‎02-02-2024 12:14 AM
So I'm on a trial on LS and very interested in the rouge asset detection.
From what I've read, if I install the scan server to my DHCP Server, it should see DHCP requests from all my subnets and register them as assets ?
Or do I need to add in a scope for all my subnets to that DHCP server?
I've got the Scan Server installed, got the setting to Enabled, and no assets are showing under the Inventory > Asset Radar section.
Solved! Go to Solution.
‎02-09-2024 09:56 PM
Asset Radar isn't reading anything directly from the DHCP server (so you don't really have to install it on that server). Rather it is reading DHCP request and response packets on the network, so you'll just need a scanner with an interface on the subnets on which you want to gather information.
It's a little more complicated than that. I had a recent ticket open about asset radar functionality, and got some really good information on how it works, so I am pasting it here pretty much verbatim. It wasn't specific to the DHCP question, but does provide pretty good details on how asset radar works; DHCP is simply one of the protocols it leverages to pull information about the devices on the network (my question was specifically about correlating scanned data with InTune data, which is why there are references to InTune).
Leveraging Asset Radar with MAC Addresses:
More information on Asset Radar can be found in the following KB article: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-asset-radar/ta-p/64508
Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic.
It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.
Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:
If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.
Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.
‎02-09-2024 09:56 PM
Asset Radar isn't reading anything directly from the DHCP server (so you don't really have to install it on that server). Rather it is reading DHCP request and response packets on the network, so you'll just need a scanner with an interface on the subnets on which you want to gather information.
It's a little more complicated than that. I had a recent ticket open about asset radar functionality, and got some really good information on how it works, so I am pasting it here pretty much verbatim. It wasn't specific to the DHCP question, but does provide pretty good details on how asset radar works; DHCP is simply one of the protocols it leverages to pull information about the devices on the network (my question was specifically about correlating scanned data with InTune data, which is why there are references to InTune).
Leveraging Asset Radar with MAC Addresses:
More information on Asset Radar can be found in the following KB article: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-asset-radar/ta-p/64508
Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic.
It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.
Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:
If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.
Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.
‎02-02-2024 06:13 AM
First post via https://community.lansweeper.com/t5/general-discussions/asset-radar-bug/m-p/16123
Also under https://community.lansweeper.com/t5/scanning-your-network/introduction-to-asset-radar/ta-p/64508
" you can see the type of packet that was captured, as well as the retrieved information from these packets. ARP, DHCP, UDP and UDPv6 packets are captured"
‎02-02-2024 05:35 AM
>From what I've read
Could you show links where describe such functions?
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now