymLinks MultiViews' >>/etc/apache2/sites-available/observium
echo -e '  </Directory>' >>/etc/apache2/sites-available/observium
echo -e '</VirtualHost>' >>/etc/apache2/sites-available/observium
a2ensite observium
/etc/init.d/cron reload
a2enmod rewrite
echo -e 'Listen 81' >> /etc/apache2/ports.conf
service apache2 restart
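
Because this appliance moves between client networks, the fixed dbpa55 database password and the admin/admin web login above are worth replacing for each engagement. The following is an added example (not part of the original post or of Observium) that generates random secrets and emits the same GRANT statement and config substitution; the two config.php lines in the demo are a constructed stand-in for the real file.

```shell
#!/bin/sh
# Added example: per-engagement secrets for the Observium steps above,
# instead of the fixed 'dbpa55' database password and admin/admin login.

# gen_secret [BYTES] -> 2*BYTES hex characters from /dev/urandom (default 16
# bytes). Hex only, so it is safe inside SQL quotes and a sed replacement.
gen_secret() {
    od -An -N"${1:-16}" -tx1 /dev/urandom | tr -d ' \n'
}

# grant_sql USER PASS -> the GRANT statement used in the steps above
grant_sql() {
    printf "GRANT ALL PRIVILEGES ON observium.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$1" "$2"
}

# fill_config FILE USER PASS -> replace the USERNAME and PASSWORD
# placeholders in FILE; the rewritten file is created with mode 600.
fill_config() {
    ( umask 077 && sed -e "s/USERNAME/$2/g" -e "s/PASSWORD/$3/g" "$1" > "$1.new" ) &&
        mv "$1.new" "$1"
}

# Demo on a constructed stand-in for config.php (two lines, not the real file)
demo_dir=$(mktemp -d)
printf '%s\n' "\$config['db_user'] = 'USERNAME';" \
              "\$config['db_pass'] = 'PASSWORD';" > "$demo_dir/config.php"
db_pass=$(gen_secret)
admin_pass=$(gen_secret 12)
fill_config "$demo_dir/config.php" observium "$db_pass"
cat "$demo_dir/config.php"
grant_sql observium "$db_pass"                      # paste at the mysql prompt
printf './adduser.php admin %s 10\n' "$admin_pass"  # replaces admin/admin
rm -rf "$demo_dir"
```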

If you will be using observium in an assessment you will gain the most value by adding devices to it early on. It really excels in gathering performance information in a manner which is easy to maneuver through. You can now access observium at http://:81/


This is probably the easiest one to set up. Just add a few external targets to monitor and start the service.

echo -e '+ Internet' >> /etc/smokeping/config.d/Targets
echo -e 'menu = Internet Sites' >> /etc/smokeping/config.d/Targets
echo -e 'title = Internet Sites' >> /etc/smokeping/config.d/Targets
echo -e '++ Google' >> /etc/smokeping/config.d/Targets
echo -e 'menu =' >> /etc/smokeping/config.d/Targets
echo -e 'title =' >> /etc/smokeping/config.d/Targets
echo -e 'host =' >> /etc/smokeping/config.d/Targets
echo -e '++ Yahoo' >> /etc/smokeping/config.d/Targets
echo -e 'menu =' >> /etc/smokeping/config.d/Targets
echo -e 'title =' >> /etc/smokeping/config.d/Targets
echo -e 'host =' >> /etc/smokeping/config.d/Targets
echo -e '++ Reddit' >> /etc/smokeping/config.d/Targets
echo -e 'menu =' >> /etc/smokeping/config.d/Targets
echo -e 'title =' >> /etc/smokeping/config.d/Targets
echo -e 'host =' >> /etc/smokeping/config.d/Targets
echo -e '++ Amazon' >> /etc/smokeping/config.d/Targets
echo -e 'menu =' >> /etc/smokeping/config.d/Targets
echo -e 'title =' >> /etc/smokeping/config.d/Targets
echo -e 'host =' >> /etc/smokeping/config.d/Targets
service smokeping start

To access smokeping go to http:///cgi-bin/smokeping.cgi


This one is pretty easy:

cd /tmp
svn checkout nipper-ng
cd nipper-ng
sudo make install

Then use nipper at the command line to see options for scanning your firewall configuration and generating client consumable deliverables.


I’ve added a few extra applications in this appliance setup which can be used (or not) in an assessment. I ran across a few of them while doing this write up and have not actually used them in a real assessment. But they show potential and are pretty easy to setup so I decided to include them in the appliance. I give minimal instructions on their usage (as I’ve minimally used them). I’ll leave it as an exercise to the reader to determine their worthiness.


I’ve literally never used this before but the project looks promising, so I did a very basic setup for future use. Much of what I read in the readme points to a process where you set up a config file, run some scripts in order, and finally run a script which produces an HTML formatted report. I’m looking forward to using this when the opportunity presents itself.

cd /tmp
wget '' -O switchmap.tar.gz
tar -C ~/Applications -xzvf ./switchmap.tar.gz


This little bad boy is not really new to me but my experience with it is minimal. I decided to add it to the appliance to get more experience with its usage and see if I can gain further assessment information from it for future engagements.

The setup for the appliance is fairly basic. You just need to download it, put it into a php/apache capable directory, and change a few perms.

sudo su -
cd /tmp
wget '' -O ./
unzip ./
mv ./OpenAuditReleaseCandidate /var/www/openaudit
chmod 777 /var/www/openaudit/scripts/pc_list_file.txt
chmod 777 /var/www/openaudit/audit.config
chmod 777 /var/www/openaudit/include_config*.*
chown -R www-data.www-data /var/www/openaudit/

After this is done go to http:///openaudit and go through the initial configuration steps. Use root/ when asked for database information.

Actually getting a domain audit is a bit more of a pain. The general process is to make your appliance available to the network, download a config and a vbs file from it to a DC, modify the config, then run the vbs to start collecting server information to send back up to the appliance.

From the Admin->Config page add an LDAP connection. After it has been added, add a path as well; it may not be immediately discernible where this is done. Simply hover over the LDAP connection and select “Add New Path” from the pop-up menu (as shown below). Make the path the root of the domain you are assessing (i.e. DC=zacharyloeber,DC=net).

Figure 2: Open-AudIT LDAP Config

Then remote to a DC and access http:///openaudit/scripts/ from a web browser, download audit.config and audit.vbs from it to the local machine, and edit audit.config. Below are the pertinent audit.config settings (not the entire audit.config, just the areas which are most important):

audit_location = "r"

strComputer = ""

audit_local_domain = "y"

local_domain = "LDAP://dc=zacharyloeber,dc=net"

nmap_subnet = "172.17.0."            ' The subnet you wish to scan

nmap_subnet_formatted = "172.017.000."    ' The subnet padded with 0's

Then, from that same directory (where both the audit.config and audit.vbs files are located), run:

cscript.exe audit.vbs

Tying It All Together

We are not really tying these apps together as much as making them usable for you from your laptop. If you are using VMware Workstation then you need to set up some NAT love to get things working. Typically VMware Workstation will use vmnet8 for NAT, so you will want to go into the virtual network editor and set up a few NAT Setting rules on it for your new network info collecting baby.

The primary NAT settings which need to be set are as follows:

Host Port | Type | Virtual Machine IP Address | Description
 | TCP | | Nedi, Open-AudIT, Smokeping
 | TCP | | Observium


Although this little setup guide only covers a small portion of the tools I use on a daily basis it should be enough for most people to get their feet wet. I do not at all cover the ways which I utilize the data collected from an environment to come to an assessment for a client. This is because each environment and engagement is different. If you are looking for security issues your assessment will be far different than if you are looking for causes of a periodic network slowdown (or not, root/cause analysis can lead to some pretty interesting results). Besides, if you understand networking and infrastructure then you will know what you are looking for far better than I could verbalize.