What you are probably seeing is that NMAP is only scanning "popular" ports by default. You can tell it to scan everything if you want by using the -p option, such as:
% nmap 1.2.3.0/24 -p1-65535
Since people don't normally run "interesting" services on most ports, they aren't scanned by default.

If you have control over the upstream, as in, all the WAN connections funnel through a single connection to the Internet, you might want to use libpcap to tally up traffic and look for this kind of thing. With a bit of effort, you could probably configure Snort to do the job of looking for "unauthorized" servers, provided you can express that sort of thing in the config file. Perl might help here, to generate the rules text.

Snort is actually better because if the deviants on your network discover how you are ratting them out, they could get clever and block your IP. When you scan them, everything could look OK, but in fact they are merrily running a 32-player Unreal server shielded from view. If the traffic is on the network, Snort can find it. In a switched environment you just need RMON support, but virtually every switch supports this for diagnostics.

Either way, once you get your raw data from NMAP, or Snort, or even Perl itself, the next step is to turn it into useful reports, no?

In reply to Re^5: Low Level Network Connections by tadman
in thread Low Level Network Connections by Anonymous Monk
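
The post's idea of generating Snort rules text with Perl, as an added example that is not part of the original post: each approved server alerts only when it answers on an unlisted TCP port, and every other host in $HOME_NET alerts on any accepted connection. The addresses, ports, messages and sid values are constructed, Snort 2.x rule syntax with address and port lists is assumed, and only TCP listeners are covered because the rules key on SYN-ACK.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist: internal server address => TCP ports it may serve.
my %authorized = (
    '1.2.3.10' => [ 25, 80 ],
    '1.2.3.20' => [ 22 ],
);
my $sid = 1_000_001;    # assumption: local rules use sids above 1,000,000

# One Snort rule that fires on a SYN-ACK (a host accepting a TCP
# connection) sent from the given source address and source port spec.
sub rule {
    my ($src, $sport, $msg) = @_;
    return sprintf 'alert tcp %s %s -> any any (msg:"%s"; flags:SA; sid:%d; rev:1;)',
        $src, $sport, $msg, $sid++;
}

sub build_rules {
    my @rules;
    my @hosts = sort keys %authorized;
    for my $host (@hosts) {
        # Refuse anything that is not a dotted quad or a valid port, so a
        # bad allowlist entry cannot produce a malformed or over-broad rule.
        die "bad address: $host\n" unless $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        my @ports = sort { $a <=> $b } @{ $authorized{$host} };
        die "no ports listed for $host\n" unless @ports;
        for my $p (@ports) {
            die "bad port for $host: $p\n"
                unless $p =~ /^\d+$/ && $p >= 1 && $p <= 65535;
        }
        my $ports = join ',', @ports;
        push @rules, rule($host, "![$ports]",
            "Authorized server $host answering on unlisted port");
    }
    # Every other host in $HOME_NET should never accept a connection.
    my $others = @hosts
        ? '[$HOME_NET,![' . join(',', @hosts) . ']]'
        : '$HOME_NET';
    push @rules, rule($others, 'any',
        'Unauthorized server answering inside HOME_NET');
    return @rules;
}

print "$_\n" for build_rules();
```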
