Abstract

Understanding logical network connectivity is essential in network topology mapping, especially in a fast-growing network where knowing what is happening on the network is critical for security purposes and where knowing how network resources are being used is highly important. Mapping logical communication topology is important for network auditing, network maintenance and governance, network optimization, and network security. However, the process of capturing network traffic to generate the logical network topology may have a great influence on the operation of the network. In hierarchically structured networks such as control systems, typical active network mapping techniques are not employable as they can affect time-sensitive cyber-physical processes; hence, passive network mapping is required. Though passive network mapping does not modify or disrupt existing traffic, current passive mapping techniques ignore many practical issues when used to generate logical communication topologies. In this paper, we present a methodology which compares topologies from an idealized mapping process with what is actually achievable using passive network mapping, and we identify some of the factors that can cause inaccuracies in logical maps derived from passively monitored network traffic. We illustrate these factors using a case study involving a hierarchical control network.

Highlights

  • An existing physical network topology is not always the same as the original documented version of the physical network topology developed for the network

  • Their algorithmic solution was based on Simple Network Management Protocol (SNMP), which uses information obtained from address forwarding tables containing Medium Access Control (MAC) addresses that are reachable from each device interface

  • When comparing the expected topologies with the actual topologies, our analysis showed that the topologies were not aligned, as follows: (a) undiscovered expected nodes: in Fig. 12, many nodes were missing when compared with the expected topology in Fig. 8


Summary

INTRODUCTION

An existing physical network topology is not always the same as the original documented version of the physical network topology developed for the network. Network traffic analysis is a fundamental tool used in constructing network topologies. Information such as the source address, destination address and communication protocols, obtainable from observed network data packets, is a prerequisite for network topology mapping [21]. We present our experimental methodology, which involves deriving an expected logical topology from the documented physical network topology, generating the observed logical topology from passively captured network traffic, and comparing the two logical topologies to identify the differences between what is observable in theory and in practice.
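The three-step methodology above (expected topology from documentation, observed topology from passive capture, comparison of the two) can be exercised on a small constructed network. The following is an added example and not code from the paper: it builds the expected logical topology from a constructed, documented physical topology, derives which expected flows a passive monitor at one switch could observe at all (an observability check, since traffic that never traverses the monitored device cannot be captured there), and then compares the expected topology with a set of constructed capture records to report undiscovered expected nodes and edges and unexpected ones. All node names, the monitor position, the flow set and the capture records are hypothetical.

```python
"""Expected-vs-observed logical topology comparison (added example).

Everything below is constructed for illustration: node names, links, the
documented flow set, the SPAN-port position and the captured records are
hypothetical and do not come from the paper's case study.
"""
from collections import deque

# Constructed documented physical links of a small hierarchical control network.
DOCUMENTED_LINKS = [
    ("scada", "core-sw"),
    ("hmi", "core-sw"),
    ("core-sw", "field-sw"),
    ("field-sw", "plc-1"),
    ("field-sw", "plc-2"),
    ("field-sw", "rtu-1"),
]

# Constructed expected logical flows (src, dst, protocol) taken from the design documents.
EXPECTED_FLOWS = {
    ("scada", "plc-1", "modbus"),
    ("scada", "plc-2", "modbus"),
    ("scada", "rtu-1", "dnp3"),
    ("hmi", "scada", "https"),
    ("plc-1", "plc-2", "modbus"),  # peer-to-peer interlock that never leaves field-sw
}

# Constructed records from a passive capture on a SPAN port at core-sw.
# plc-2 happened to be silent during the capture window; laptop-7 is undocumented.
CAPTURED_RECORDS = [
    ("scada", "plc-1", "modbus"),
    ("scada", "plc-1", "modbus"),
    ("scada", "rtu-1", "dnp3"),
    ("hmi", "scada", "https"),
    ("laptop-7", "plc-1", "modbus"),
]


def adjacency(links):
    """Undirected adjacency map of the physical topology."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, src, dst):
    """Breadth-first search over the physical graph; returns the node list or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def observable_flows(links, expected, monitor):
    """Expected flows whose physical path traverses the monitored device.

    This is the upper bound of what a single passive tap can ever see; flows
    switched locally elsewhere are invisible regardless of capture quality.
    """
    adj = adjacency(links)
    return {
        (src, dst, proto)
        for src, dst, proto in expected
        if (path := shortest_path(adj, src, dst)) and monitor in path
    }


def logical_topology(flows):
    """Logical topology as (node set, directed edge set); protocol is ignored."""
    nodes, edges = set(), set()
    for src, dst, _proto in flows:
        nodes.update((src, dst))
        edges.add((src, dst))
    return nodes, edges


def compare(expected_flows, observed_flows):
    """Report the four ways an observed topology can disagree with the expected one."""
    exp_nodes, exp_edges = logical_topology(expected_flows)
    obs_nodes, obs_edges = logical_topology(observed_flows)
    return {
        "undiscovered_nodes": sorted(exp_nodes - obs_nodes),
        "unexpected_nodes": sorted(obs_nodes - exp_nodes),
        "undiscovered_edges": sorted(exp_edges - obs_edges),
        "unexpected_edges": sorted(obs_edges - exp_edges),
    }


if __name__ == "__main__":
    reachable = observable_flows(DOCUMENTED_LINKS, EXPECTED_FLOWS, "core-sw")
    print("observability limit at core-sw:", compare(EXPECTED_FLOWS, reachable))
    print("actual capture vs expected:", compare(EXPECTED_FLOWS, set(CAPTURED_RECORDS)))
```

The first comparison isolates the structural limit of the monitoring position (the plc-1 to plc-2 edge is undiscoverable from core-sw no matter how long the capture runs), while the second mixes that limit with capture-window effects (plc-2 silent) and an undocumented host. Separating the two is what lets a reviewer tell a documentation or sensor-placement gap from a genuinely unexpected device.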

RELATED WORK
NETWORK TOPOLOGY GENERATION
  Assumptions
  Observability definition
THE EXPERIMENTAL METHODOLOGY
  Expected Topology Derivation
  Network Traffic Mapping
  Topology Comparison
CASE STUDY
  Network traffic topology mapping
RESULTS
CONCLUSIONS