cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
aponzo
Engaged Sweeper

So I'm on a trial on LS and very interested in the rouge asset detection.

From what I've read, if I install the scan server to my DHCP Server, it should see DHCP requests from all my subnets and register them as assets ?
Or do I need to add in a scope for all my subnets to that DHCP server?

I've got the Scan Server installed, got the setting to Enabled, and no assets are showing under the Inventory > Asset Radar section.

1 ACCEPTED SOLUTION
StillGoing
Engaged Sweeper III

Asset Radar isn't reading anything directly from the DHCP server (so you don't really have to install it on that server). Rather it is reading DHCP request and response packets on the network, so you'll just need a scanner with an interface on the subnets on which you want to gather information.

It's a little more complicated than that. I had a recent ticket open about asset radar functionality, and got some really good information on how it works, so I am pasting it here pretty much verbatim. It wasn't specific to the DHCP question, but does provide pretty good details on how asset radar works; DHCP is simply one of the protocols it leverages to pull information about the devices on the network (my question was specifically about correlating scanned data with InTune data, which is why there are references to InTune).

Leveraging Asset Radar with MAC Addresses:

  1. Enable Asset Radar to capture packets, which might fetch IPs and potentially MAC addresses. (Asset radar is normally enabled by default).
  2. Ensure Intune scans include MAC addresses, allowing potential merging with scanned devices.
  3. Remember, Asset Radar logs rely on MAC addresses for linking; unmatched MACs will result in question marks.

More information on Asset Radar can be found in the following KB article: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-asset-radar/ta-p/64508

Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic. 

It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.

Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:

  1. By authenticating successfully via a protocol that will return a MAC address, e.g. WMI (Windows), SNMP, SSH (Linux/Mac), etc.
  2. By performing an ARP lookup (locally on the scanning server). This will only return a MAC address for assets in the same subnet as your scanning server.

If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.

Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.

View solution in original post

3 REPLIES 3
StillGoing
Engaged Sweeper III

Asset Radar isn't reading anything directly from the DHCP server (so you don't really have to install it on that server). Rather it is reading DHCP request and response packets on the network, so you'll just need a scanner with an interface on the subnets on which you want to gather information.

It's a little more complicated than that. I had a recent ticket open about asset radar functionality, and got some really good information on how it works, so I am pasting it here pretty much verbatim. It wasn't specific to the DHCP question, but does provide pretty good details on how asset radar works; DHCP is simply one of the protocols it leverages to pull information about the devices on the network (my question was specifically about correlating scanned data with InTune data, which is why there are references to InTune).

Leveraging Asset Radar with MAC Addresses:

  1. Enable Asset Radar to capture packets, which might fetch IPs and potentially MAC addresses. (Asset radar is normally enabled by default).
  2. Ensure Intune scans include MAC addresses, allowing potential merging with scanned devices.
  3. Remember, Asset Radar logs rely on MAC addresses for linking; unmatched MACs will result in question marks.

More information on Asset Radar can be found in the following KB article: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-asset-radar/ta-p/64508

Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic. 

It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.

Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:

  1. By authenticating successfully via a protocol that will return a MAC address, e.g. WMI (Windows), SNMP, SSH (Linux/Mac), etc.
  2. By performing an ARP lookup (locally on the scanning server). This will only return a MAC address for assets in the same subnet as your scanning server.

If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.

Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.

aponzo
Engaged Sweeper

First post via https://community.lansweeper.com/t5/general-discussions/asset-radar-bug/m-p/16123

Also under https://community.lansweeper.com/t5/scanning-your-network/introduction-to-asset-radar/ta-p/64508
" you can see the type of packet that was captured, as well as the retrieved information from these packets. ARP, DHCP, UDP and UDPv6 packets are captured"

Mister_Nobody
Honored Sweeper

>From what I've read

Could you show links where describe such functions?