NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.
Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. To fix this, create a host file, named hosts.txt, to enrich the information.
The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
Let's use172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sam
172.30.91.81 Carl
Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, and import it into the workspace.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.
Below the Select Devices box, is the Auxiliary Data box.
Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).
For our example a user would see a single file called hosts.txt that would contain the names we've added.
Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).
To see how the previous example can be used as a repeatable process let's update those names again, with corrections.
First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sammy
172.30.91.81 Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:
When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network. Below is a list of data NP-View attempts to import.
Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.
To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.
The file must be named 'multi_home_host.txt' and be of the following format:
192.168.135.115 dual-homed
192.168.135.114 dual-homed
192.168.135.113 dual-homed
Where the first field is the IP address and the second field is the name of the host.
When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:
Note: The file can be named as *_multi_home_host.txt -where- *_ is anything preceding multi_home_host.txt.
For example:
tuesday_multi_home_host.txt
web_server_multi_home_host.txt
the_big_kahuna_multi_home_host.txt
ARP files can be used to add hosts as well as MAC addresses for the hosts.
Use 'show arp' to export the ARP table. The file format will be as follows:
<hostname># show arp
outside 10.0.0.100 d867.da11.00c1 2
inside 192.168.1.10 000c.295b.5aa2 21
inside 192.168.1.12 000c.2933.561c 36
inside 192.168.1.14 000c.2ee0.2b81 97
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Use 'show ip arp' to export the ARP table. The file format will be as follows:
<hostname># show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 12 00a1.b2c3.d4e5 ARPA GigabitEthernet0/1
Internet 192.168.1.2 5 0011.2233.4455 ARPA GigabitEthernet0/1
Internet 10.0.0.1 - 00bb.ccdd.eeff ARPA GigabitEthernet0/2
Internet 172.16.0.1 3 001e.abcd.1234 ARPA GigabitEthernet0/3
Use 'arp -a > arp_table.txt' to export the ARP table. The file format will be:
Interface: 192.168.86.29 --- 0x6
Internet Address Physical Address Type
192.168.86.1 88-3d-24-76-49-f2 dynamic
192.168.86.25 50-dc-e7-4b-13-40 dynamic
192.168.86.31 1c-fe-2b-30-78-e5 dynamic
192.168.86.33 8c-04-ba-8c-dc-4d dynamic
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Use 'show arp all' to export the ARP table. The file format will be:
ip address hw address interface flags age
--------------------------------------------------------------------------------
192.168.140.15 00:a1:b2:c3:d4:e5 ethernet1/1 C 45
192.168.140.16 00:11:22:33:44:55 ethernet1/1 C 20
10.10.160.15 00:bb:cc:dd:ee:ff ethernet1/1.160 C 78
10.10.120.15 00:1e:ab:cd:12:34 ethernet1/1.120 C 15
Route tables can be used to add device routes to NP-View.
Use 'show route' to export the route table.
10.1.1.0 255.255.255.0 192.168.1.1 GigabitEthernet0/0
172.16.0.0 255.255.252.0 10.10.10.1 GigabitEthernet0/1
0.0.0.0 0.0.0.0 10.1.1.2 GigabitEthernet0/0
Note that route tables must be loaded at the same time as the configuration file.
Interface tables can be used to add device interfaces that are not listed in the configuration file.
Use 'show interface' to export the interface table.
<device># show interface
Interface Name Security Status Protocol IP Address Mask
------------------------------------------------------------------------
GigabitEthernet0/0 outside 0 up up 10.1.1.1 255.255.255.0
GigabitEthernet0/1 inside 1 up up 192.168.1.1 255.255.255.0
Management0/0 lan 0 up up 10.0.0.1 255.255.255.0
Use 'show ip interface brief' to export the interface table
<device># show interface ip brief
Interface IP Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES manual up up
GigabitEthernet0/1 10.1.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
Management0/0 192.168.100.1 YES manual up up
Note that interface tables must be loaded at the same time as the configuration file.
MAC address tables can be used to add MAC addresses to NP-View.
Use 'show mac address-table' to export the mac address table
!--- Cisco ASA Show MAC Address Table Output ---!
Protocol Address Interface
----------------------------------------
Dynamic 000c.292b.a123 GigabitEthernet0/0
Dynamic 0012.3456.7890 GigabitEthernet0/1
Dynamic 000a.bbbb.cccc VLAN1
!--- End of MAC Address Table ---!
Use 'show mac address-table' to export the mac address table
<device># show mac address-table
Mac Address Table
------------------------------------------
Vlan Mac Address Type Ports
----- ----------- -------- -----
1 000a.b7dc.b799 DYNAMIC Gi0/2
1 000c.2979.60af DYNAMIC Gi0/1
1 0012.3456.789a DYNAMIC Gi0/3
1 0012.3456.789b STATIC Gi0/4
Total Mac Addresses for this criterion: 4
In V6.0, support for PCAP and PCAPng files was added to enrich the topology map. NP-View will add endpoints with IP's, MAC addresses and services to the topology map within a custom view. The max PCAP size is 200 MB per file but multiple PCAP files can be added to a workspace and view. Note that the combined file upload limit is <200 MB so each file will need to be added individually. Like other aux data, PCAP files must accompany one or more primary devices (Firewall, Router or Switch) so the endpoints have subnets to be connected to.
To split a PCAP file into multiple smaller PCAP files for ingestion, use a tool such as Wireshark editcap. Editcap is a command-line tool included with Wireshark that allows splitting pcap files.
from a bash shell or cmd prompt:
editcap -c <number_of_packets> input.pcap output_prefixwhere:
-c <number_of_packets>: Splits after the specified number of packets.
input.pcap: Original pcap file.
output_prefix: Prefix for the output files (e.g., output_).
Example:
editcap -c 350000 capture.pcap split_captureThis creates files like split_capture_00000, split_capture_00001, etc. The file extension should remain .pcap or .pcapng and may need to be manually changed.
Our testing has shown that ~350000 packets will fall slightly under the 200MB limit.
To manually collect auxiliary data from Cisco devices, use the following commands and file naming conventions.
Cisco ASA
Cisco IOS
Once all of the files are collected, manually load the files from each device together and separately from other devices for proper file association.
Configuration, interface and route files will be processed together. Configuration files can be loaded with or without route and interface tables.
ARP and MAC files will be displayed as Auxiliary data when creating a view and can be selectively added.
