Question about Network Monitor

  • Now, I have not set up Network Monitor yet because I just switched over to R9. However, I was reading about what it does and I have a few questions about the monitor feature. Can you have a monitor set up to alert you when something with a new MAC address enters your network? If so, can you go a few steps further and filter the first three characters of the MAC address in the alert? This is so that we could filter by manufacturer of everything on the network. If anyone has any information on this, it would be greatly appreciated. Thanks

    As Network Monitor relies on Discovery for discovered devices on the network -- You can configure within the Discovery module an alert when a device changes IP Address:

    However, I do not believe there is a built-in option to alarm when a device changes MAC Address.

    What exactly are you trying to perform?

    There may be a way to perform this with an Agent Procedure or someone on the community may already have created one and be willing to share it.

  • We are trying to monitor a network for changes in MAC address, so that we know when something new is added to a network. We can't do this by IP because we can not have the machines statically assigned for other reasons. The reason for needing this is because we need to know where, by location, each machine is located. So if a machine is moved from one site to another, we get an alert telling us that there is a new MAC address at this location.

    I understand you have a lot of elastic IPs that are constantly changing. So the alert when new IP is detected will not work for you.

    Would the alert when new device is detected on the network not suffice?

    You may already be familiar with this alert as it is located right next to the alert on new IP:

    Aside from that, this request would probably require some sort of custom procedure with varying logic.

  • Will the Alert apply to computers with agents though or just agentless devices?

  • I'll take a crack at this. I have Discovery configured to scan each network every hour and alert on new *device* and new *IP*. I get two emails when something is found that include the information below:

    Message #1: New IP Address for unknown-F8:1E:DF:D5:D5:A3. A new IP address was detected by the NMAPProbe probe NMAP_probe_<network_name>

    Message #2: New Device Discovered. A new Mobile_iOS unknown-F8:1E:DF:D5:D5:A3 was discovered by the NMAPProbe probe NMAP_probe_<network_name>

    I have chosen to receive email alerts but alarms and tickets can also be generated. While not perfect it has caught folks connecting personal devices where they shouldn't. Because hourly is the smallest scan increment it won't catch something that was connected then disconnected before the next scan.  However, this is manageable and way better than not scanning at all - for us - that is.  
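Added example (not part of the thread and not Kaseya's code): Python that parses alert text in the two formats quoted above, extracts the MAC and its first three octets, and reports MACs that are new or that turn up under a different probe's network. It assumes the alert body always contains the MAC and that the suffix of the probe name identifies the site; the sample alerts, site names, `review` function and watched prefix set are constructed for illustration.

```python
import re

# Constructed alerts in the two formats quoted in the thread (site names are made up).
SAMPLE_ALERTS = [
    "New Device Discovered. A new Mobile_iOS unknown-F8:1E:DF:D5:D5:A3 was discovered by the NMAPProbe probe NMAP_probe_site_a",
    "New IP Address for unknown-F8:1E:DF:D5:D5:A3. A new IP address was detected by the NMAPProbe probe NMAP_probe_site_a",
    "New Device Discovered. A new Printer unknown-00:11:22:33:44:55 was discovered by the NMAPProbe probe NMAP_probe_site_a",
    "New Device Discovered. A new Mobile_iOS unknown-f8-1e-df-d5-d5-a3 was discovered by the NMAPProbe probe NMAP_probe_site_b",
]

MAC_RE = re.compile(r"\b((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b")
PROBE_RE = re.compile(r"probe NMAP_probe_(\S+)")  # assumption: suffix names the site

def parse_alert(text):
    """Return kind, MAC, OUI (first three octets) and network, or None if no match."""
    mac_m, probe_m = MAC_RE.search(text), PROBE_RE.search(text)
    if not mac_m or not probe_m:
        return None  # not an alert in the quoted format
    mac = mac_m.group(1).upper().replace("-", ":")  # normalise case and separator
    kind = "new_device" if text.startswith("New Device") else "new_ip"
    return {"kind": kind, "mac": mac, "oui": mac[:8],
            "network": probe_m.group(1).rstrip(".")}

def review(alerts, last_seen, watched_ouis=frozenset()):
    """Report MACs that are new or moved; last_seen (MAC -> network) is updated."""
    findings = []
    for text in alerts:
        rec = parse_alert(text)
        if rec is None:
            continue
        previous = last_seen.get(rec["mac"])
        if previous is None:
            status = "new"
        elif previous != rec["network"]:
            status = "moved"  # same MAC, different site
        else:
            status = "known"  # e.g. the paired "New IP" mail for the same device
        last_seen[rec["mac"]] = rec["network"]
        # An empty watched_ouis set means "report every manufacturer prefix".
        if status != "known" and (not watched_ouis or rec["oui"] in watched_ouis):
            findings.append((status, rec["mac"], rec["oui"], previous, rec["network"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_ALERTS, {}):
        print(finding)
```

Persisting `last_seen` between runs (a file or database, not shown) is what lets a later scan recognise a MAC that has moved sites.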


    Nice, nice, but at our end the discovery each time stays in "deep scanning" and never seems to end!!


  • I believe it should alert for any device, regardless if it has an agent or not.

    Are you still seeing this? You mentioned to me you were going to build a new server and I have not heard back on this.

    Feel free to PM me if you want to discuss.



    Yes indeed, a new server is being built from scratch and today I got the mail that our account is enabled for the 9.1 to be installed. So we will go on next week with the installation but before we will probably ask for a test license but that is in hands of my responsable.